Lucene search

K
xenXen ProjectXSA-286
HistoryOct 20, 2020 - 11:49 a.m.

x86 PV guest INVLPG-like flushes may leave stale TLB entries

2020-10-2011:49:00
Xen Project
xenbits.xen.org
21

4.6 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

5.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

0.0005 Low

EPSS

Percentile

17.7%

ISSUE DESCRIPTION

x86 PV guest kernels may use hypercalls with INVLPG-like behavior to invalidate TLB entries even after changes to non-leaf page tables. Such changes to non-leaf page tables will, however, also render stale possible TLB entries created by Xen’s internal use of linear page tables to process guest requests like update-va-mapping. Invalidation of these TLB entries has been missing, allowing subsequent guest requests to change address mappings for one process to potentially modify memory meanwhile in use elsewhere.

IMPACT

Malicious x86 PV guest user mode may be able to escalate their privilege to that of the guest kernel.

VULNERABLE SYSTEMS

All versions of Xen expose the vulnerability.
The vulnerability is exposed to x86 PV guests only. x86 HVM/PVH guests as well as ARM ones are not vulnerable.

4.6 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

5.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

0.0005 Low

EPSS

Percentile

17.7%