6.1 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:P/I:P/A:C
8.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
14.2%
An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest
OS users to cause a host OS denial of service or possibly gain privileges
because of insufficient cache write-back under VT-d. When page tables are
shared between IOMMU and CPU, changes to them require flushing of both
TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing
IOMMU TLBs, a CPU cache also needs writing back to memory after changes
were made. Such writing back of cached data was missing in particular when
splitting large page mappings into smaller granularity ones. A malicious
guest may be able to retain read/write DMA access to frames returned to
Xen’s free pool, and later reused for another purpose. Host crashes
(leading to a Denial of Service) and privilege escalation cannot be ruled
out. Xen versions from at least 3.2 onwards are affected. Only x86 Intel
systems are affected. x86 AMD as well as Arm systems are not affected. Only
x86 HVM guests using hardware assisted paging (HAP), having a passed
through PCI device assigned, and having page table sharing enabled can
leverage the vulnerability. Note that page table sharing will be enabled
(by default) only if Xen considers IOMMU and CPU large page size support
compatible.
Author | Note |
---|---|
mdeslaur | hypervisor packages are in universe. For issues in the hypervisor, add appropriate tags to each section, ex: Tags_xen: universe-binary |
www.openwall.com/lists/oss-security/2020/07/07/4
xenbits.xen.org/xsa/advisory-321.html
launchpad.net/bugs/cve/CVE-2020-15565
nvd.nist.gov/vuln/detail/CVE-2020-15565
security-tracker.debian.org/tracker/CVE-2020-15565
ubuntu.com/security/notices/USN-5617-1
www.cve.org/CVERecord?id=CVE-2020-15565
xenbits.xen.org/xsa/advisory-321.html
6.1 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:P/I:P/A:C
8.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
14.2%