Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS
denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When
page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore,
IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to
memory after changes were made. Such writing back of cached data was missing in particular when splitting
large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA
access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading
to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2
onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not
affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device
assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table
sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support
compatible. (CVE-2020-15565)
- Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an
authenticated user to potentially enable information disclosure via local access. (CVE-2020-0543)
- An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor
crash. An inverted conditional in x86 HVM guests' dirty video RAM tracking code allows such guests to make
Xen de-reference a pointer guaranteed to point at unmapped space. A malicious or buggy HVM guest may cause
the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Xen versions from
4.8 onwards are affected. Xen versions 4.7 and earlier are not affected. Only x86 systems are affected.
Arm systems are not affected. Only x86 HVM guests using shadow paging can leverage the vulnerability. In
addition, there needs to be an entity actively monitoring a guest's video frame buffer (typically for
display purposes) in order for such a guest to be able to leverage the vulnerability. x86 PV guests, as
well as x86 HVM guests using hardware assisted paging (HAP), cannot leverage the vulnerability.
(CVE-2020-15563)
- An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash
because of a missing alignment check in VCPUOP_register_vcpu_info. The hypercall VCPUOP_register_vcpu_info
is used by a guest to register a shared region with the hypervisor. The region will be mapped into Xen
address space so it can be directly accessed. On Arm, the region is accessed with instructions that
require a specific alignment. Unfortunately, there is no check that the address provided by the guest will
be correctly aligned. As a result, a malicious guest could cause a hypervisor crash by passing a
misaligned address. A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of
Service (DoS). All Xen versions are vulnerable. Only Arm systems are vulnerable. x86 systems are not
affected. (CVE-2020-15564)
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:C
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 6/9/2020