CVE-2020-15567

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE. When mapping guest EPT (nested paging) tables, Xen would in some circumstances use a series of non-atomic bitfield writes. Depending on the compiler version and optimisation flags, Xen might expose a dangerous partially written PTE to the hardware, which an attacker might be able to race to exploit. A guest administrator or perhaps even an unprivileged guest user might be able to cause denial of service, data corruption, or privilege escalation. Only systems using Intel CPUs are vulnerable. Systems using AMD CPUs, and Arm systems, are not vulnerable. Only systems using nested paging (hap, aka nested paging, aka in this case Intel EPT) are vulnerable. Only HVM and PVH guests can exploit the vulnerability. The presence and scope of the vulnerability depends on the precise optimisations performed by the compiler used to build Xen. If the compiler generates (a) a single 64-bit write, or (b) a series of read-modify-write operations in the same order as the source code, the hypervisor is not vulnerable. For example, in one test build using GCC 8.3 with normal settings, the compiler generated multiple (unlocked) read-modify-write operations in source-code order, which did not constitute a vulnerability. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code-generation options). The source code clearly violates the C rules, and thus should be considered vulnerable.

References

http://xenbits.xen.org/xsa/advisory-328.html

http://www.openwall.com/lists/oss-security/2020/07/07/6

https://www.debian.org/security/2020/dsa-4723

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00024.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/VB3QJJZV23Z2IDYEMIHELWYSQBUEW6JP/

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00031.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/MXESCOVI7AVRNC7HEAMFM7PMEO6D3AUH/

https://security.gentoo.org/glsa/202007-02

Details

Source: MITRE

Published: 2020-07-07

Updated: 2021-07-21

Type: CWE-362

Risk Information

CVSS v2

Base Score: 4.4

Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 3.4

Severity: MEDIUM

CVSS v3

Base Score: 7.8

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Impact Score: 6

Exploitability Score: 1.1

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:* versions up to 4.13.1 (inclusive)

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Tenable Plugins

View all (15 total)

IDNameProductFamilySeverity
150542SUSE SLES11 Security Update : xen (SUSE-SU-2020:14521-1)NessusSuSE Local Security Checks
medium
149089Xen Paging Tables Race Condition (XSA-328)NessusMisc.
high
143805SUSE SLES12 Security Update : xen (SUSE-SU-2020:2822-1)NessusSuSE Local Security Checks
medium
140019OracleVM 3.4 : xen (OVMSA-2020-0039) (Bunker Buster) (Foreshadow) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (Meltdown) (POODLE) (Spectre)NessusOracleVM Local Security Checks
critical
138925GLSA-202007-02 : Xen: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
138864Fedora 31 : xen (2020-76cf2b0f0a)NessusFedora Local Security Checks
high
138749openSUSE Security Update : xen (openSUSE-2020-985)NessusSuSE Local Security Checks
high
138741openSUSE Security Update : xen (openSUSE-2020-965)NessusSuSE Local Security Checks
high
138535Fedora 32 : xen (2020-fbc13516af)NessusFedora Local Security Checks
high
138495SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2020:1902-1)NessusSuSE Local Security Checks
high
138492SUSE SLES12 Security Update : xen (SUSE-SU-2020:1891-1)NessusSuSE Local Security Checks
high
138434SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2020:1889-1)NessusSuSE Local Security Checks
high
138433SUSE SLES12 Security Update : xen (SUSE-SU-2020:1887-1)NessusSuSE Local Security Checks
high
138432SUSE SLES12 Security Update : xen (SUSE-SU-2020:1886-1)NessusSuSE Local Security Checks
high
138394Debian DSA-4723-1 : xen - security updateNessusDebian Local Security Checks
high