CVE-2020-29484

Published: Dic 15, 2020 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2020-21852 Aliases: GSD-2020-29484

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,0

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: high

User Interaction: none

Scope: changed

Confidentiality: none

Integrity: none

Availability: high

MEDIUM 4,9

Source: [email protected]

Access Vector: local

Access Complexity: low

Authentication: none

Confidentiality: none

Integrity: none

Availability: complete

Description

AI Translation Available

An issue was discovered in Xen through 4.14.x. When a Xenstore watch fires, the xenstore client that registered the watch will receive a Xenstore message containing the path of the modified Xenstore entry that triggered the watch, and the tag that was specified when registering the watch. Any communication with xenstored is done via Xenstore messages, consisting of a message header and the payload. The payload length is limited to 4096 bytes. Any request to xenstored resulting in a response with a payload longer than 4096 bytes will result in an error. When registering a watch, the payload length limit applies to the combined length of the watched path and the specified tag. Because watches for a specific path are also triggered for all nodes below that path, the payload of a watch event message can be longer than the payload needed to register the watch. A malicious guest that registers a watch using a very large tag (i.e., with a registration operation payload length close to the 4096 byte limit) can cause the generation of watch events with a payload length larger than 4096 bytes, by writing to Xenstore entries below the watched path. This will result in an error condition in xenstored. This error can result in a NULL pointer dereference, leading to a crash of xenstored. A malicious guest administrator can cause xenstored to crash, leading to a denial of service. Following a xenstored crash, domains may continue to run, but management operations will be impossible. Only C xenstored is affected, oxenstored is not affected.

AI Generated Translation

È stato scoperto un problema in Xen fino alla versione 4.14.x. Quando si attiva un watch in Xenstore, il client Xenstore che ha registrato il watch riceverà un messaggio Xenstore contenente il percorso dell’entry Xenstore modificata che ha attivato il watch, e il tag specificato al momento della registrazione del watch. Qualsiasi comunicazione con xenstored avviene tramite messaggi Xenstore, costituiti da un'intestazione di messaggio e dal payload. La lunghezza del payload è limitata a 4096 byte. Qualsiasi richiesta a xenstored che produca una risposta con un payload più lungo di 4096 byte genererà un errore. Quando si registra un watch, il limite di lunghezza del payload si applica alla lunghezza combinata del percorso monitorato e del tag specificato. Poiché i watch per un percorso specifico vengono attivati anche per tutti i nodi sottostanti a quel percorso, il payload di un messaggio di evento di watch può essere più lungo del payload necessario per registrare il watch. Un guest malintenzionato che registra un watch utilizzando un tag molto grande (ad esempio, con una lunghezza di payload di operazione di registrazione vicina al limite di 4096 byte) può causare la generazione di eventi di watch con payload più lungo di 4096 byte, scrivendo in entry Xenstore sotto il percorso monitorato. Ciò comporterà una condizione di errore in xenstored. Questo errore può portare a un dereference di puntatore NULL, causando il crash di xenstored. Un amministratore guest malintenzionato può causare il crash di xenstored, portando a un attacco di tipo denial of service. Dopo il crash di xenstored, i domini possono continuare a funzionare, ma le operazioni di gestione saranno impossibili. Solo xenstored in C è interessato, oxenstored non è coinvolto.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0006

Percentile

0,2th

Updated

EPSS Score Trend (Last 90 Days)

476

NULL Pointer Dereference

Stable

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Availability Integrity Confidentiality

Potential Impacts:

Dos: Crash, Exit, Or Restart Execute Unauthorized Code Or Commands Read Memory Modify Memory

Applicable Platforms

Languages: C, C#, C++, Go, Java

Likelihood of Exploit: Medium

View CWE Details

Operating System

Debian Linux by Debian

Product Information

Vendor Debian

Product Debian Linux

Version 10.0

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Xen by Xen

Product Information

Vendor Xen

Product Xen

Version Range Affected

To 4.14.0 (inclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Fedora by Fedoraproject

Product Information

Vendor Fedoraproject

Product Fedora

Version 32

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Fedora by Fedoraproject

Product Information

Vendor Fedoraproject

Product Fedora

Version 33

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://lists.fedoraproject.org/archives/list/package-annou…

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…

https://lists.fedoraproject.org/archives/list/package-annou…

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…

https://www.debian.org/security/2020/dsa-4812

Third Party Advisory

https://www.debian.org/security/2020/dsa-4812

https://xenbits.xenproject.org/xsa/advisory-324.txt

Patch Vendor Advisory

https://xenbits.xenproject.org/xsa/advisory-324.txt

https://lists.fedoraproject.org/archives/list/package-annou…

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…

https://lists.fedoraproject.org/archives/list/package-annou…

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…

https://www.debian.org/security/2020/dsa-4812

Third Party Advisory

https://www.debian.org/security/2020/dsa-4812

https://xenbits.xenproject.org/xsa/advisory-324.txt

Patch Vendor Advisory

https://xenbits.xenproject.org/xsa/advisory-324.txt

CVE-2020-29484

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 90 Days)

NULL Pointer Dereference

Common Consequences

Applicable Platforms

Debian Linux by Debian

Product Information

Xen by Xen

Product Information

Fedora by Fedoraproject

Product Information

Fedora by Fedoraproject

Product Information

Iscriviti alla newsletter