CVE-2020-25595

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Xen through 4.14.x. The PCI passthrough code improperly uses register data. Code paths in Xen's MSI handling have been identified that act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect these registers, experience shows that it's very common for devices to have out-of-spec "backdoor" operations that can affect the result of these reads. A not fully trusted guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. Privilege escalation and information leaks cannot be excluded. All versions of Xen supporting PCI passthrough are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only guests with passed through PCI devices may be able to leverage the vulnerability. Only systems passing through devices with out-of-spec ("backdoor") functionality can cause issues. Experience shows that such out-of-spec functionality is common; unless you have reason to believe that your device does not have such functionality, it's better to assume that it does.

Se detectó un problema en Xen versiones hasta 4.14.x. El código pasado a través de PCI utiliza incorrectamente los datos de registro. Se han identificado rutas de código en el manejo de MSI de Xen que actúan sobre valores no saneados leídos de los registros de hardware del dispositivo. Si bien los dispositivos que cumplen estrictamente con las especificaciones PCI no deberían poder afectar estos registros, la experiencia señala que es muy común que los dispositivos tengan operaciones de "backdoor" fuera de especificaciones que pueden afectar el resultado de estas lecturas. Un invitado en el que no se confía plenamente puede bloquear Xen, conllevando a una denegación de servicio (DoS) para todo el sistema. Una escalada de privilegios y el filtrado de información no pueden ser excluidos. Todas las versiones de Xen que admiten el paso a través de PCI están afectadas. Solo los sistemas x86 son vulnerables. Los sistemas Arm no son vulnerables. Solo los invitados con dispositivos PCI pasados ??pueden aprovechar la vulnerabilidad. Solo los sistemas que pasan a través de dispositivos con funcionalidad fuera de especificación ("backdoor") pueden causar problemas. La experiencia señala que esta funcionalidad fuera de especificación es común; a menos que tenga motivos para creer que su dispositivo no tiene dicha funcionalidad, es mejor asumir que sí

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-09-16 CVE Reserved
2020-09-23 CVE Published
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-269: Improper Privilege Management

CAPEC

References (7)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://xenbits.xen.org/xsa/advisory-337.html	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4JRXMKEMQRQYWYEPHVBIWUEAVQ3LU4FN	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DA633Y3G5KX7MKRN4PFEGM3IVTJMBEOM	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RJZERRBJN6E6STDCHT4JHP4MI6TKBCJE	2023-11-07
https://security.gentoo.org/glsa/202011-06	2023-11-07
https://www.debian.org/security/2020/dsa-4769	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				<= 4.14.0 Search vendor "Xen" for product "Xen" and version " <= 4.14.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				32 Search vendor "Fedoraproject" for product "Fedora" and version "32"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.2 Search vendor "Opensuse" for product "Leap" and version "15.2"		-		Affected