6.8 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.003 Low
EPSS
Percentile
70.1%
XSA-302 relies on the use of libxl’s “assignable-add” feature to prepare devices to be assigned to untrusted guests.
Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of preparing devices for assignment, and libvirt uses its own ways as well. Hosts where these “alternate” methods are used will still leave the system in a vulnerable state after the device comes back from a guest.
An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation.
Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable.
Only systems which use “alternate” methods to assign devices to pciback before assignment are vulnerable. These methods include: - Assigning devices on the Linux command-line using xen-pciback.hide
- Assigning devices via xen-pciback module parameters - Assigning devices manually via sysfs - Assigning devices using libvirt
Systems which use xl pci-assignable-add
or libxl_device_pci_assignable_add, or have the assignable state handled automatically via setting the seize
parameter, are not affected.
6.8 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.003 Low
EPSS
Percentile
70.1%