Race condition in Xen

#VU29598 Race condition in Xen

Cybersecurity Help s.r.o.

Published: 2020-07-09 | Updated: 2020-07-15

Vulnerability identifier: #VU29598

Vulnerability risk: Medium

CVSSv3.1: 7.2 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-15567

CWE-ID: CWE-362

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Xen
Server applications / Virtualization software

Vendor: Xen Project

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to improper management of internal resources in Xen. When mapping guest EPT (nested paging) tables, Xen would in some circumstances use a series of non-atomic bitfield writes. Depending on the compiler version and optimisation flags, Xen might expose a dangerous partially written PTE to the hardware, which an attacker might be able to race to exploit. An attacker with access to guest operating system can perform a denial of service (DoS) attack or escalate privileges on the host operating system.

Note: the vulnerability can be exploited only on systems with Intel processors.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Xen: 4.0.0 - 4.13.1

External links
http://www.openwall.com/lists/oss-security/2020/07/07/6
http://xenbits.xen.org/xsa/advisory-328.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Ubuntu update for xen

Gentoo update for Xen

OpenSUSE Linux update for xen

Debian update for xen

Race condition in xen (Alpine package)

Multiple vulnerabilities in Xen