From: Mauro Matteo Cascella <mcascell@redhat.com>
To: Ferruh Yigit <ferruh.yigit@intel.com>
Cc: oss-security@lists.openwall.com, security@dpdk.org,
security-prerelease@dpdk.org, "dev@dpdk.org" <dev@dpdk.org>,
Ryan Hall <ryan.e.hall@intel.com>
Subject: Re: [dpdk-dev] [oss-security] DPDK security advisory for multiple vhost crypto issues
Date: Mon, 4 Jan 2021 14:27:59 +0100 [thread overview]
Message-ID: <CAA8xKjUGZPdrDvpisd4YpJfwL1wUMbr5KiM7x_SCNetAsLU8Ww@mail.gmail.com> (raw)
In-Reply-To: <69a35308-0697-780d-8e72-422c7a2173d8@intel.com>
On Mon, Jan 4, 2021 at 12:29 PM Ferruh Yigit <ferruh.yigit@intel.com> wrote:
>
> On 1/4/2021 8:28 AM, Mauro Matteo Cascella wrote:
> > Hello,
> >
> > Is there any particular reason for the Scope metric to be Unchanged
> > (S:U) for CVE-2020-14377 and CVE-2020-14378?
> >
>
> removed dpdk-announce mail list
>
> Hi Mauro,
>
> CVE-2020-14377, the memory over read is in the scope of the same application,
> that is the reason of the unchanged scope. There is another CVE below that can
> use this information to figure out where to overwrite for remote execution which
> has scope set as 'Changed'.
>
> CVE-2020-14378, can cause loop taken longer time and delays the service, since
> it is eating the core cycles, if there is something else using that specific
> core technically it may delay it too, but DPDK mostly uses all core for itself
> and since mainly the vhost crypto service is affected, scope selected as Unchanged.
>
> Is there a concern on the selected scope metric?
>
> Thanks.
>
Thank you for the timely reply. With regard to CVE-2020-14377, the
Scope metric was rated differently by NIST [1] hence my initial
question.
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-14377
> > On Mon, Sep 28, 2020 at 5:43 PM Ferruh Yigit <ferruh.yigit@intel.com> wrote:
> >>
> >> A set of vulnerabilities are fixed in DPDK:
> >> - CVE-2020-14374
> >> - CVE-2020-14375
> >> - CVE-2020-14376
> >> - CVE-2020-14377
> >> - CVE-2020-14378
> >>
> >> Some downstream stakeholders were warned in advance in order to coordinate the
> >> release of fixes and reduce the vulnerability window.
> >>
> >> Problem:
> >> A malicious guest can harm the host using vhost crypto, this includes
> >> executing code in host (VM Escape), reading host application memory
> >> space to guest and causing partially denial of service in the host.
> >>
From the problem statement above I assume all these CVEs lead to some
kind of guest-to-host compromise, which usually implies a Scope change
(or at least, this holds true for QEMU flaws). Therefore I was
wondering what's the reason behind the different evaluation of the
Scope metric between CVE-2020-14377 and the others.
Regards.
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
prev parent reply other threads:[~2021-01-04 13:28 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-28 15:23 [dpdk-dev] " Ferruh Yigit
2021-01-04 8:28 ` [dpdk-dev] [oss-security] " Mauro Matteo Cascella
2021-01-04 11:27 ` Ferruh Yigit
2021-01-04 13:27 ` Mauro Matteo Cascella [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAA8xKjUGZPdrDvpisd4YpJfwL1wUMbr5KiM7x_SCNetAsLU8Ww@mail.gmail.com \
--to=mcascell@redhat.com \
--cc=dev@dpdk.org \
--cc=ferruh.yigit@intel.com \
--cc=oss-security@lists.openwall.com \
--cc=ryan.e.hall@intel.com \
--cc=security-prerelease@dpdk.org \
--cc=security@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).