Xen PCI Passthrough Code Reading Back Hardware Registers DoS (XSA-337)

Severity: High | Nessus Plugin ID: 140794

Synopsis

The remote Xen hypervisor installation is missing a security update.

Description

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a denial of service (DoS) vulnerability. Code paths in Xen's MSI handling have been identified which act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect these registers, experience shows that it's very common for devices to have out-of-spec 'backdoor' operations which can affect the result of these reads. A not fully trusted guest may be able to crash Xen, leading to a Denial of Service for the entire system. Privilege escalation and information leaks cannot be excluded.

Only systems that pass through devices with out-of-spec ('backdoor') functionality are exposed to this issue. Experience shows that such out-of-spec functionality is common; unless you have reason to believe that your device does not have such functionality, it's better to assume that it does.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the vendor advisory.

See Also

https://xenbits.xen.org/xsa/advisory-337.html

Plugin Details

Severity: High

ID: 140794

File Name: xen_server_XSA-337.nasl

Version: 1.7

Type: local

Family: Misc.

Published: 9/25/2020

Updated: 11/13/2020

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 4.5

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:C

CVSS Score Source: CVE-2020-25595

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:xen:xen

Required KB Items: Settings/ParanoidReport, installed_sw/Xen Hypervisor

Exploit Ease: No known exploits are available

Patch Publication Date: 9/22/2020

Vulnerability Publication Date: 9/22/2020

Reference Information

CVE: CVE-2020-25595

IAVB: 2020-B-0056-S