CVE-2020-11739
Ubuntu Security Notice USN-5617-1
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. As a consequence, it may be possible to have a writer executing a critical section at the same time as readers or another writer. In other words, many of the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest could exploit the race. For instance, there is a small window where Xen can leak memory if XENMAPSPACE_grant_table is used concurrently. A malicious guest may be able to leak memory, or cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded.
Se detectó un problema en Xen versiones hasta 4.13.x, permitiendo a usuarios invitados del Sistema Operativo causar una denegación de servicio o posiblemente alcanzar privilegios debido a la falta de barreras de memoria en las rutas de desbloqueo de lectura y escritura. Las rutas de desbloqueo de lectura y escritura no contienen una barrera de memoria. En Arm, esto significa que un procesador está habilitado para reordenar el acceso a la memoria con los precedentes. En otras palabras, el desbloqueo puede ser visto por otro procesador antes de que toda la memoria acceda dentro de la sección "critical". Como consecuencia, puede ser posible que un escritor ejecute una sección crítica al mismo tiempo que los lectores u otro escritor. En otras palabras, muchos de los supuestos (por ejemplo, una variable no se puede modificar después de una comprobación) en las secciones críticas ya no son seguros. Los bloqueos de lectura y escritura se usan en hipercalls (tales como los de la tabla de concesión), por lo que un invitado malicioso podría explotar la carrera. Por ejemplo, existe una pequeña ventana donde Xen puede perder memoria si XENMAPSPACE_grant_table es usada simultáneamente. Un invitado malicioso puede perder memoria o causar un bloqueo del hipervisor resultando en una Denegación de Servicio (DoS). Una fuga de información y una escalada de privilegios no pueden ser excluidas.
It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information. Julien Grall discovered that Xen incorrectly handled memory barriers on ARM-based systems. An attacker could possibly use this issue to cause a denial of service, obtain sensitive information or escalate privileges.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-04-14 CVE Reserved
- 2020-04-14 CVE Published
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CAPEC
References (9)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2020/04/14/2 | 2023-11-07 | |
| http://xenbits.xen.org/xsa/advisory-314.html | 2023-11-07 | |
| https://xenbits.xen.org/xsa/advisory-314.html | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | <= 4.13.0 Search vendor "Xen" for product "Xen" and version " <= 4.13.0" | - |
Affected
| ||||||
| Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | 4.13.0 Search vendor "Xen" for product "Xen" and version "4.13.0" | rc1 |
Affected
| ||||||
| Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | 4.13.0 Search vendor "Xen" for product "Xen" and version "4.13.0" | rc2 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 30 Search vendor "Fedoraproject" for product "Fedora" and version "30" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 31 Search vendor "Fedoraproject" for product "Fedora" and version "31" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.1 Search vendor "Opensuse" for product "Leap" and version "15.1" | - |
Affected
| ||||||