Resource exhaustion in Xen - CVE-2020-25601
Published: September 23, 2020
Vulnerability identifier: #VU46984
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Green
CVE-ID: CVE-2020-25601
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Xen Project
Affected software:
Xen
Xen
Detailed vulnerability description
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application, as the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these when resetting all event channels or when cleaning up after the guest may take extended periods of time. So far there was no arrangement for preemption at suitable intervals, allowing a CPU to spend an almost unbounded amount of time in the processing of these operations. A remote user can consume all available CPU resources and perform a denial of service (DoS) attack of the entire host system.How to mitigate CVE-2020-25601
Install updates from vendor's website.