Resource exhaustion in Xen - CVE-2020-25601

Vulnerability identifier: #VU46984

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Green

CVE-ID: CVE-2020-25601

CWE-ID: CWE-400

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Xen

Software vendor:
Xen Project

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application, as the FIFO event channel model allows guests to have a large number of event channels active at a time.  Closing all of these when resetting all event channels or when cleaning up after the guest may take extended periods of time.  So far there was no arrangement for preemption at suitable intervals, allowing a CPU to spend an almost unbounded amount of time in the processing of these operations. A remote user can consume all available CPU resources and perform a denial of service (DoS) attack of the entire host system.

Install updates from vendor's website.

• https://xenbits.xen.org/xsa/advisory-344.html