ubuntucve, Ubuntu.com, UB:CVE-2020-11739
History: Apr 14, 2020 - 12:00 a.m.

CVE-2020-11739

2020-04-14 00:00:00

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS2: 6.9 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low
Percentile: 13.3%

An issue was discovered in Xen through 4.13.x, allowing guest OS users to
cause a denial of service or possibly gain privileges because of missing
memory barriers in read-write unlock paths. The read-write unlock paths
don’t contain a memory barrier. On Arm, this means a processor is allowed
to re-order the memory access with the preceding ones. In other words, the
unlock may be seen by another processor before all the memory accesses
within the “critical” section. As a consequence, it may be possible to have
a writer executing a critical section at the same time as readers or
another writer. In other words, many of the assumptions (e.g., a variable
cannot be modified after a check) in the critical sections are not safe
anymore. The read-write locks are used in hypercalls (such as grant-table
ones), so a malicious guest could exploit the race. For instance, there is
a small window where Xen can leak memory if XENMAPSPACE_grant_table is used
concurrently. A malicious guest may be able to leak memory, or cause a
hypervisor crash resulting in a Denial of Service (DoS). Information leak
and privilege escalation cannot be excluded.
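
The unlock-ordering flaw described above, sketched as an added example in C11 atomics (not Xen's code and not taken from the advisory; the `demo_*` names and the lock layout are assumptions). It puts an unlock with no ordering next to the release-ordered form that keeps critical-section accesses ahead of the unlock.

```c
/* Added illustration in C11 atomics; not Xen's code. All demo_* names are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>

#define WRITER_BIT 0x80000000u  /* top bit: writer holds lock; low bits: reader count */

typedef struct { atomic_uint state; } demo_rwlock_t;

static bool demo_read_trylock(demo_rwlock_t *l) {
    unsigned s = atomic_load_explicit(&l->state, memory_order_relaxed);
    while (!(s & WRITER_BIT)) {
        /* acquire: critical-section accesses cannot move above the lock */
        if (atomic_compare_exchange_weak_explicit(&l->state, &s, s + 1,
                memory_order_acquire, memory_order_relaxed))
            return true;
    }
    return false;  /* a writer is inside */
}

static bool demo_write_trylock(demo_rwlock_t *l) {
    unsigned expected = 0;  /* succeeds only with no readers and no writer */
    return atomic_compare_exchange_strong_explicit(&l->state, &expected, WRITER_BIT,
            memory_order_acquire, memory_order_relaxed);
}

/* Flawed pattern: unlock with no ordering. On a weakly ordered CPU (e.g. Arm) the
 * cleared bit may become visible before earlier stores from the critical section. */
static void demo_write_unlock_unordered(demo_rwlock_t *l) {
    atomic_fetch_and_explicit(&l->state, ~WRITER_BIT, memory_order_relaxed);
}

/* Corrected: release ordering makes every access before the unlock visible first. */
static void demo_write_unlock(demo_rwlock_t *l) {
    atomic_fetch_and_explicit(&l->state, ~WRITER_BIT, memory_order_release);
}
static void demo_read_unlock(demo_rwlock_t *l) {
    atomic_fetch_sub_explicit(&l->state, 1, memory_order_release);
}

/* Single-threaded state check; the ordering difference only shows under concurrency. */
int main(void) {
    demo_rwlock_t l;
    atomic_init(&l.state, 0u);
    bool ok = demo_read_trylock(&l) && !demo_write_trylock(&l);
    demo_read_unlock(&l);
    ok = ok && demo_write_trylock(&l) && !demo_read_trylock(&l);
    demo_write_unlock_unordered(&l);  /* same lock state, but unsafe ordering */
    ok = ok && demo_write_trylock(&l);
    demo_write_unlock(&l);
    return ok ? 0 : 1;
}
```

Both unlock variants leave the same lock state, so a functional test on one core cannot tell them apart; the defect is only the ordering guarantee, which is why such bugs are found by review of the barrier placement rather than by ordinary testing.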

Notes

Author Note
mdeslaur: hypervisor packages are in universe. For issues in the hypervisor, add appropriate tags to each section, ex: Tags_xen: universe-binary

OS | Version | Architecture | Package | Version | Filename
ubuntu | 18.04 | noarch | xen | < any | UNKNOWN
ubuntu | 20.04 | noarch | xen | < 4.11.3+24-g14b62ab3e5-1ubuntu2.3 | UNKNOWN
ubuntu | 16.04 | noarch | xen | < any | UNKNOWN
