CVE-2020-25597
Ubuntu Security Notice USN-5617-1
Public Exploits: 0
Exploited in Wild: -
Descriptions
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the lifetime of a guest. However, operations like the resetting of all event channels may involve decreasing one of the bounds checked when determining validity. This may lead to bug checks triggering, crashing the host. An unprivileged guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. All Xen versions from 4.4 onwards are vulnerable. Xen versions 4.3 and earlier are not vulnerable. Only systems with untrusted guests permitted to create more than the default number of event channels are vulnerable. This number depends on the architecture and type of guest. For 32-bit x86 PV guests, this is 1023; for 64-bit x86 PV guests, and for all ARM guests, this number is 4095. Systems where untrusted guests are limited to fewer than this number are not vulnerable. Note that xl and libxl limit max_event_channels to 1023 by default, so systems using exclusively xl, libvirt+libxl, or their own toolstack based on libxl, and not explicitly setting max_event_channels, are not vulnerable.
It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information. Julien Grall discovered that Xen incorrectly handled memory barriers on ARM-based systems. An attacker could possibly use this issue to cause a denial of service, obtain sensitive information or escalate privileges.
Timeline
- 2020-09-16 CVE Reserved
- 2020-09-23 CVE Published
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
CWE
- CWE-755: Improper Handling of Exceptional Conditions
References (7)
URL | Date | SRC |
---|---|---|
https://xenbits.xen.org/xsa/advisory-338.html | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Xen | Xen | >= 4.4.0 <= 4.14.0 | - | Affected |
Fedoraproject | Fedora | 31 | - | Affected |