CVE-2020-11739

{"id": "CVE-2020-11739", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.1}]}, "published": "2020-04-14T13:15:12.703", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00006.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2020/04/14/2", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://xenbits.xen.org/xsa/advisory-314.html", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5M2XRNCHOGGTJQBZQJ7DCV6ZNAKN3LE2/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NVTP4OYHCTRU3ONFJOFJQVNDFB25KLLG/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YMAW7D2MP6RE4BFI5BZWOBBWGY3VSOFN/", "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/202005-08", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.debian.org/security/2020/dsa-4723", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://xenbits.xen.org/xsa/advisory-314.html", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the \"critical\" section. As a consequence, it may be possible to have a writer executing a critical section at the same time as readers or another writer. In other words, many of the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest could exploit the race. For instance, there is a small window where Xen can leak memory if XENMAPSPACE_grant_table is used concurrently. A malicious guest may be able to leak memory, or cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Xen versiones hasta 4.13.x, permitiendo a usuarios invitados del Sistema Operativo causar una denegaci\u00f3n de servicio o posiblemente alcanzar privilegios debido a la falta de barreras de memoria en las rutas de desbloqueo de lectura y escritura. Las rutas de desbloqueo de lectura y escritura no contienen una barrera de memoria. En Arm, esto significa que un procesador est\u00e1 habilitado para reordenar el acceso a la memoria con los precedentes. En otras palabras, el desbloqueo puede ser visto por otro procesador antes de que toda la memoria acceda dentro de la secci\u00f3n \"critical\". Como consecuencia, puede ser posible que un escritor ejecute una secci\u00f3n cr\u00edtica al mismo tiempo que los lectores u otro escritor. En otras palabras, muchos de los supuestos (por ejemplo, una variable no se puede modificar despu\u00e9s de una comprobaci\u00f3n) en las secciones cr\u00edticas ya no son seguros. Los bloqueos de lectura y escritura se usan en hipercalls (tales como los de la tabla de concesi\u00f3n), por lo que un invitado malicioso podr\u00eda explotar la carrera. Por ejemplo, existe una peque\u00f1a ventana donde Xen puede perder memoria si XENMAPSPACE_grant_table es usada simult\u00e1neamente. Un invitado malicioso puede perder memoria o causar un bloqueo del hipervisor resultando en una Denegaci\u00f3n de Servicio (DoS). Una fuga de informaci\u00f3n y una escalada de privilegios no pueden ser excluidas."}], "lastModified": "2023-11-07T03:15:04.020", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3BD625DD-3C5E-4849-88A6-464AA7AC6F88", "versionEndIncluding": "4.13.0"}, {"criteria": "cpe:2.3:o:xen:xen:4.13.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5BEB8A75-3CF5-4DA3-9159-16675A47D842"}, {"criteria": "cpe:2.3:o:xen:xen:4.13.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DAC2A87A-73F2-4D40-8EDB-8373B938FC11"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}