Use of uninitialized resource in xen (Alpine package)



Published: 2020-09-23
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-25595
CWE-ID CWE-908
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		xen (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Use of uninitialized resource

EUVDB-ID: #VU46972

Risk: Medium

CVSSv3.1: 7.4 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-25595

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges on the host operating system.

The vulnerability exists due to PCI passthrough code reading back untrusted values fromhardware registers in Xen. A remote user on a guest operating system can run a specially crafted program to obtain potentially sensitive information from memory and crash Xen or escalate privileges on the hypervisor.

The vulnerability affects x86 systems with PCI passthrough support.

Mitigation

Install update from vendor's website.

Vulnerable software versions

xen (Alpine package): 4.10.1-r0 - 4.14.0-r0

External links

http://git.alpinelinux.org/aports/commit/?id=f48590ae54ca9e0c3bf6b3fae3e6b065f14223e3


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###