Vulnerability identifier: #VU29600

Vulnerability risk: Medium

CVSSv3.1: 7.2 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-15565

CWE-ID: CWE-264

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Xen
Server applications / Virtualization software

Vendor: Xen Project

Description

The vulnerability allows a remote attacker to escalate privileges on the system or perform a denial of service attack.

The vulnerability exists due to application does not properly impose security restrictions. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose.

Successful exploitation of the vulnerability may allows privileges escalation on the host operating system.

Note: the vulnerability affects Intel x86 systems only.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Xen: 3.2 - 4.13.1

---

External links
http://www.openwall.com/lists/oss-security/2020/07/07/4
http://xenbits.xen.org/xsa/advisory-321.html

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.