CVE-2020-11739

Description

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the critical section. As a consequence, it may be possible to have a writer executing a critical section at the same time as readers or another writer. In other words, many of the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest could exploit the race. For instance, there is a small window where Xen can leak memory if XENMAPSPACE_grant_table is used concurrently. A malicious guest may be able to leak memory, or cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded.
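The ordering problem described above, shown as an added example in C11: a constructed model of a read-write lock whose unlock is either relaxed (the vulnerable shape) or release (the hardened shape). It is not Xen's lock code or its patch; the names state, fixed, worker and run_check are hypothetical.

```c
#include <pthread.h>
#include <stdatomic.h>
enum { ITER = 50000 };
static atomic_int state;              /* model lock: 0 free, -1 writer, n > 0 readers */
static atomic_long a, b, violations;  /* invariant under the lock: a == b */
static int fixed;                     /* 0 = relaxed unlock, 1 = release unlock */
static void write_lock(void) {
    int s = 0;
    while (!atomic_compare_exchange_weak_explicit(&state, &s, -1,
               memory_order_acquire, memory_order_relaxed)) s = 0;
}
static void read_lock(void) {
    int s = 0;
    while (!atomic_compare_exchange_weak_explicit(&state, &s, s + 1,
               memory_order_acquire, memory_order_relaxed)) if (s < 0) s = 0;
}
/* +1 ends a write, -1 ends a read. A relaxed unlock may become visible before
   the critical section's own accesses; a release unlock cannot. */
static void unlock(int delta) {
    if (fixed) atomic_fetch_add_explicit(&state, delta, memory_order_release);
    else       atomic_fetch_add_explicit(&state, delta, memory_order_relaxed);
}
static void *worker(void *is_writer) {
    for (int i = 0; i < ITER; i++) {
        if (is_writer) {
            write_lock();
            long v = atomic_load_explicit(&a, memory_order_relaxed) + 1;
            atomic_store_explicit(&a, v, memory_order_relaxed);
            atomic_store_explicit(&b, v, memory_order_relaxed);
            unlock(+1);
        } else {
            read_lock();
            long x = atomic_load_explicit(&a, memory_order_relaxed);
            if (x != atomic_load_explicit(&b, memory_order_relaxed))
                atomic_fetch_add(&violations, 1);
            unlock(-1);
        }
    }
    return NULL;
}
/* 2 writers (non-NULL arg) and 2 readers; returns torn reads + lost updates. */
long run_check(int use_release) {
    pthread_t t[4];
    long start = atomic_load(&a);
    fixed = use_release; atomic_store(&violations, 0);
    for (int i = 0; i < 4; i++) pthread_create(&t[i], NULL, worker, i < 2 ? (void *)t : NULL);
    for (int i = 0; i < 4; i++) pthread_join(t[i], NULL);
    return atomic_load(&violations) + (start + 2L * ITER - atomic_load(&a));
}
int main(void) { return run_check(1) != 0; }
```

On x86 the hardware's stronger ordering usually hides the relaxed variant's problem, so run_check(0) returning zero there proves nothing; the description's point is that Arm permits the re-ordering.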

Risk Information

Base Score: 7.8 MODERATE
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score (Exploitation Probability): 0.087

Associated Vulnerability

Vulnerability | OS Platform
SUSE-SU-2020:1138-1 (SUSE Linux Enterprise Server 12-SP4) xen-4.11.3_04-2.23.1.x86_64.rpm | Linux
SUSE-SU-2020:1138-1 (SUSE Linux Enterprise Server 12-SP4) xen-debugsource-4.11.3_04-2.23.1.x86_64.rpm | Linux
SUSE-SU-2020:1138-1 (SUSE Linux Enterprise Server 12-SP4) xen-doc-html-4.11.3_04-2.23.1.x86_64.rpm | Linux
SUSE-SU-2020:1138-1 (SUSE Linux Enterprise Server 12-SP4) xen-libs-4.11.3_04-2.23.1.x86_64.rpm | Linux
SUSE-SU-2020:1138-1 (SUSE Linux Enterprise Server 12-SP4) xen-libs-32bit-4.11.3_04-2.23.1.x86_64.rpm | Linux
SUSE-SU-2020:1138-1 (SUSE Linux Enterprise Server 12-SP4) xen-libs-debuginfo-4.11.3_04-2.23.1.x86_64.rpm | Linux
SUSE-SU-2020:1138-1 (SUSE Linux Enterprise Server 12-SP4) xen-libs-debuginfo-32bit-4.11.3_04-2.23.1.x86_64.rpm | Linux
SUSE-SU-2020:1138-1 (SUSE Linux Enterprise Server 12-SP4) xen-tools-4.11.3_04-2.23.1.x86_64.rpm | Linux
SUSE-SU-2020:1138-1 (SUSE Linux Enterprise Server 12-SP4) xen-tools-debuginfo-4.11.3_04-2.23.1.x86_64.rpm | Linux
SUSE-SU-2020:1138-1 (SUSE Linux Enterprise Server 12-SP4) xen-tools-domU-4.11.3_04-2.23.1.x86_64.rpm | Linux
SUSE-SU-2020:1138-1 (SUSE Linux Enterprise Server 12-SP4) xen-tools-domU-debuginfo-4.11.3_04-2.23.1.x86_64.rpm | Linux
Public headers and libs for Xen (USN-5617-1) libxenevtchn1_4.11.3+24-g14b62ab3e5-1ubuntu2.3_amd64.deb | Linux
Public headers and libs for Xen (USN-5617-1) libxengnttab1_4.11.3+24-g14b62ab3e5-1ubuntu2.3_amd64.deb | Linux
Public headers and libs for Xen (USN-5617-1) libxenmisc4.11_4.11.3+24-g14b62ab3e5-1ubuntu2.3_amd64.deb | Linux
Public headers and libs for Xen (USN-5617-1) xen-utils-4.11_4.11.3+24-g14b62ab3e5-1ubuntu2.3_amd64.deb | Linux
Public headers and libs for Xen (USN-5617-1) xenstore-utils_4.11.3+24-g14b62ab3e5-1ubuntu2.3_amd64.deb | Linux
Public headers and libs for Xen (USN-5617-1) xen-utils-common_4.11.3+24-g14b62ab3e5-1ubuntu2.3_amd64.deb | Linux
Public headers and libs for Xen (USN-5617-1) libxendevicemodel1_4.11.3+24-g14b62ab3e5-1ubuntu2.3_amd64.deb | Linux
Public headers and libs for Xen (USN-5617-1) xen-hypervisor-4.11-amd64_4.11.3+24-g14b62ab3e5-1ubuntu2.3_amd64.deb | Linux

Patch Details

No records found
