Bug 1851475 (CVE-2020-15565) - CVE-2020-15565 xen: insufficient cache write-back under VT-d leads to DoS (XSA-321)
Summary: CVE-2020-15565 xen: insufficient cache write-back under VT-d leads to DoS (XS...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-15565
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1854467
Blocks: 1851487
TreeView+ depends on / blocked
 
Reported: 2020-06-26 16:40 UTC by Dhananjay Arunesh
Modified: 2021-02-16 19:45 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Xen, in the page table sharing between the IOMMU and CPU. This flaw allows a malicious guest user to access sensitive information pertaining to other guests to crash the host, resulting in a denial of service and privilege escalation. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-07-07 19:30:06 UTC
Embargoed:


Attachments (Terms of Use)

Description Dhananjay Arunesh 2020-06-26 16:40:47 UTC
A vulnerability was found in xe, where a malicious guest may be able to access sensitive information pertaining to other guests.  Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out.

Comment 1 Mauro Matteo Cascella 2020-07-01 15:49:19 UTC
Acknowledgments:

Name: the Xen project

Comment 2 Mauro Matteo Cascella 2020-07-06 14:58:00 UTC
Statement:

Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing is enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible. x86 AMD as well as ARM systems are not affected by this flaw.

Comment 3 Mauro Matteo Cascella 2020-07-06 14:58:03 UTC
Mitigation:

- Suppress the use of page table sharing (command line option `iommu=no-sharept`). Note however that as of Xen version 4.13 there is also a respective per-guest control (`passthrough=` libxl guest config file option). If any guests have been created with an explicit setting, this setting may conflict with the addition of the `iommu=no-sharept` Xen command line option.

- Suppress the use of large HAP pages (command line options `hap_2mb=no` and `hap_1gb=no`).

- Avoid pass-through of PCI devices to HVM guests.

Comment 4 Mauro Matteo Cascella 2020-07-07 14:03:55 UTC
External References:

https://xenbits.xen.org/xsa/advisory-321.html

Comment 5 Mauro Matteo Cascella 2020-07-07 14:05:10 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1854467]

Comment 6 Product Security DevOps Team 2020-07-07 19:30:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15565


Note You need to log in before you can comment on or make changes to this bug.