CVE & CISA-KEV Catalog

CVE-2020-15567

HIGH
7.8
CVSS v3
NVD

Description

An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE. When mapping guest EPT (nested paging) tables, Xen would in some circumstances use a series of non-atomic bitfield writes. Depending on the compiler version and optimisation flags, Xen might expose a dangerous partially written PTE to the hardware, which an attacker might be able to race to exploit. A guest administrator or perhaps even an unprivileged guest user might be able to cause denial of service, data corruption, or privilege escalation. Only systems using Intel CPUs are vulnerable. Systems using AMD CPUs, and Arm systems, are not vulnerable. Only systems using nested paging (hap, aka nested paging, aka in this case Intel EPT) are vulnerable. Only HVM and PVH guests can exploit the vulnerability. The presence and scope of the vulnerability depends on the precise optimisations performed by the compiler used to build Xen. If the compiler generates (a) a single 64-bit write, or (b) a series of read-modify-write operations in the same order as the source code, the hypervisor is not vulnerable. For example, in one test build using GCC 8.3 with normal settings, the compiler generated multiple (unlocked) read-modify-write operations in source-code order, which did not constitute a vulnerability. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code-generation options). The source code clearly violates the C rules, and thus should be considered vulnerable.

How to fix

Remediation Available
xenDebian
Fixed in:4.11.4+24-gddaaccbbab-1CVE-2020-15567
Fixed in:4.11.4+24-gddaaccbbab-1CVE-2020-15567
Fixed in:4.11.4+24-gddaaccbbab-1CVE-2020-15567
Fixed in:4.11.4+24-gddaaccbbab-1CVE-2020-15567
libxendevicemodel1Ubuntu
Fixed in:4.11.3+24-g14b62ab3e5-1ubuntu2.3USN-5617-1
libxenevtchn1Ubuntu
Fixed in:4.11.3+24-g14b62ab3e5-1ubuntu2.3USN-5617-1
libxengnttab1Ubuntu
Fixed in:4.11.3+24-g14b62ab3e5-1ubuntu2.3USN-5617-1
libxenmisc4.11Ubuntu
Fixed in:4.11.3+24-g14b62ab3e5-1ubuntu2.3USN-5617-1
xenUbuntu
Fixed in:4.11.3+24-g14b62ab3e5-1ubuntu2.3USN-5617-1
xen-hypervisor-4.11-amd64Ubuntu
Fixed in:4.11.3+24-g14b62ab3e5-1ubuntu2.3USN-5617-1
xen-hypervisor-4.11-arm64Ubuntu
Fixed in:4.11.3+24-g14b62ab3e5-1ubuntu2.3USN-5617-1
xen-hypervisor-4.11-armhfUbuntu
Fixed in:4.11.3+24-g14b62ab3e5-1ubuntu2.3USN-5617-1
xen-utils-4.11Ubuntu
Fixed in:4.11.3+24-g14b62ab3e5-1ubuntu2.3USN-5617-1
xen-utils-commonUbuntu
Fixed in:4.11.3+24-g14b62ab3e5-1ubuntu2.3USN-5617-1
xenstore-utilsUbuntu
Fixed in:4.11.3+24-g14b62ab3e5-1ubuntu2.3USN-5617-1

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorLocal
Attack ComplexityHigh
Privileges RequiredLow
User InteractionNone
ScopeChanged

Impact

ConfidentialityHigh
IntegrityHigh
AvailabilityHigh

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploit Intelligence

0.28%probability of exploitation in 30 days
19thpercentile

Low risk: more likely to be exploited than 19% of all known CVEs.

References

Related Vulnerabilities

Other CWE-362 (Race Condition) vulnerabilities, ordered by exploit likelihood. View all

CVESeverityCVSSEPSSExploitedFix
CVE-2024-6387High8.1100%-Fix
CVE-2023-36884High7.599%KEV + RansomFix
CVE-2018-15473Medium5.399%-Fix
CVE-2024-27983High8.287%-Fix
CVE-2014-0226Medium6.886%-Fix
CVE-2016-5195High7.084%KEVFix
Embed a live status badge for CVE-2020-15567
CVE-2020-15567 severity badge

Markdown

[![CVE-2020-15567](https://tridentstack.com/cve/badge/CVE-2020-15567.svg)](https://tridentstack.com/cve/CVE-2020-15567)

HTML

<a href="https://tridentstack.com/cve/CVE-2020-15567"><img src="https://tridentstack.com/cve/badge/CVE-2020-15567.svg" alt="CVE-2020-15567"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.