Xen Project: XSA-304
Nov 12, 2019 - 5:53 p.m.

x86: Machine Check Error on Page Size Change DoS

xenbits.xen.org
Tags: x86, page size change, dos, machine check error, intel core, xen, tlb invalidation, guest kernels

CVSS2: 4.9
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C

CVSS3: 6.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

EPSS: 0.001
Percentile: 18.7%

ISSUE DESCRIPTION

An erratum exists across some CPUs whereby an instruction fetch may cause a machine check error if the pagetables have been updated in a specific manner without invalidating the TLB.
The x86 architecture explicitly permits modification of the pagetables without TLB invalidation, but in this corner case, the impacted core ceases operating and an unexpected machine check or system reset occurs.
This corner case can be triggered by guest kernels.
For more details, see: https://software.intel.com/security-software-guidance/insights/deep-dive-machine-check-error-avoidance-page-size-change

IMPACT

A malicious guest kernel can crash the host, resulting in a Denial of Service (DoS). (This CPU bug may also be triggered accidentally.)

VULNERABLE SYSTEMS

Systems running all versions of Xen are affected.
Only x86 processors are vulnerable. ARM processors are not believed to be vulnerable.
Only Intel Core based processors (from Nehalem onwards) are affected. Other processor designs (Intel Atom/Knights range), and other manufacturers (AMD) are not known to be affected.
Only x86 HVM/PVH guests can exploit the vulnerability. x86 PV guests cannot exploit the vulnerability.
Please consult the Intel Security Advisory for details on the affected processors.
