Veracode Vulnerability Database, VERACODE:44501
Nov 30, 2023 - 5:17 p.m.

Race Condition

2023-11-30 17:17:21
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
7
xen
race condition
vulnerability
mitigations
xsa-422
xsa-434
speculative return stack overflow
meltdown
xpti
interrupts
pv guest
attack

CVSS3: 4.7 Medium

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.6 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 8.9%)

Xen is vulnerable to a race condition. The vulnerability arises because the two mitigations, XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow), are not active: it was believed that the mitigations always operated in contexts with IRQs disabled, but the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths, one unconditionally and one conditionally on whether XPTI was active. This can allow a malicious PV guest to bypass the BTC/SRSO protections and launch a BTC/SRSO attack.
