CVE-2020-11739

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. As a consequence, it may be possible to have a writer executing a critical section at the same time as readers or another writer. In other words, many of the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest could exploit the race. For instance, there is a small window where Xen can leak memory if XENMAPSPACE_grant_table is used concurrently. A malicious guest may be able to leak memory, or cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded.

Se detectó un problema en Xen versiones hasta 4.13.x, permitiendo a usuarios invitados del Sistema Operativo causar una denegación de servicio o posiblemente alcanzar privilegios debido a la falta de barreras de memoria en las rutas de desbloqueo de lectura y escritura. Las rutas de desbloqueo de lectura y escritura no contienen una barrera de memoria. En Arm, esto significa que un procesador está habilitado para reordenar el acceso a la memoria con los precedentes. En otras palabras, el desbloqueo puede ser visto por otro procesador antes de que toda la memoria acceda dentro de la sección "critical". Como consecuencia, puede ser posible que un escritor ejecute una sección crítica al mismo tiempo que los lectores u otro escritor. En otras palabras, muchos de los supuestos (por ejemplo, una variable no se puede modificar después de una comprobación) en las secciones críticas ya no son seguros. Los bloqueos de lectura y escritura se usan en hipercalls (tales como los de la tabla de concesión), por lo que un invitado malicioso podría explotar la carrera. Por ejemplo, existe una pequeña ventana donde Xen puede perder memoria si XENMAPSPACE_grant_table es usada simultáneamente. Un invitado malicioso puede perder memoria o causar un bloqueo del hipervisor resultando en una Denegación de Servicio (DoS). Una fuga de información y una escalada de privilegios no pueden ser excluidas.

*Credits: N/A

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-04-14 CVE Reserved
2020-04-14 CVE Published
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (9)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2020/04/14/2	2023-11-07
http://xenbits.xen.org/xsa/advisory-314.html	2023-11-07
https://xenbits.xen.org/xsa/advisory-314.html	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00006.html	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5M2XRNCHOGGTJQBZQJ7DCV6ZNAKN3LE2	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NVTP4OYHCTRU3ONFJOFJQVNDFB25KLLG	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YMAW7D2MP6RE4BFI5BZWOBBWGY3VSOFN	2023-11-07
https://security.gentoo.org/glsa/202005-08	2023-11-07
https://www.debian.org/security/2020/dsa-4723	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				<= 4.13.0 Search vendor "Xen" for product "Xen" and version " <= 4.13.0"		-		Affected
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				4.13.0 Search vendor "Xen" for product "Xen" and version "4.13.0"		rc1		Affected
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				4.13.0 Search vendor "Xen" for product "Xen" and version "4.13.0"		rc2		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				30 Search vendor "Fedoraproject" for product "Fedora" and version "30"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				32 Search vendor "Fedoraproject" for product "Fedora" and version "32"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected