7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.1 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:P/I:P/A:C
0.0004 Low
EPSS
Percentile
13.6%
Code paths in Xen’s MSI handling have been identified which act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn’t be able to affect these registers, experience shows that it’s very common for devices to have out-of-spec “backdoor” operations which can affect the result of these reads.
A not fully trusted guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. Privilege escalation and information leaks cannot be excluded.
All versions of Xen supporting PCI passthrough are affected.
Only x86 systems are vulnerable. Arm systems are not vulnerable.
Only guests with passed through PCI devices may be able to leverage the vulnerability.
Only systems passing through devices with out-of-spec (“backdoor”) functionality can cause issues. Experience shows that such out-of-spec functionality is common; unless you have reason to believe that your device does not have such functionality, it’s better to assume that it does.
REMINDER OF PCI PASSTHROUGH SUPPORT STATEMENT
The security team wishes to reiterate our support statement for PCI Device Passthrough (found in xen.git/SUPPORT.md):
“Because of hardware limitations (affecting any operating system or hypervisor), it is generally not safe to use this feature to expose a physical device to completely untrusted guests. However, this feature can still confer significant security benefit when used to remove drivers and backends from domain 0 (i.e., Driver Domains).”
The possibility of “backdoor” device functionality mentioned above is one of the major reasons for this stance. We issue this XSA to help maintain Driver Domains as a “defense-in-depth”, and also on behalf of those who may have done full security audits of their particular hardware platform. It does not change our stance that passing through PCI devices to untrusted guests is in general not safe.
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.1 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:P/I:P/A:C
0.0004 Low
EPSS
Percentile
13.6%