![](/assets/img/cve_300x82_sin_bg.png)
CVE-2020-25596 – Ubuntu Security Notice USN-5617-1
https://notcve.org/view.php?id=CVE-2020-25596
23 Sep 2020 — An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. This causes the guest kernel to observe a kernel-privilege #GP fault (typically fatal) rather than a user-privilege #GP fault (usually converted into SIGSEGV/etc.). Malicious or buggy userspace can crash the guest... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2020-25604 – Ubuntu Security Notice USN-5617-1
https://notcve.org/view.php?id=CVE-2020-25604
23 Sep 2020 — An issue was discovered in Xen through 4.14.x. There is a race condition when migrating timers between x86 HVM vCPUs. When migrating timers of x86 HVM guests between its vCPUs, the locking model used allows for a second vCPU of the same guest (also operating on the timers) to release a lock that it didn't acquire. The most likely effect of the issue is a hang or crash of the hypervisor, i.e., a Denial of Service (DoS). All versions of Xen are affected. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2020-25601 – Ubuntu Security Notice USN-5617-1
https://notcve.org/view.php?id=CVE-2020-25601
23 Sep 2020 — An issue was discovered in Xen through 4.14.x. There is a lack of preemption in evtchn_reset() / evtchn_destroy(). In particular, the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these (when resetting all event channels or when cleaning up after the guest) may take extended periods of time. So far, there was no arrangement for preemption at suitable intervals, allowing a CPU to spend an almost unbounded amount of time in the processing of t... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html •
CVE-2020-25600 – Ubuntu Security Notice USN-5617-1
https://notcve.org/view.php?id=CVE-2020-25600
23 Sep 2020 — An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so-called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains can use only 1023 channels, due to limited space in their shared (between guest and Xen) information structure, whereas all other domains can use up to 4095 in this model. The recording of the respective limit d... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html • CWE-787: Out-of-bounds Write •
CVE-2020-25599 – Ubuntu Security Notice USN-5617-1
https://notcve.org/view.php?id=CVE-2020-25599
23 Sep 2020 — An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory accesses or triggering of bug checks. In particular, x86 PV guests may be able to elevate their privilege to that of the host. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2020-25597 – Ubuntu Security Notice USN-5617-1
https://notcve.org/view.php?id=CVE-2020-25597
23 Sep 2020 — An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the lifetime of a guest. However, operations like the resetting of all event channels may involve decreasing one of the bounds checked when determining validity. This may lead to bug checks triggering, crashing the host. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html • CWE-755: Improper Handling of Exceptional Conditions •
CVE-2020-25595 – Ubuntu Security Notice USN-5617-1
https://notcve.org/view.php?id=CVE-2020-25595
23 Sep 2020 — An issue was discovered in Xen through 4.14.x. The PCI passthrough code improperly uses register data. Code paths in Xen's MSI handling have been identified that act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect these registers, experience shows that it's very common for devices to have out-of-spec "backdoor" operations that can affect the result of these reads. A not fully trusted guest may be able to cra... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html • CWE-269: Improper Privilege Management •
CVE-2020-15852
https://notcve.org/view.php?id=CVE-2020-15852
20 Jul 2020 — An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap mishandling causes a loss of synchronization between the I/O bitmaps of TSS and Xen, aka CID-cadfad870154. • http://www.openwall.com/lists/oss-security/2020/07/21/2 • CWE-276: Incorrect Default Permissions •
CVE-2020-15567 – Ubuntu Security Notice USN-5617-1
https://notcve.org/view.php?id=CVE-2020-15567
07 Jul 2020 — An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE. When mapping guest EPT (nested paging) tables, Xen would in some circumstances use a series of non-atomic bitfield writes. Depending on the compiler version and optimisation flags, Xen might expose a dangerous partially written PTE to the hardware, which an attacker might be able to race to exploit. A guest administrator or perhaps... • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00024.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2020-15564 – Ubuntu Security Notice USN-5617-1
https://notcve.org/view.php?id=CVE-2020-15564
07 Jul 2020 — An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash because of a missing alignment check in VCPUOP_register_vcpu_info. The hypercall VCPUOP_register_vcpu_info is used by a guest to register a shared region with the hypervisor. The region will be mapped into Xen address space so it can be directly accessed. On Arm, the region is accessed with instructions that require a specific alignment. Unfortunately, there is no check that the address provided by the gue... • http://www.openwall.com/lists/oss-security/2020/07/07/5 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •