CVE-2020-29484

Name of the Vulnerable Software and Affected Versions Xen versions through 4.14.x

Description A malicious guest administrator can cause xenstored to crash, leading to a denial of service, by exploiting an issue related to Xenstore watches. When a Xenstore watch fires, the xenstore client receives a Xenstore message containing the path of the modified Xenstore entry and the specified tag. The payload length is limited to 4096 bytes, and any request resulting in a response with a payload longer than 4096 bytes will result in an error. A malicious guest can register a watch using a very large tag, causing the generation of watch events with a payload length larger than 4096 bytes, leading to an error condition in xenstored and potentially a NULL pointer dereference, resulting in a crash of xenstored. Following a xenstored crash, domains may continue to run, but management operations will be impossible.

Recommendations For Xen versions through 4.14.x, consider disabling the watch functionality in xenstored as a temporary workaround until a patch is available. Restrict access to the xenstored service to minimize the risk of exploitation. Avoid using very large tags when registering watches to prevent the generation of watch events with a payload length larger than 4096 bytes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.