CVE-2020-15565

HIGH
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2 onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible.

References

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00024.html

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00031.html

http://www.openwall.com/lists/oss-security/2020/07/07/4

http://xenbits.xen.org/xsa/advisory-321.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/MXESCOVI7AVRNC7HEAMFM7PMEO6D3AUH/

https://lists.fedoraproject.org/archives/list/[email protected]/message/VB3QJJZV23Z2IDYEMIHELWYSQBUEW6JP/

https://security.gentoo.org/glsa/202007-02

https://www.debian.org/security/2020/dsa-4723

Details

Source: MITRE

Published: 2020-07-07

Updated: 2020-07-27

Type: CWE-400

Risk Information

CVSS v2

Base Score: 6.1

Vector: AV:L/AC:L/Au:N/C:P/I:P/A:C

Impact Score: 8.5

Exploitability Score: 3.9

Severity: MEDIUM

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Impact Score: 6

Exploitability Score: 2

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:* versions from 3.2.0 to 4.13.1 (inclusive)

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:10:*:*:*:*:*:*:*

Tenable Plugins

View all (15 total)

IDNameProductFamilySeverity
150542SUSE SLES11 Security Update : xen (SUSE-SU-2020:14521-1)NessusSuSE Local Security Checks
medium
143805SUSE SLES12 Security Update : xen (SUSE-SU-2020:2822-1)NessusSuSE Local Security Checks
medium
140019OracleVM 3.4 : xen (OVMSA-2020-0039) (Bunker Buster) (Foreshadow) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (Meltdown) (POODLE) (Spectre)NessusOracleVM Local Security Checks
critical
138925GLSA-202007-02 : Xen: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
138864Fedora 31 : xen (2020-76cf2b0f0a)NessusFedora Local Security Checks
high
138749openSUSE Security Update : xen (openSUSE-2020-985)NessusSuSE Local Security Checks
high
138741openSUSE Security Update : xen (openSUSE-2020-965)NessusSuSE Local Security Checks
high
138535Fedora 32 : xen (2020-fbc13516af)NessusFedora Local Security Checks
high
138495SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2020:1902-1)NessusSuSE Local Security Checks
high
138492SUSE SLES12 Security Update : xen (SUSE-SU-2020:1891-1)NessusSuSE Local Security Checks
high
138434SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2020:1889-1)NessusSuSE Local Security Checks
high
138433SUSE SLES12 Security Update : xen (SUSE-SU-2020:1887-1)NessusSuSE Local Security Checks
high
138432SUSE SLES12 Security Update : xen (SUSE-SU-2020:1886-1)NessusSuSE Local Security Checks
high
138394Debian DSA-4723-1 : xen - security updateNessusDebian Local Security Checks
high
138363Xen Insufficient Cache Write-Back (XSA-321)NessusMisc.
high