Debian update for xen
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2020-11739 CVE-2020-11740 CVE-2020-11741 CVE-2020-11742 CVE-2020-11743 CVE-2020-15563 CVE-2020-15564 CVE-2020-15565 CVE-2020-15566 CVE-2020-15567 |
| CWE-ID | CWE-119 CWE-200 CWE-862 CWE-252 CWE-755 CWE-822 CWE-399 CWE-264 CWE-362 |
| Exploitation vector | Local network |
| Public exploit |
Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #7 is available. Public exploit code for vulnerability #8 is available. Public exploit code for vulnerability #9 is available. Public exploit code for vulnerability #10 is available. |
| Vulnerable software Subscribe |
Debian Linux Operating systems & Components / Operating system xen (Debian package) Operating systems & Components / Operating system package or component |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU31973
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11739
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. As a consequence, it may be possible to have a writer executing a critical section at the same time as readers or another writer. In other words, many of the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest could exploit the race. For instance, there is a small window where Xen can leak memory if XENMAPSPACE_grant_table is used concurrently. A malicious guest may be able to leak memory, or cause a hypervisor crash resulting in a Denial of Service (DoS). MitigationUpdate xen package to version 4.11.4+24-gddaaccbbab-1~deb10u1.
Vulnerable software versionsDebian Linux: All versions
xen (Debian package): before 4.11.4+24-gddaaccbbab-1~deb10u1
External linkshttp://www.debian.org/security/2020/dsa-4723
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU31974
Risk: Low
CVSSv3.1: 3.1 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11740
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests.
MitigationUpdate xen package to version 4.11.4+24-gddaaccbbab-1~deb10u1.
Vulnerable software versionsDebian Linux: All versions
xen (Debian package): before 4.11.4+24-gddaaccbbab-1~deb10u1
External linkshttp://www.debian.org/security/2020/dsa-4723
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Missing Authorization
EUVDB-ID: #VU31975
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11741
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
An issue was discovered in xenoprof in Xen through 4.13.x, allowing
guest OS users (with active profiling) to obtain sensitive information
about other guests, cause a denial of service, or possibly gain
privileges. For guests for which "active" profiling
was enabled by the administrator, the xenoprof code uses the standard
Xen shared ring structure. Unfortunately, this code did not treat the
guest as a potential adversary: it trusts the guest not to modify buffer
size information or modify head / tail pointers in unexpected ways. A remote user can perform a denial of service (DoS) attack.
Update xen package to version 4.11.4+24-gddaaccbbab-1~deb10u1.
Vulnerable software versionsDebian Linux: All versions
xen (Debian package): before 4.11.4+24-gddaaccbbab-1~deb10u1
External linkshttp://www.debian.org/security/2020/dsa-4723
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Unchecked Return Value
EUVDB-ID: #VU31971
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11742
CWE-ID:
CWE-252 - Unchecked Return Value
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to introduction of unexpected behavior in the fix for CVE-2017-1213 that caused bad continuation handling in GNTTABOP_copy. A remote user can crash the hypervisor.
Update xen package to version 4.11.4+24-gddaaccbbab-1~deb10u1.
Vulnerable software versionsDebian Linux: All versions
xen (Debian package): before 4.11.4+24-gddaaccbbab-1~deb10u1
External linkshttp://www.debian.org/security/2020/dsa-4723
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper Handling of Exceptional Conditions
EUVDB-ID: #VU31972
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11743
CWE-ID:
CWE-755 - Improper Handling of Exceptional Conditions
Exploit availability: No
Description
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of a bad error path in GNTTABOP_map_grant. Grant table operations are expected to return 0 for success, and a negative number for errors. Some misplaced brackets cause one error path to return 1 instead of a negative value. The grant table code in Linux treats this condition as success, and proceeds with incorrectly initialised state. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to map a grant, it hits the incorrect error path. This will crash a Linux based dom0 or backend domain.
MitigationUpdate xen package to version 4.11.4+24-gddaaccbbab-1~deb10u1.
Vulnerable software versionsDebian Linux: All versions
xen (Debian package): before 4.11.4+24-gddaaccbbab-1~deb10u1
External linkshttp://www.debian.org/security/2020/dsa-4723
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Untrusted Pointer Dereference
EUVDB-ID: #VU29601
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-15563
CWE-ID:
CWE-822 - Untrusted Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to inverted code paths in x86 dirty VRAM tracking in Xen. An attacker with access to HVM guest operating system can crash the hypervisor.
Note: the vulnerability affects x86 systems only.
Update xen package to version 4.11.4+24-gddaaccbbab-1~deb10u1.
Vulnerable software versionsDebian Linux: All versions
xen (Debian package): before 4.11.4+24-gddaaccbbab-1~deb10u1
External linkshttp://www.debian.org/security/2020/dsa-4723
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Resource management error
EUVDB-ID: #VU29599
Risk: Low
CVSSv3.1: 4.9 [CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-15564
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to missing alignment check in VCPUOP_register_vcpu_info hypercall in Xen. A attacker with privileged access to guest operating system can crash the hypervisor.
Note: the vulnerability affects Arm systems only.
Update xen package to version 4.11.4+24-gddaaccbbab-1~deb10u1.
Vulnerable software versionsDebian Linux: All versions
xen (Debian package): before 4.11.4+24-gddaaccbbab-1~deb10u1
External linkshttp://www.debian.org/security/2020/dsa-4723
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
8) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU29600
Risk: Medium
CVSSv3.1: 7.2 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-15565
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system or perform a denial of service attack.
The vulnerability exists due to application does not properly impose security restrictions. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose.
Successful exploitation of the vulnerability may allows privileges escalation on the host operating system.
Note: the vulnerability affects Intel x86 systems only.
Update xen package to version 4.11.4+24-gddaaccbbab-1~deb10u1.
Vulnerable software versionsDebian Linux: All versions
xen (Debian package): before 4.11.4+24-gddaaccbbab-1~deb10u1
External linkshttp://www.debian.org/security/2020/dsa-4723
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
9) Resource management error
EUVDB-ID: #VU29602
Risk: Low
CVSSv3.1: 6.1 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-15566
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling in event-channel port allocation in Xen. An attacker with access to guest operating system can consume more than 1023 event channels and crash the hypervisor.
Update xen package to version 4.11.4+24-gddaaccbbab-1~deb10u1.
Vulnerable software versionsDebian Linux: All versions
xen (Debian package): before 4.11.4+24-gddaaccbbab-1~deb10u1
External linkshttp://www.debian.org/security/2020/dsa-4723
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
10) Race condition
EUVDB-ID: #VU29598
Risk: Medium
CVSSv3.1: 7.2 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-15567
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
Note: the vulnerability can be exploited only on systems with Intel processors.
Update xen package to version 4.11.4+24-gddaaccbbab-1~deb10u1.
Vulnerable software versionsDebian Linux: All versions
xen (Debian package): before 4.11.4+24-gddaaccbbab-1~deb10u1
External linkshttp://www.debian.org/security/2020/dsa-4723
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
