ID

VAR-202009-0841


CVE

CVE-2020-25599


TITLE

Race condition vulnerability in Xen

Trust: 0.8

sources: JVNDB: JVNDB-2020-011819

DESCRIPTION

An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory accesses or triggering of bug checks. In particular, x86 PV guests may be able to elevate their privilege to that of the host. Host and guest crashes are also possible, leading to a Denial of Service (DoS). Information leaks cannot be ruled out. All Xen versions from 4.5 onwards are vulnerable. Xen versions 4.4 and earlier are not vulnerable.

Xen is vulnerable to a race condition. Information may be obtained, information may be tampered with, and a denial-of-service (DoS) state may result.

Xen is an open source virtual machine monitor product from the University of Cambridge in the United Kingdom. The product can make different and incompatible operating systems run on the same computer, and supports migration during runtime, ensuring normal operation and avoiding downtime. The vulnerability stems from EVTCHNOP_reset or XEN_DOMCTL_soft_reset violating various internal assumptions, resulting in out-of-range memory access or triggering error checks.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4769-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 02, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2020-25595 CVE-2020-25596 CVE-2020-25597 CVE-2020-25599 CVE-2020-25600 CVE-2020-25601 CVE-2020-25602 CVE-2020-25603 CVE-2020-25604

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, guest-to-host privilege escalation or information leaks.

For the stable distribution (buster), these problems have been fixed in version 4.11.4+37-g3263f257ca-1.

We recommend that you upgrade your xen packages.

For the detailed security status of xen please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xen

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Software Description:
- xen: Public headers and libs for Xen

Details:

It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information. (CVE-2020-0543)

Julien Grall discovered that Xen incorrectly handled memory barriers on ARM-based systems. An attacker could possibly use this issue to cause a denial of service, obtain sensitive information or escalate privileges. (CVE-2020-11739)

Ilja Van Sprundel discovered that Xen incorrectly handled profiling of guests. An unprivileged attacker could use this issue to obtain sensitive information from other guests, cause a denial of service or possibly gain privileges. (CVE-2020-11742, CVE-2020-11743)

Jan Beulich discovered that Xen incorrectly handled certain code paths. (CVE-2020-15563)

Julien Grall discovered that Xen incorrectly verified memory addresses provided by the guest on ARM-based systems. (CVE-2020-15564)

Roger Pau Monné discovered that Xen incorrectly handled caching on x86 Intel systems. (CVE-2020-15565)

It was discovered that Xen incorrectly handled errors in event-channel port allocation. (CVE-2020-15566)

Jan Beulich discovered that Xen incorrectly handled certain EPT (Extended Page Tables). (CVE-2020-15567)

Andrew Cooper discovered that Xen incorrectly handled PCI passthrough. (CVE-2020-25595)

Andrew Cooper discovered that Xen incorrectly sanitized path injections. (CVE-2020-25596)

Jan Beulich discovered that Xen incorrectly handled validation of event channels. (CVE-2020-25597)

Julien Grall and Jan Beulich discovered that Xen incorrectly handled resetting event channels. (CVE-2020-25599)

Julien Grall discovered that Xen incorrectly handled event channel memory allocation on 32-bit domains. (CVE-2020-25600)

Jan Beulich discovered that Xen incorrectly handled resetting or cleaning up event channels. (CVE-2020-25601)

Andrew Cooper discovered that Xen incorrectly handled certain Intel specific MSRs (Model Specific Registers). (CVE-2020-25602)

Julien Grall discovered that Xen incorrectly handled accessing/allocating event channels. An attacker could possibly use this issue to cause a denial of service, obtain sensitive information or escalate privileges. (CVE-2020-25604)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS:
  libxendevicemodel1        4.11.3+24-g14b62ab3e5-1ubuntu2.3
  libxenevtchn1             4.11.3+24-g14b62ab3e5-1ubuntu2.3
  libxengnttab1             4.11.3+24-g14b62ab3e5-1ubuntu2.3
  libxenmisc4.11            4.11.3+24-g14b62ab3e5-1ubuntu2.3
  xen-hypervisor-4.11-amd64 4.11.3+24-g14b62ab3e5-1ubuntu2.3
  xen-hypervisor-4.11-arm64 4.11.3+24-g14b62ab3e5-1ubuntu2.3
  xen-hypervisor-4.11-armhf 4.11.3+24-g14b62ab3e5-1ubuntu2.3
  xen-utils-4.11            4.11.3+24-g14b62ab3e5-1ubuntu2.3
  xen-utils-common          4.11.3+24-g14b62ab3e5-1ubuntu2.3
  xenstore-utils            4.11.3+24-g14b62ab3e5-1ubuntu2.3

