https://xenbits.xen.org/xsa/advisory-345.html

openSUSE-SU-2020:1783

openSUSE-SU-2020:1844

GLSA-202011-06

FEDORA-2020-6dd36a716c

DSA-4804

[oss-security] 20210119 Xen Security Advisory 345 v4 (CVE-2020-27672) - x86: Race condition in Xen mapping code

http://xenbits.xen.org/xsa/advisory-345.html

The remote SUSE Linux SLES11 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2020:14557-1 advisory.

  - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while     processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user     within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host,     resulting in a denial of service. (CVE-2020-25723)

  - An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a denial of service     (data corruption), cause a data leak, or possibly gain privileges because an AMD IOMMU page-table entry     can be half-updated. (CVE-2020-27670)

  - An issue was discovered in Xen through 4.14.x allowing x86 HVM and PVH guest OS users to cause a denial of     service (data corruption), cause a data leak, or possibly gain privileges because coalescing of per-page     IOMMU TLB flushes is mishandled. (CVE-2020-27671)

  - An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a host OS denial of     service, achieve data corruption, or possibly gain privileges by exploiting a race condition that leads to     a use-after-free involving 2MiB and 1GiB superpages. (CVE-2020-27672)

  - An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges     by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an     INVLPG-like attack technique. (CVE-2020-27674)

  - Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from     outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a Platypus     attack. NOTE: there is only one logically independent fix: to change the access control for each such     interface in Xen. (CVE-2020-28368)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2021-0014 for details.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an issue allowing x86 guest OS users to cause a host OS denial of service, achieve data corruption, or possibly gain privileges by exploiting a race condition that leads to a use-after-free involving 2MiB and 1GiB superpages.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

This update for xen fixes the following issues :

bsc#1178963 - stack corruption from XSA-346 change (XSA-355)

bsc#1177409 - CVE-2020-27674: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286)

bsc#1177412 - CVE-2020-27672: Race condition in Xen mapping code (XSA-345)

bsc#1177413 - CVE-2020-27671: undue deferral of IOMMU TLB flushes (XSA-346)

bsc#1177414 - CVE-2020-27670: unsafe AMD IOMMU page table updates (XSA-347)

bsc#1178591 - CVE-2020-28368: Intel RAPL sidechannel attack aka PLATYPUS attack aka XSA-351

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

bsc#1178963 - VUL-0: xen: stack corruption from XSA-346 change (XSA-355)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

bsc#1177409 - VUL-0: CVE-2020-27673: xen: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286)

bsc#1177412 - VUL-0: CVE-2020-27672: xen: Race condition in Xen mapping code (XSA-345)

bsc#1177413 - VUL-0: CVE-2020-27671: xen: undue deferral of IOMMU TLB flushes (XSA-346)

bsc#1177414 - VUL-0: CVE-2020-27670: xen: unsafe AMD IOMMU page table updates (XSA-347)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

  - bsc#1178963 - VUL-0: xen: stack corruption from XSA-346     change (XSA-355) 

This update was imported from the SUSE:SLE-15-SP1:Update update project.

This update for xen fixes the following issues :

  - bsc#1178963 - VUL-0: xen: stack corruption from XSA-346     change (XSA-355) 

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or information leaks.

revised patch for XSA-286 (mitigating performance impact)

----

x86 PV guest INVLPG-like flushes may leave stale TLB entries [XSA-286, CVE-2020-27674] (#1891092)

----

x86: Race condition in Xen mapping code [XSA-345] undue deferral of IOMMU TLB flushes [XSA-346] unsafe AMD IOMMU page table updates [XSA-347]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-202011-06 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

This update for xen fixes the following issues :

  - bsc#1177409 - VUL-0: CVE-2020-27673: xen: x86 PV guest     INVLPG-like flushes may leave stale TLB entries     (XSA-286)

  - bsc#1177412 - VUL-0: CVE-2020-27672: xen: Race condition     in Xen mapping code (XSA-345)

  - bsc#1177413 - VUL-0: CVE-2020-27671: xen: undue deferral     of IOMMU TLB flushes (XSA-346)

  - bsc#1177414 - VUL-0: CVE-2020-27670: xen: unsafe AMD     IOMMU page table updates (XSA-347)

This update was imported from the SUSE:SLE-15-SP1:Update update project.

This update for xen fixes the following issues :

  - bsc#1177409 - VUL-0: CVE-2020-27673: xen: x86 PV guest     INVLPG-like flushes may leave stale TLB entries     (XSA-286)

  - bsc#1177412 - VUL-0: CVE-2020-27672: xen: Race condition     in Xen mapping code (XSA-345)

  - bsc#1177413 - VUL-0: CVE-2020-27671: xen: undue deferral     of IOMMU TLB flushes (XSA-346)

  - bsc#1177414 - VUL-0: CVE-2020-27670: xen: unsafe AMD     IOMMU page table updates (XSA-347)

This update was imported from the SUSE:SLE-15-SP2:Update update project.

ID	Name	Product	Family	Severity
150513	SUSE SLES11 Security Update : xen (SUSE-SU-2020:14557-1)	Nessus	SuSE Local Security Checks	high
150180	OracleVM 3.4 : xen (OVMSA-2021-0014)	Nessus	OracleVM Local Security Checks	high
149033	Xen x86 Race Condition Use-After-Free (XSA-345)	Nessus	Misc.	high
144102	SUSE SLES12 Security Update : xen (SUSE-SU-2020:3742-1)	Nessus	SuSE Local Security Checks	high
143878	SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2020:3615-1)	Nessus	SuSE Local Security Checks	high
143861	SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2020:3611-1)	Nessus	SuSE Local Security Checks	high
143824	SUSE SLES12 Security Update : xen (SUSE-SU-2020:3653-1)	Nessus	SuSE Local Security Checks	high
143820	SUSE SLES12 Security Update : xen (SUSE-SU-2020:3050-1)	Nessus	SuSE Local Security Checks	high
143813	SUSE SLES12 Security Update : xen (SUSE-SU-2020:3088-1)	Nessus	SuSE Local Security Checks	high
143811	SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2020:3051-1)	Nessus	SuSE Local Security Checks	high
143674	SUSE SLES12 Security Update : xen (SUSE-SU-2020:3631-1)	Nessus	SuSE Local Security Checks	high
143670	SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2020:3049-1)	Nessus	SuSE Local Security Checks	high
143538	openSUSE Security Update : xen (openSUSE-2020-2192)	Nessus	SuSE Local Security Checks	high
143506	openSUSE Security Update : xen (openSUSE-2020-2162)	Nessus	SuSE Local Security Checks	high
143500	Debian DSA-4804-1 : xen - security update	Nessus	Debian Local Security Checks	high
143135	Fedora 31 : xen (2020-6dd36a716c)	Nessus	Fedora Local Security Checks	high
142854	GLSA-202011-06 : Xen: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
142526	openSUSE Security Update : xen (openSUSE-2020-1844)	Nessus	SuSE Local Security Checks	high
142185	openSUSE Security Update : xen (openSUSE-2020-1783)	Nessus	SuSE Local Security Checks	high

CVE-2020-27672

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high