multiple xenoprof issues

2020-04-1412:00:00

Xen Project

xenbits.xen.org

8.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

0.0005 Low

EPSS

Percentile

16.7%

JSON

ISSUE DESCRIPTION

Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed. This is CVE-2020-11740.
Furthermore, for guests for which “active” profiling was enabled by the administrator, the xenoprof code uses the standard Xen shared ring structure. Unfortunately, this code did not treat the guest as a potential adversary: it trusts the guest not to modify buffer size information or modify head / tail pointers in unexpected ways. This is CVE-2020-11741.

IMPACT

A malicious guest may be able to access sensitive information pertaining to other guests. Guests with “active profiling” enabled can crash the host (DoS). Privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS

Only x86 PV guests can leverage the vulnerabilities. Arm guests and x86 HVM and PVH guests cannot leverage the vulnerabilities.
All Xen versions back to at least 3.2 are vulnerable.
Any x86 PV guest can leverage the information leak. Only x86 PV guests whose host administrator has explicitly enabled “active profiling” for an untrusted guest can exploit the DoS / potential privilege escalation.
Only builds of Xen with the Xenoprof functionality enabled at build time are vulnerable. The option to disable the functionality at build time was been introduced in Xen 4.7.