After a standard system update you need to reboot your computer to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5617-1
  CVE-2020-0543, CVE-2020-11739, CVE-2020-11740, CVE-2020-11741, CVE-2020-11742, CVE-2020-11743, CVE-2020-15563, CVE-2020-15564, CVE-2020-15565, CVE-2020-15566, CVE-2020-15567, CVE-2020-25595, CVE-2020-25596, CVE-2020-25597, CVE-2020-25599, CVE-2020-25600, CVE-2020-25601, CVE-2020-25602, CVE-2020-25603, CVE-2020-25604

Package Information:
  https://launchpad.net/ubuntu/+source/xen/4.11.3+24-g14b62ab3e5-1ubuntu2.3

Trust: 2.43

sources: NVD: CVE-2020-25599 // JVNDB: JVNDB-2020-011819 // CNVD: CNVD-2020-53815 // VULMON: CVE-2020-25599 // PACKETSTORM: 168922 // PACKETSTORM: 168421

IOT TAXONOMY

category: IoT, sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-53815

AFFECTED PRODUCTS

vendor: fedoraproject, model: fedora, scope: eq, version: 33

Trust: 1.0

vendor: fedoraproject, model: fedora, scope: eq, version: 32

Trust: 1.0

vendor: xen, model: xen, scope: gte, version: 4.5.0

Trust: 1.0

vendor: xen, model: xen, scope: lte, version: 4.14.0

Trust: 1.0

vendor: fedoraproject, model: fedora, scope: eq, version: 31

Trust: 1.0

vendor: debian, model: linux, scope: eq, version: 10.0

Trust: 1.0

vendor: opensuse, model: leap, scope: eq, version: 15.2

Trust: 1.0

vendor: Xen Project, model: xen, scope: eq, version: -

Trust: 0.8

vendor: Xen Project, model: xen, scope: eq, version: 4.5 to 4.14.x

Trust: 0.8

vendor: xen, model: xen, scope: lte, version: <=4.14

Trust: 0.6

sources: CNVD: CNVD-2020-53815 // JVNDB: JVNDB-2020-011819 // NVD: CVE-2020-25599

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-25599
value: HIGH

Trust: 1.0

NVD: CVE-2020-25599
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-53815
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202009-1326
value: HIGH

Trust: 0.6

VULMON: CVE-2020-25599
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-25599
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2020-53815
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-25599
baseSeverity: HIGH
baseScore: 7.0
vectorString: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-25599
baseSeverity: HIGH
baseScore: 7.0
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-53815 // VULMON: CVE-2020-25599 // JVNDB: JVNDB-2020-011819 // CNNVD: CNNVD-202009-1326 // NVD: CVE-2020-25599

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.0

problemtype:CWE-362

Trust: 1.0

problemtype: Race condition (CWE-362) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-011819 // NVD: CVE-2020-25599

THREAT TYPE

local

Trust: 0.7

sources: PACKETSTORM: 168421 // CNNVD: CNNVD-202009-1326

TYPE

race condition problem

Trust: 0.6

sources: CNNVD: CNNVD-202009-1326

PATCH

title: XSA-343 | url: https://xenbits.xen.org/xsa/advisory-343.html

Trust: 0.8

title: Patch for Xen Denial of Service Vulnerability (CNVD-2020-53815) | url: https://www.cnvd.org.cn/patchInfo/show/235537

Trust: 0.6

title: Xen Security vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=128971

Trust: 0.6

title: Debian Security Advisories: DSA-4769-1 xen -- security update | url: https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=6b9f33720d0595a3a6c8a5672919f349

Trust: 0.1

title: Ubuntu Security Notice: USN-5617-1: Xen vulnerabilities | url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-5617-1

Trust: 0.1

title: Citrix Security Bulletins: Citrix Hypervisor Security Update | url: https://vulmon.com/vendoradvisory?qidtp=citrix_security_bulletins&qid=26eccc1a2b36a29a010d10e613c3ec29

