Versio.io

CVE-2020-11739

Common vulnerabilities & exposures (CVE)

Published at: 14-04-2020 03:15
Last modified: 03-05-2022 04:05
Total changes: 5

Description

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. As a consequence, it may be possible to have a writer executing a critical section at the same time as readers or another writer. In other words, many of the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest could exploit the race. For instance, there is a small window where Xen can leak memory if XENMAPSPACE_grant_table is used concurrently. A malicious guest may be able to leak memory, or cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded.
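
The ordering problem described above, as an added C11 sketch that is not Xen's code: a minimal read-write lock whose unlock is shown once with no ordering (the flawed pattern) and once with release ordering (the corrected pattern). All identifiers (demo_rwlock, WRITER_BIT, READER_INC and the demo_* functions) are hypothetical.

```c
/* Added illustration, not Xen source. All names here are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>

#define WRITER_BIT 0x1u /* bit 0: a writer holds the lock */
#define READER_INC 0x2u /* each reader adds 2 to the counter */

typedef struct { atomic_uint cnts; } demo_rwlock;

/* Acquire on lock: critical-section accesses cannot move above it. */
static bool demo_read_trylock(demo_rwlock *l)
{
    unsigned c = atomic_fetch_add_explicit(&l->cnts, READER_INC,
                                           memory_order_acquire);
    if (!(c & WRITER_BIT))
        return true;
    /* A writer is inside: back out the reader count. */
    atomic_fetch_sub_explicit(&l->cnts, READER_INC, memory_order_relaxed);
    return false;
}

static bool demo_write_trylock(demo_rwlock *l)
{
    unsigned expected = 0; /* succeeds only with no readers and no writer */
    return atomic_compare_exchange_strong_explicit(
        &l->cnts, &expected, WRITER_BIT,
        memory_order_acquire, memory_order_relaxed);
}

/* Flawed pattern: a relaxed unlock lets a weakly ordered CPU (e.g. Arm)
 * publish the unlock before earlier critical-section accesses complete. */
static void demo_write_unlock_unordered(demo_rwlock *l)
{
    atomic_fetch_sub_explicit(&l->cnts, WRITER_BIT, memory_order_relaxed);
}

/* Corrected pattern: release ordering makes every critical-section access
 * visible to any CPU that subsequently acquires the lock. */
static void demo_write_unlock(demo_rwlock *l)
{
    atomic_fetch_sub_explicit(&l->cnts, WRITER_BIT, memory_order_release);
}

static void demo_read_unlock(demo_rwlock *l)
{
    atomic_fetch_sub_explicit(&l->cnts, READER_INC, memory_order_release);
}

int main(void) { demo_rwlock l = { 0 }; return demo_write_trylock(&l) ? 0 : 1; }
```

Both unlock variants behave identically in a single-threaded run; the difference only appears under concurrency on weakly ordered hardware, which is why this class of bug survives functional testing.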

Common Vulnerability Scoring System (CVSS)

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Base score: 7.8
Exploitability score: 1.1
Impact score: 6.0
Attack vector: Local
Attack complexity: High
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Verification logic

OR
  OR
    vendor=xen AND product=xen AND versionEndIncluding=4.13.0
    vendor=xen AND product=xen AND version=4.13.0 AND update=rc1
    vendor=xen AND product=xen AND version=4.13.0 AND update=rc2
  OR
    vendor=fedoraproject AND product=fedora AND version=30
    vendor=fedoraproject AND product=fedora AND version=31
    vendor=fedoraproject AND product=fedora AND version=32
  OR
    vendor=Debian AND product=debian_linux AND version=10.0
  OR
    vendor=opensuse AND product=leap AND version=15.1
