CVE-2020-11739
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. As a consequence, it may be possible to have a writer executing a critical section at the same time as readers or another writer. In other words, many of the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest could exploit the race. For instance, there is a small window where Xen can leak memory if XENMAPSPACE_grant_table is used concurrently. A malicious guest may be able to leak memory, or cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded.
Se detectó un problema en Xen versiones hasta 4.13.x, permitiendo a usuarios invitados del Sistema Operativo causar una denegación de servicio o posiblemente alcanzar privilegios debido a la falta de barreras de memoria en las rutas de desbloqueo de lectura y escritura. Las rutas de desbloqueo de lectura y escritura no contienen una barrera de memoria. En Arm, esto significa que un procesador está habilitado para reordenar el acceso a la memoria con los precedentes. En otras palabras, el desbloqueo puede ser visto por otro procesador antes de que toda la memoria acceda dentro de la sección "critical". Como consecuencia, puede ser posible que un escritor ejecute una sección crítica al mismo tiempo que los lectores u otro escritor. En otras palabras, muchos de los supuestos (por ejemplo, una variable no se puede modificar después de una comprobación) en las secciones críticas ya no son seguros. Los bloqueos de lectura y escritura se usan en hipercalls (tales como los de la tabla de concesión), por lo que un invitado malicioso podría explotar la carrera. Por ejemplo, existe una pequeña ventana donde Xen puede perder memoria si XENMAPSPACE_grant_table es usada simultáneamente. Un invitado malicioso puede perder memoria o causar un bloqueo del hipervisor resultando en una Denegación de Servicio (DoS). Una fuga de información y una escalada de privilegios no pueden ser excluidas.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-04-14 CVE Reserved
- 2020-04-14 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CAPEC
References (9)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
http://www.openwall.com/lists/oss-security/2020/04/14/2 | 2023-11-07 | |
http://xenbits.xen.org/xsa/advisory-314.html | 2023-11-07 | |
https://xenbits.xen.org/xsa/advisory-314.html | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | <= 4.13.0 Search vendor "Xen" for product "Xen" and version " <= 4.13.0" | - |
Affected
| ||||||
Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | 4.13.0 Search vendor "Xen" for product "Xen" and version "4.13.0" | rc1 |
Affected
| ||||||
Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | 4.13.0 Search vendor "Xen" for product "Xen" and version "4.13.0" | rc2 |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 30 Search vendor "Fedoraproject" for product "Fedora" and version "30" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 31 Search vendor "Fedoraproject" for product "Fedora" and version "31" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.1 Search vendor "Opensuse" for product "Leap" and version "15.1" | - |
Affected
|