Trust: 0.1

sources: CNVD: CNVD-2020-53815 // VULMON: CVE-2020-25599 // JVNDB: JVNDB-2020-011819 // CNNVD: CNNVD-202009-1326

EXTERNAL IDS

db: NVD, id: CVE-2020-25599

Trust: 3.3

db: OPENWALL, id: OSS-SECURITY/2020/12/16/5

Trust: 1.7

db: JVNDB, id: JVNDB-2020-011819

Trust: 0.8

db: PACKETSTORM, id: 168421

Trust: 0.7

db: CNVD, id: CNVD-2020-53815

Trust: 0.6

db: AUSCERT, id: ESB-2020.3437

Trust: 0.6

db: AUSCERT, id: ESB-2022.4642

Trust: 0.6

db: AUSCERT, id: ESB-2020.3259

Trust: 0.6

db: CNNVD, id: CNNVD-202009-1326

Trust: 0.6

db: VULMON, id: CVE-2020-25599

Trust: 0.1

db: PACKETSTORM, id: 168922

Trust: 0.1

sources: CNVD: CNVD-2020-53815 // VULMON: CVE-2020-25599 // JVNDB: JVNDB-2020-011819 // PACKETSTORM: 168922 // PACKETSTORM: 168421 // CNNVD: CNNVD-202009-1326 // NVD: CVE-2020-25599

REFERENCES

url:https://www.debian.org/security/2020/dsa-4769

Trust: 1.8

url:https://xenbits.xen.org/xsa/advisory-343.html

Trust: 1.7

url:http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html

Trust: 1.7

url:https://security.gentoo.org/glsa/202011-06

Trust: 1.7

url:http://www.openwall.com/lists/oss-security/2020/12/16/5

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-25599

Trust: 1.6

url:https://access.redhat.com/security/cve/cve-2020-25599

Trust: 1.2

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/da633y3g5kx7mkrn4pfegm3ivtjmbeom/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4jrxmkemqrqywyephvbiwueavq3lu4fn/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/rjzerrbjn6e6stdcht4jhp4mi6tkbcje/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4jrxmkemqrqywyephvbiwueavq3lu4fn/

Trust: 0.7

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/da633y3g5kx7mkrn4pfegm3ivtjmbeom/

Trust: 0.7

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/rjzerrbjn6e6stdcht4jhp4mi6tkbcje/

Trust: 0.7

url:https://packetstormsecurity.com/files/168421/ubuntu-security-notice-usn-5617-1.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3259/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3437/

Trust: 0.6

url:https://vigilance.fr/vulnerability/xen-privilege-escalation-via-evtchn-reset-33393

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.4642

Trust: 0.6

url:https://ubuntu.com/security/notices/usn-5617-1

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-25596

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-25601

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-25600

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-25597

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-25595

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/362.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://seclists.org/oss-sec/2020/q4/228

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-25603

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-25602

Trust: 0.1

url:https://security-tracker.debian.org/tracker/xen

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-25604

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11742

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-15567

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-15566

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/xen/4.11.3+24-g14b62ab3e5-1ubuntu2.3

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-15563

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-15564

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-15565

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11739

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-0543

Trust: 0.1

sources: CNVD: CNVD-2020-53815 // VULMON: CVE-2020-25599 // JVNDB: JVNDB-2020-011819 // PACKETSTORM: 168922 // PACKETSTORM: 168421 // CNNVD: CNNVD-202009-1326 // NVD: CVE-2020-25599

CREDITS

Debian

Trust: 0.1

sources: PACKETSTORM: 168922

SOURCES

db: CNVD, id: CNVD-2020-53815
db: VULMON, id: CVE-2020-25599
db: JVNDB, id: JVNDB-2020-011819
db: PACKETSTORM, id: 168922
db: PACKETSTORM, id: 168421
db: CNNVD, id: CNNVD-202009-1326
db: NVD, id: CVE-2020-25599

LAST UPDATE DATE

2024-11-23T20:14:00.118000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-53815, date: 2020-09-25T00:00:00
db: VULMON, id: CVE-2020-25599, date: 2022-04-28T00:00:00
db: JVNDB, id: JVNDB-2020-011819, date: 2021-04-15T07:22:00
db: CNNVD, id: CNNVD-202009-1326, date: 2022-09-21T00:00:00
db: NVD, id: CVE-2020-25599, date: 2024-11-21T05:18:12.097

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-53815, date: 2020-09-25T00:00:00
db: VULMON, id: CVE-2020-25599, date: 2020-09-23T00:00:00
db: JVNDB, id: JVNDB-2020-011819, date: 2021-04-15T00:00:00
db: PACKETSTORM, id: 168922, date: 2020-10-28T19:12:00
db: PACKETSTORM, id: 168421, date: 2022-09-19T18:26:25
db: CNNVD, id: CNNVD-202009-1326, date: 2020-09-22T00:00:00
db: NVD, id: CVE-2020-25599, date: 2020-09-23T22:15:13.477