Xen ProjectXSA-308VMX: VMentry failure with debug exceptions and blocked states
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.004 Low
EPSS
Percentile
72.1%
ISSUE DESCRIPTION
Please see XSA-260 for background on the MovSS shadow: <a href=“http://xenbits.xen.org/xsa/advisory-260.html”>http://xenbits.xen.org/xsa/advisory-260.html</a>
Please see XSA-156 for background on the need for #DB interception: <a href=“http://xenbits.xen.org/xsa/advisory-156.html”>http://xenbits.xen.org/xsa/advisory-156.html</a>
The VMX VMEntry checks does not like the exact combination of state which occurs when #DB in intercepted, Single Stepping is active, and blocked by STI/MovSS is active, despite this being a legitimate state to be in. The resulting VMEntry failure is fatal to the guest.
IMPACT
HVM/PVH guest userspace code may be able to crash the guest, resulting in a guest Denial of Service.
VULNERABLE SYSTEMS
All versions of Xen are affected.
Only systems supporting VMX hardware virtual extensions (Intel, Cyrix or Zhaoxin CPUs) are affected. Arm and AMD systems are unaffected.
Only HVM/PVH guests are affected. PV guests cannot leverage the vulnerability.
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.004 Low
EPSS
Percentile
72.1%