CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 4.6 Medium
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector string: AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.0004 Low (percentile 13.4%)
On hardware supporting the fsgsbase feature, 64bit PV guests can set and clear the applicable control bit in their virtualised %cr4, but the feature remains fully active in hardware. The associated instructions (rdfsbase, rdgsbase, wrfsbase and wrgsbase) are therefore usable from guest userspace even when the guest kernel believes it has disabled them.
Linux, which did not support this feature at the time of this advisory, has various optimisations in its context switch path which justifiably assume that userspace cannot change the fs or gs base without a system call.
Xen's behaviour of having this feature active behind the guest kernel's back undermines the correctness of any context switch logic which depends on the feature being disabled.
Userspace can therefore corrupt the fsbase or gsbase (commonly used for Thread Local Storage) of the next thread to be scheduled on the current vcpu.
A malicious unprivileged guest userspace process can escalate its privilege to that of other userspace processes in the same guest, and potentially thereby to that of the guest operating system.
Additionally, guest software which attempts to use this CPU feature in good faith may trigger the bug accidentally, leading to crashes or corruption of other processes in the same guest.
Xen versions 4.4 and later are vulnerable. Xen 4.3 and earlier are not vulnerable.
Only x86 hardware with the fsgsbase feature is vulnerable. This is believed to be Intel IvyBridge and later hardware, and AMD Steamroller and later hardware.
ARM hardware is not affected.
Only 64bit PV guests can exploit the vulnerability. 32bit PV guests and HVM/PVH guests cannot exploit the vulnerability.
Whether the bug is exploitable, and whether it will be triggered by accident, depend in a complicated way on the guest operating system and its configuration. Most guests are vulnerable to malicious userspace processes.
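The condition described above (the instruction works in ring 3 although the guest kernel believes the feature is off) can be checked from inside a guest without writing to any base register. The following probe is an added example, not code from the Xen advisory or the Xen project: it executes rdfsbase under a SIGILL trap, asks the kernel what it advertises through AT_HWCAP2, and reports a mismatch when the hardware accepts the instruction but the kernel claims no support. Assumptions: the raw byte sequence is the encoding of rdfsbase %rax, HWCAP2_FSGSBASE is Linux's bit 1 of AT_HWCAP2, and arch_prctl(ARCH_GET_FS) gives the kernel's view of the thread's fs base; on other operating systems only the hardware half of the check is meaningful.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__linux__)
#include <sys/auxv.h>
#endif
#if defined(__linux__) && defined(__x86_64__)
#include <asm/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#endif

#ifndef AT_HWCAP2
#define AT_HWCAP2 26                  /* glibc/elf.h value, for older headers */
#endif
/* Linux's user-visible FSGSBASE support bit (arch/x86/include/uapi/asm/hwcap2.h). */
#define HWCAP2_FSGSBASE_BIT (1UL << 1)

enum fsgsbase_state {
    FSGSBASE_NOT_X86_64 = 0,  /* probe not applicable on this architecture */
    FSGSBASE_TRAPS      = 1,  /* rdfsbase raised #UD: CR4.FSGSBASE really is clear */
    FSGSBASE_USABLE     = 2,  /* rdfsbase executed: the feature is live in hardware */
};

static sigjmp_buf probe_env;

static void on_sigill(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);         /* back into probe_fsgsbase(), mask restored */
}

/* Execute rdfsbase from user mode under a SIGILL trap. If it completes, the
 * hardware has CR4.FSGSBASE set whatever the guest kernel's %cr4 says; the
 * value read is stored in *fsbase_out. A #UD (delivered as SIGILL) means the
 * instruction is genuinely fenced off. */
enum fsgsbase_state probe_fsgsbase(uint64_t *fsbase_out)
{
#if defined(__x86_64__)
    struct sigaction sa, old;
    volatile enum fsgsbase_state st;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigill;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGILL, &sa, &old);
    if (sigsetjmp(probe_env, 1) == 0) {
        uint64_t v;
        /* rdfsbase %rax as raw bytes (F3 REX.W 0F AE /0), so no -mfsgsbase is needed */
        __asm__ volatile(".byte 0xf3, 0x48, 0x0f, 0xae, 0xc0" : "=a"(v));
        if (fsbase_out)
            *fsbase_out = v;
        st = FSGSBASE_USABLE;
    } else {
        st = FSGSBASE_TRAPS;
    }
    sigaction(SIGILL, &old, NULL);
    return st;
#else
    (void)fsbase_out;
    return FSGSBASE_NOT_X86_64;
#endif
}

/* What the running kernel tells userspace. Linux sets HWCAP2_FSGSBASE only when
 * it supports the feature itself; a kernel without support reports 0 here
 * regardless of what the hardware does. Non-Linux: treated as "not advertised". */
int kernel_advertises_fsgsbase(void)
{
#if defined(__linux__) && defined(__x86_64__)
    return (getauxval(AT_HWCAP2) & HWCAP2_FSGSBASE_BIT) != 0;
#else
    return 0;
#endif
}

/* The kernel's own record of this thread's fs base (Linux arch_prctl). 0 on success. */
int kernel_fsbase(uint64_t *out)
{
#if defined(__linux__) && defined(__x86_64__)
    unsigned long v = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &v) != 0)
        return -1;
    *out = v;
    return 0;
#else
    (void)out;
    return -1;
#endif
}

/* The advisory's signature: the instruction works in user mode while the kernel
 * does not claim to support it. Returns 1 for that mismatch, 0 otherwise. */
int fsgsbase_mismatch(enum fsgsbase_state hw, int kernel_advertises)
{
    return hw == FSGSBASE_USABLE && !kernel_advertises;
}

int main(void)
{
    uint64_t hw_fs = 0, k_fs = 0;
    enum fsgsbase_state st = probe_fsgsbase(&hw_fs);
    int adv = kernel_advertises_fsgsbase();
    static const char *names[] = { "not x86-64", "traps (#UD)", "usable" };
    printf("rdfsbase in user mode: %s\n", names[st]);
    if (st == FSGSBASE_USABLE && kernel_fsbase(&k_fs) == 0)
        printf("fs base: hardware %#llx, kernel %#llx\n",
               (unsigned long long)hw_fs, (unsigned long long)k_fs);
    printf("kernel advertises FSGSBASE: %s\n", adv ? "yes" : "no");
    printf("mismatch (feature live behind the kernel's back): %s\n",
           fsgsbase_mismatch(st, adv) ? "YES" : "no");
    return 0;
}
```

Three outcomes are worth recognising: "traps" means the bit is really clear (fixed Xen, or any host where neither kernel nor hypervisor enabled it); "usable" with the kernel advertising support is the normal state on a kernel that handles fs/gs base switching itself; "usable" with no advertisement is the state the advisory describes, where the context switch path still assumes userspace cannot touch the bases. The probe only reads the base, so it is safe to run on production guests.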