6.8 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
49.6%
Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices.
On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694).
On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695).
Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn’t have access to anymore (CVE-2021-28696).
The precise impact is system specific, but can - on affected systems - be any or all of privilege escalation, denial of service, or information leaks.
The vulnerability is only exploitable by guests granted access to physical devices (ie, via PCI passthrough).
All versions of Xen are affected.
Only x86 systems with IOMMUs and with firmware specifying memory regions to be identity mapped are affected. Other x86 systems are not affected.
Whether a particular system whose ACPI tables declare such memory region(s) is actually affected cannot be known without knowing when and/or how these regions are used. For example, if these regions were used only during system boot, there would not be any vulnerability. The necessary knowledge can only be obtained from, collectively, the hardware and firmware manufacturers.
On Arm hardware IOMMU use is not security supported. Accordingly, we have not undertaken an analysis of these issues for Arm systems.
6.8 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
49.6%