Bug 1809948 (CVE-2020-10702) - CVE-2020-10702 qemu: weak signature generation in Pointer Authentication support for ARM
Summary: CVE-2020-10702 qemu: weak signature generation in Pointer Authentication supp...
Keywords:
Status: NEW
Alias: CVE-2020-10702
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1820234 1813940
Blocks: 1809099
TreeView+ depends on / blocked
 
Reported: 2020-03-04 09:42 UTC by Mauro Matteo Cascella
Modified: 2020-07-10 21:41 UTC (History)
37 users (show)

Fixed In Version: qemu 5.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2020-03-04 09:42:50 UTC
A flaw was found in QEMU Pointer Authentication (PAuth) support for ARM introduced in version 4.0.
Specifically, a general failure of the signature generation process causes every PAuth-enforced pointer to be signed with the same signature, resulting in weaker encryption than advertised by the design of the PAuth technique.

An attacker can easily obtain the signature of the protected pointer, and bypass PAuth through brute force guessing or information disclosure vulnerabilities, and all programs running on QEMU will lose protection from PAuth.

Comment 2 Andrew Jones 2020-03-09 19:24:12 UTC
(In reply to Mauro Matteo Cascella from comment #1)
> Statement:
> 
> This flaw did not affect the versions of `qemu-kvm-ma` as shipped with Red
> Hat Enterprise Linux for ARM 64 7 as they did not include support for
> Pointer Authentication. The same is true for the versions of `qemu-kvm` as
> shipped with Red Hat Enterprise Linux 6, 7 and 8.

qemu-kvm-av (Advanced Virtualization) is based on QEMU 4.2 for RHEL 8.2, so it does contain PAuth support. However, we don't generally support the use of QEMU as an emulator. We only support its use with KVM. Additionally, the RHEL 8 guest kernel (which is the only supported guest kernel) already has ARM64_USER_VA_BITS_52 enabled, so nobody should be counting on PAuth with that.

I agree with keeping the priority/severity of this bug low.

Comment 5 Joshua Padman 2020-03-11 22:35:40 UTC
Statement:

Several packages are unaffected because they do not include support for Pointer Authentication. These include:
* `qemu-kvm-ma` as shipped with Red Hat Enterprise Linux for ARM 64 7
* `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, 7 and 8
* `qemu-kvm-rhev` as shipped with Red Hat OpenStack Platform 10 and 13

Comment 11 Mauro Matteo Cascella 2020-04-02 10:22:02 UTC
Upstream fix:
https://git.qemu.org/?p=qemu.git;a=commit;h=de0b1bae6461f67243282555475f88b2384a1eb9

Comment 12 Mauro Matteo Cascella 2020-04-02 14:54:00 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1820234]

Comment 14 Mauro Matteo Cascella 2020-04-06 10:28:04 UTC
Acknowledgments:

Name: Xingman Chen, Yuan Li (NISL, Tsinghua University)


Note You need to log in before you can comment on or make changes to this bug.