CVE-2020-15567

Summary

CVE	CVE-2020-15567
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-07-07 13:15:00 UTC
Updated	2023-11-07 03:17:00 UTC
Description	An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE. When mapping guest EPT (nested paging) tables, Xen would in some circumstances use a series of non-atomic bitfield writes. Depending on the compiler version and optimisation flags, Xen might expose a dangerous partially written PTE to the hardware, which an attacker might be able to race to exploit. A guest administrator or perhaps even an unprivileged guest user might be able to cause denial of service, data corruption, or privilege escalation. Only systems using Intel CPUs are vulnerable. Systems using AMD CPUs, and Arm systems, are not vulnerable. Only systems using nested paging (hap, aka nested paging, aka in this case Intel EPT) are vulnerable. Only HVM and PVH guests can exploit the vulnerability. The presence and scope of the vulnerability depends on the precise optimisations performed by the compiler used to build Xen. If the compiler generates (a) a single 64-bit write, or (b) a series of read-modify-write operations in the same order as the source code, the hypervisor is not vulnerable. For example, in one test build using GCC 8.3 with normal settings, the compiler generated multiple (unlocked) read-modify-write operations in source-code order, which did not constitute a vulnerability. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code-generation options). The source code clearly violates the C rules, and thus should be considered vulnerable.

Risk And Classification

Problem Types: CWE-362

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Fedoraproject	Fedora	31	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Operating System	Opensuse	Leap	15.2	All	All	All
Operating System	Xen	Xen	All	All	All	All

References

Reference	Source	Link	Tags
oss-security - Xen Security Advisory 328 v3 (CVE-2020-15567) - non-atomic modification of live EPT PTE	MLIST	www.openwall.com	Mailing List, Third Party Advisory
Xen: Multiple vulnerabilities (GLSA 202007-02) — Gentoo security	GENTOO	security.gentoo.org
[SECURITY] Fedora 31 Update: xen-4.12.3-3.fc31 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 32 Update: xen-4.13.1-4.fc32 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[security-announce] openSUSE-SU-2020:0985-1: important: Security update	SUSE	lists.opensuse.org
[SECURITY] Fedora 32 Update: xen-4.13.1-4.fc32 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 31 Update: xen-4.12.3-3.fc31 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[security-announce] openSUSE-SU-2020:0965-1: important: Security update	SUSE	lists.opensuse.org
Debian -- Security Information -- DSA-4723-1 xen	DEBIAN	www.debian.org	Third Party Advisory
XSA-328 - Xen Security Advisories	MISC	xenbits.xen.org	Mitigation, Patch, Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

198943 Ubuntu Security Notification for Xen Vulnerabilities (USN-5617-1)
500790 Alpine Linux Security Update for xen
501510 Alpine Linux Security Update for xen
504534 Alpine Linux Security Update for xen