From: Ferruh Yigit <ferruh.yigit@intel.com>
To: Mauro Matteo Cascella <mcascell@redhat.com>,
oss-security@lists.openwall.com
Cc: security@dpdk.org, security-prerelease@dpdk.org,
"dev@dpdk.org" <dev@dpdk.org>, Ryan Hall <ryan.e.hall@intel.com>
Subject: Re: [dpdk-dev] [oss-security] DPDK security advisory for multiple vhost crypto issues
Date: Mon, 4 Jan 2021 11:27:50 +0000 [thread overview]
Message-ID: <69a35308-0697-780d-8e72-422c7a2173d8@intel.com> (raw)
In-Reply-To: <CAA8xKjULPZw04YY9fd1d83893mmqXX_qp1UjRZdAWP7fU3yC_A@mail.gmail.com>
On 1/4/2021 8:28 AM, Mauro Matteo Cascella wrote:
> Hello,
>
> Is there any particular reason for the Scope metric to be Unchanged
> (S:U) for CVE-2020-14377 and CVE-2020-14378?
>
removed dpdk-announce mail list
Hi Mauro,
CVE-2020-14377, the memory over read is in the scope of the same application,
that is the reason of the unchanged scope. There is another CVE below that can
use this information to figure out where to overwrite for remote execution which
has scope set as 'Changed'.
CVE-2020-14378, can cause loop taken longer time and delays the service, since
it is eating the core cycles, if there is something else using that specific
core technically it may delay it too, but DPDK mostly uses all core for itself
and since mainly the vhost crypto service is affected, scope selected as Unchanged.
Is there a concern on the selected scope metric?
Thanks.
> Thank you,
>
> On Mon, Sep 28, 2020 at 5:43 PM Ferruh Yigit <ferruh.yigit@intel.com> wrote:
>>
>> A set of vulnerabilities are fixed in DPDK:
>> - CVE-2020-14374
>> - CVE-2020-14375
>> - CVE-2020-14376
>> - CVE-2020-14377
>> - CVE-2020-14378
>>
>> Some downstream stakeholders were warned in advance in order to coordinate the
>> release of fixes and reduce the vulnerability window.
>>
>> Problem:
>> A malicious guest can harm the host using vhost crypto, this includes
>> executing code in host (VM Escape), reading host application memory
>> space to guest and causing partially denial of service in the host.
>>
>> All users of the vhost library are strongly encouraged to upgrade as soon as
>> possible.
>>
>> Thanks to "Ryan Hall <ryan.e.hall@intel.com>" for reporting the issues.
>>
>>
>> Stable releases download links:
>>
>> DPDK 18.11.10 (LTS)
>> http://fast.dpdk.org/rel/dpdk-18.11.10.tar.xz
>>
>> DPDK 19.11.5 (LTS)
>> https://fast.dpdk.org/rel/dpdk-19.11.5.tar.xz
>>
>>
>> Details:
>>
>> CVE: CVE-2020-14374
>> Bugzilla: https://bugs.dpdk.org/show_bug.cgi?id=272
>> Severity: 8.8 (High)
>> CVSS scores: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
>> Summary : Remote Code Execution in vhost_crypto (VM Escape)
>> Reporter: Ryan Hall <ryan.e.hall@intel.com>
>>
>> CVE: CVE-2020-14375
>> Bugzilla: https://bugs.dpdk.org/show_bug.cgi?id=272
>> Severity: 7.8 (High)
>> CVSS scores: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
>> Summary : Time-of-check time-of-use vulnerabilities throughout vhost_crypto.c
>> Reporter: Ryan Hall <ryan.e.hall@intel.com>
>>
>> CVE: CVE-2020-14376
>> Bugzilla: https://bugs.dpdk.org/show_bug.cgi?id=272
>> Severity: 7.8 (High)
>> CVSS scores: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
>> Summary : Buffer overflow copying iv_data from guest to
>> host(prepare_sym_cipher_op & prepare_sym_chain_op)
>> Reporter: Ryan Hall <ryan.e.hall@intel.com>
>>
>> CVE: CVE-2020-14377
>> Bugzilla: https://bugs.dpdk.org/show_bug.cgi?id=272
>> Severity: 7.1 (High)
>> CVSS scores: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
>> Summary: write_back_data buffer over read (cipher->para.dst_data_len &
>> desc->len)
>> Reporter: Ryan Hall <ryan.e.hall@intel.com>
>>
>> CVE: CVE-2020-14378
>> Bugzilla: https://bugs.dpdk.org/show_bug.cgi?id=272
>> Severity: 3.3 (Low)
>> CVSS scores: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
>> Summary : Partial Denial of Service due to Integer Underflow
>> Reporter: Ryan Hall <ryan.e.hall@intel.com>
>>
>>
>> Commits:
>> main repo (will be 20.11.0)
>> https://git.dpdk.org/dpdk/commit/?id=57680e34498
>> https://git.dpdk.org/dpdk/commit/?id=5677e68c05d
>> https://git.dpdk.org/dpdk/commit/?id=b2866f47336
>> https://git.dpdk.org/dpdk/commit/?id=409c47c7c5b
>> https://git.dpdk.org/dpdk/commit/?id=e15b7c01120
>> https://git.dpdk.org/dpdk/commit/?id=2d962bb7365
>>
>> DPDK 18.11.10 (LTS)
>> https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=ab6314978567
>> https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=7a5af91f8bf4
>> https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=7e7c75edc635
>> https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=ff65dc28bc71
>> https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=75f8df70a2c8
>> https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=6e8a4da39e68
>>
>> DPDK 19.11.5 (LTS)
>> https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=3f2635c5a9c3
>> https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=81e969483020
>> https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=e4a7c14f0248
>> https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=319b498e4b16
>> https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=6a3a414698e4
>> https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=e2666ec24535
>>
>> --
>> DPDK Security Team
>> http://core.dpdk.org/security/
>>
next prev parent reply other threads:[~2021-01-04 11:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-28 15:23 [dpdk-dev] " Ferruh Yigit
2021-01-04 8:28 ` [dpdk-dev] [oss-security] " Mauro Matteo Cascella
2021-01-04 11:27 ` Ferruh Yigit [this message]
2021-01-04 13:27 ` Mauro Matteo Cascella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69a35308-0697-780d-8e72-422c7a2173d8@intel.com \
--to=ferruh.yigit@intel.com \
--cc=dev@dpdk.org \
--cc=mcascell@redhat.com \
--cc=oss-security@lists.openwall.com \
--cc=ryan.e.hall@intel.com \
--cc=security-prerelease@dpdk.org \
--cc=security@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).