// For flags

CVE-2020-25603

 

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An issue was discovered in Xen through 4.14.x. There are missing memory barriers when accessing/allocating an event channel. Event channels control structures can be accessed lockless as long as the port is considered to be valid. Such a sequence is missing an appropriate memory barrier (e.g., smp_*mb()) to prevent both the compiler and CPU from re-ordering access. A malicious guest may be able to cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded. Systems running all versions of Xen are affected. Whether a system is vulnerable will depend on the CPU and compiler used to build Xen. For all systems, the presence and the scope of the vulnerability depend on the precise re-ordering performed by the compiler used to build Xen. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code generation options). GCC documentation clearly suggests that re-ordering is possible. Arm systems will also be vulnerable if the CPU is able to re-order memory access. Please consult your CPU vendor. x86 systems are only vulnerable if a compiler performs re-ordering.

Se detectó un problema en Xen versiones hasta 4.14.x. Se presenta una carencia de barreras de memoria al acceder y asignar un canal de eventos. Las estructuras de control de canales de eventos pueden ser accedidas sin lock siempre que el puerto se considere válido. A dicha secuencia le falta una barrera de memoria adecuada (por ejemplo, smp_* mb()) para evitar que tanto el compilador como la CPU reordenen el acceso. Un invitado malicioso puede causar un bloqueo del hypervisor que resulte en una Denegación de Servicio (DoS). Un filtrado de información y una escalada de privilegios no puede ser excluidas. Los sistemas que ejecutan todas las versiones de Xen están afectados. La vulnerabilidad de un sistema dependerá de la CPU y el compilador usados para construir Xen. Para todos los sistemas, la presencia y el alcance de la vulnerabilidad dependen del reordenamiento preciso realizado por el compilador utilizado para compilar Xen. No hemos podido encuestar a los compiladores; en consecuencia, no podemos decir qué compilador (es) podrían producir código vulnerable (con cuales opciones de generación de código). La documentación de GCC sugiere claramente que el reordenamiento es posible. Los sistemas Arm también serán vulnerables si la CPU puede reordenar el acceso a la memoria. Consulte a su proveedor de CPU. Los sistemas x86 solo son vulnerables si un compilador realiza un reordenamiento.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-09-16 CVE Reserved
  • 2020-09-23 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-670: Always-Incorrect Control Flow Implementation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Xen
Search vendor "Xen"
Xen
Search vendor "Xen" for product "Xen"
<= 4.14.0
Search vendor "Xen" for product "Xen" and version " <= 4.14.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
31
Search vendor "Fedoraproject" for product "Fedora" and version "31"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
32
Search vendor "Fedoraproject" for product "Fedora" and version "32"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
33
Search vendor "Fedoraproject" for product "Fedora" and version "33"
-
Affected
Opensuse
Search vendor "Opensuse"
Leap
Search vendor "Opensuse" for product "Leap"
15.2
Search vendor "Opensuse" for product "Leap" and version "15.2"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected