Alpine: multiple xen packages: security update to 4.13.1-r4

Severity: High. Tenable Self-Hosted Container Security, Plugin ID 424712

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid
event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that
an event channel, once valid, will not become invalid over the lifetime of a guest. However, operations
like the resetting of all event channels may involve decreasing one of the bounds checked when determining
validity. This may lead to bug checks triggering, crashing the host. An unprivileged guest may be able to
crash Xen, leading to a Denial of Service (DoS) for the entire system. All Xen versions from 4.4 onwards
are vulnerable. Xen versions 4.3 and earlier are not vulnerable. Only systems with untrusted guests
permitted to create more than the default number of event channels are vulnerable. This number depends on
the architecture and type of guest. For 32-bit x86 PV guests, this is 1023; for 64-bit x86 PV guests, and
for all ARM guests, this number is 4095. Systems where untrusted guests are limited to fewer than this
number are not vulnerable. Note that xl and libxl limit max_event_channels to 1023 by default, so systems
using exclusively xl, libvirt+libxl, or their own toolstack based on libxl, and not explicitly setting
max_event_channels, are not vulnerable. (CVE-2020-25597)

- An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor
crash. An inverted conditional in x86 HVM guests' dirty video RAM tracking code allows such guests to make
Xen de-reference a pointer guaranteed to point at unmapped space. A malicious or buggy HVM guest may cause
the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Xen versions from
4.8 onwards are affected. Xen versions 4.7 and earlier are not affected. Only x86 systems are affected.
Arm systems are not affected. Only x86 HVM guests using shadow paging can leverage the vulnerability. In
addition, there needs to be an entity actively monitoring a guest's video frame buffer (typically for
display purposes) in order for such a guest to be able to leverage the vulnerability. x86 PV guests, as
well as x86 HVM guests using hardware assisted paging (HAP), cannot leverage the vulnerability.
(CVE-2020-15563)

- An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash
because of a missing alignment check in VCPUOP_register_vcpu_info. The hypercall VCPUOP_register_vcpu_info
is used by a guest to register a shared region with the hypervisor. The region will be mapped into Xen
address space so it can be directly accessed. On Arm, the region is accessed with instructions that
require a specific alignment. Unfortunately, there is no check that the address provided by the guest will
be correctly aligned. As a result, a malicious guest could cause a hypervisor crash by passing a
misaligned address. A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of
Service (DoS). All Xen versions are vulnerable. Only Arm systems are vulnerable. x86 systems are not
affected. (CVE-2020-15564)

- An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS
denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When
page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore,
IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to
memory after changes were made. Such writing back of cached data was missing in particular when splitting
large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA
access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading
to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2
onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not
affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device
assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table
sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support
compatible. (CVE-2020-15565)

- An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of
incorrect error handling in event-channel port allocation. The allocation of an event-channel port may
fail for multiple reasons: (1) port is already in use, (2) the memory allocation failed, or (3) the port
we try to allocate is higher than what is supported by the ABI (e.g., 2L or FIFO) used by the guest or the
limit set by an administrator (max_event_channels in xl cfg). Due to the missing error checks, only (1)
will be considered an error. All the other cases will provide a valid port and will result in a crash when
trying to access the event channel. When the administrator configured a guest to allow more than 1023
event channels, that guest may be able to crash the host. When Xen is out-of-memory, allocation of new
event channels will result in crashing the host rather than reporting an error. Xen versions 4.10 and
later are affected. All architectures are affected. The default configuration, when guests are created
with xl/libxl, is not vulnerable, because of the default event-channel limit. (CVE-2020-15566)
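
The event-channel precondition shared by CVE-2020-25597 and CVE-2020-15566 can be checked from guest configuration. The following is an added example, not code from Tenable or the Xen project: it reads xl guest configuration text and reports which of the two configuration conditions described above a guest meets. The guest-kind labels, function names and sample configs are constructed for illustration, and a finding only matters on hosts still running an unpatched xen package.

```python
import re

# Thresholds taken from the advisory text above.
LIBXL_DEFAULT = 1023  # xl/libxl default for max_event_channels
# Default number of event channels per guest type (CVE-2020-25597).
# The keys are labels made up for this example.
DEFAULT_CHANNELS = {"x86_pv32": 1023, "x86_pv64": 4095, "arm": 4095}

_KEY = re.compile(r"""^\s*max_event_channels\s*=\s*["']?(0[xX][0-9a-fA-F]+|\d+)""")

def max_event_channels(cfg_text):
    """Return max_event_channels from xl cfg text, or the libxl default if unset.
    If the key is set more than once, the highest value is used (conservative)."""
    values = []
    for line in cfg_text.splitlines():
        line = line.split("#", 1)[0]  # ignore comments and commented-out settings
        m = _KEY.match(line)
        if m:
            s = m.group(1)
            values.append(int(s, 16) if s.lower().startswith("0x") else int(s))
    return max(values) if values else LIBXL_DEFAULT

def assess(cfg_text, guest_kind, untrusted=True):
    """Return (limit, [CVE ids whose configuration precondition is met])."""
    limit = max_event_channels(cfg_text)
    findings = []
    # CVE-2020-25597: untrusted guest permitted more than the default number.
    # Guest kinds the advisory does not list are compared against 1023,
    # an assumption chosen so that the check over-reports rather than misses.
    if untrusted and limit > DEFAULT_CHANNELS.get(guest_kind, LIBXL_DEFAULT):
        findings.append("CVE-2020-25597")
    # CVE-2020-15566: guest configured to allow more than 1023 event channels.
    # (The out-of-memory case of this CVE does not depend on guest config.)
    if limit > LIBXL_DEFAULT:
        findings.append("CVE-2020-15566")
    return limit, findings

# Constructed sample guest configs.
CFG_DEFAULT = 'name = "guest-a"\nmemory = 2048\n# max_event_channels = 8192\n'
CFG_RAISED = 'name = "guest-b"\nmax_event_channels = 4096  # raised for many vifs\n'
CFG_MID = 'name = "guest-c"\nmax_event_channels=2048\n'

if __name__ == "__main__":
    for name, cfg, kind in [("guest-a", CFG_DEFAULT, "x86_pv64"),
                            ("guest-b", CFG_RAISED, "x86_pv64"),
                            ("guest-c", CFG_MID, "arm")]:
        print(name, kind, assess(cfg, kind))
```
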

See Also

https://security.alpinelinux.org/vuln/CVE-2020-15563

https://security.alpinelinux.org/vuln/CVE-2020-15564

https://security.alpinelinux.org/vuln/CVE-2020-15565

https://security.alpinelinux.org/vuln/CVE-2020-15566

https://security.alpinelinux.org/vuln/CVE-2020-15567

https://security.alpinelinux.org/vuln/CVE-2020-25595

https://security.alpinelinux.org/vuln/CVE-2020-25596

https://security.alpinelinux.org/vuln/CVE-2020-25597

https://security.alpinelinux.org/vuln/CVE-2020-25598

https://security.alpinelinux.org/vuln/CVE-2020-25599

https://security.alpinelinux.org/vuln/CVE-2020-25600

https://security.alpinelinux.org/vuln/CVE-2020-25601

https://security.alpinelinux.org/vuln/CVE-2020-25602

https://security.alpinelinux.org/vuln/CVE-2020-25603

https://security.alpinelinux.org/vuln/CVE-2020-25604

Plugin Details

Severity: High

ID: 424712

Version: Revision 1.7

Type: Local

Published: 4/4/2025

Updated: 5/31/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.35

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 4.5

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:C

CVSS Score Source: CVE-2020-25597

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2020-15565

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 7/7/2020

Reference Information

CVE: CVE-2020-15563, CVE-2020-15564, CVE-2020-15565, CVE-2020-15566, CVE-2020-15567, CVE-2020-25595, CVE-2020-25596, CVE-2020-25597, CVE-2020-25598, CVE-2020-25599, CVE-2020-25600, CVE-2020-25601, CVE-2020-25602, CVE-2020-25603, CVE-2020-25604

IAVB: 2020-B-0034-S, 2020-B-0056-S