CVE-2020-15565 in Xen
Summary
by MITRE
An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2 onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible.
Analysis
by VulDB Data Team • 07/08/2020
This vulnerability affects Xen hypervisors up to and including version 4.13.x, specifically x86 Intel systems running hardware-assisted paging with Intel VT-d. The flaw stems from insufficient cache management during page table operations, creating a critical security gap that can lead to both denial of service and privilege escalation. It manifests when page tables are shared between the IOMMU and CPU, which requires both Translation Lookaside Buffers to be flushed and the CPU cache to be kept in sync with memory. According to CWE-119, this is a memory access issue in which improper cache coherency handling allows unauthorized data access patterns. The root cause is the missing cache write-back when splitting large page mappings into smaller granularities, a step that should keep CPU caches and memory consistent.
The vulnerability arises from the non-coherent nature of IOMMUs: the hypervisor fails to write back CPU caches before invalidating IOMMU TLBs during page table modifications. When page tables that Intel VT-d also walks are modified, cached data should be written back to memory before the TLB invalidation occurs. The missing step creates a window in which a malicious guest can retain DMA access to memory frames that have been returned to the hypervisor's free pool and subsequently reallocated for other purposes. The flaw specifically affects x86 Intel HVM guests using hardware-assisted paging with passthrough PCI devices, and page table sharing must be enabled for exploitation. Sharing is enabled automatically when Xen detects that IOMMU and CPU large page size support are compatible, which makes the vulnerable configuration more likely on modern systems.
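The ordering problem described in the MITRE summary and in the paragraph above (CPU stores land in a write-back cache, the IOMMU walks memory directly, so an IOMMU TLB flush without a preceding cache write-back re-fills the TLB from stale memory) is easiest to see in a small model. The following C program is an added illustration, not Xen code: the page table, cache, IOMMU TLB, frame numbers (BASE_FRAME, NOT_PRESENT) and the split scenario are all constructed here. It splits a large mapping so that one small frame is unmapped and returned to the free pool, and reports which frame the device can still reach through that slot with and without the write-back.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model (not Xen code).  One "large page" covers NR_SMALL
 * small frames.  The shared page table lives in RAM behind a write-back CPU
 * cache; the IOMMU is non-coherent: it walks RAM directly and keeps its own
 * TLB.  Frame numbers and the NOT_PRESENT marker are made up. */
#define NR_SMALL     4
#define NOT_PRESENT  0u
#define BASE_FRAME   100u

static unsigned ram_pte[NR_SMALL];        /* page table as the IOMMU sees it */
static unsigned cache_pte[NR_SMALL];      /* CPU write-back cache lines       */
static bool     cache_dirty[NR_SMALL];
static unsigned iommu_tlb[NR_SMALL];      /* IOMMU's cached translations      */
static bool     iommu_tlb_valid[NR_SMALL];

/* CPU-side store: lands in the cache, invisible in RAM until written back. */
static void cpu_write_pte(unsigned idx, unsigned frame)
{
    cache_pte[idx] = frame;
    cache_dirty[idx] = true;
}

/* Cache write-back: push dirty lines to memory (the missing step). */
static void cpu_cache_writeback(void)
{
    for (unsigned i = 0; i < NR_SMALL; i++)
        if (cache_dirty[i]) {
            ram_pte[i] = cache_pte[i];
            cache_dirty[i] = false;
        }
}

/* IOMMU TLB invalidation: drop cached translations, forcing a re-walk. */
static void iommu_tlb_flush(void)
{
    memset(iommu_tlb_valid, 0, sizeof(iommu_tlb_valid));
}

/* Device DMA translation.  The IOMMU does not snoop the CPU cache, so a TLB
 * miss is served from RAM exactly as it stands at that moment. */
static unsigned iommu_translate(unsigned idx)
{
    if (!iommu_tlb_valid[idx]) {
        iommu_tlb[idx] = ram_pte[idx];
        iommu_tlb_valid[idx] = true;
    }
    return iommu_tlb[idx];
}

/* State before the split: one large mapping onto BASE_FRAME..BASE_FRAME+3,
 * cache and RAM coherent, IOMMU TLB warm because the device has used it. */
static void reset_model(void)
{
    for (unsigned i = 0; i < NR_SMALL; i++) {
        ram_pte[i] = cache_pte[i] = BASE_FRAME + i;
        cache_dirty[i] = false;
        iommu_tlb_valid[i] = false;
    }
    for (unsigned i = 0; i < NR_SMALL; i++)
        iommu_translate(i);
}

/* Split the large mapping so that small slot `freed` is unmapped and its
 * frame returned to the free pool; the other slots keep their frames.
 * Returns the frame the device can still reach through `freed` afterwards
 * (NOT_PRESENT means DMA to the freed frame is correctly cut off). */
static unsigned split_and_free(unsigned freed, bool writeback_before_flush)
{
    reset_model();
    for (unsigned i = 0; i < NR_SMALL; i++)
        cpu_write_pte(i, i == freed ? NOT_PRESENT : BASE_FRAME + i);

    if (writeback_before_flush)
        cpu_cache_writeback();   /* what the fixed code does before flushing */

    iommu_tlb_flush();           /* on its own this is not enough */
    return iommu_translate(freed);
}

/* With the vulnerable ordering the stale entry now sits in the IOMMU TLB, so
 * a later write-back (e.g. a cache line eviction) does not close the window
 * until the next IOMMU TLB flush. */
static unsigned stale_after_late_writeback(unsigned freed)
{
    (void)split_and_free(freed, false);
    cpu_cache_writeback();
    return iommu_translate(freed);
}

int main(void)
{
    printf("slot 2, flush only           : frame %u\n", split_and_free(2, false));
    printf("slot 2, write-back then flush: frame %u\n", split_and_free(2, true));
    printf("slot 2, late write-back      : frame %u\n", stale_after_late_writeback(2));
    return 0;
}
```

The first line prints the freed frame (102 in this model), i.e. the device keeps a translation to memory the hypervisor now considers free; the second prints 0 because the write-back made the IOMMU's re-walk see the split table; the third shows that once the stale entry has been re-cached, a later write-back alone does not revoke it. That is why both the cache write-back and the IOMMU TLB flush are needed, in that order, whenever shared page tables change.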
The operational impact of this vulnerability spans from system instability to potential privilege escalation, representing a serious threat to virtualized environments. Host crashes occur when the hypervisor encounters corrupted memory states due to the cache coherency violations, resulting in denial of service conditions that can affect all virtual machines running on the compromised host. More critically, the vulnerability allows for potential privilege escalation where a malicious guest can retain read/write DMA access to memory frames that should no longer be accessible to it. This behavior violates fundamental security principles of virtualization isolation, as defined by the ATT&CK framework under T1055 Privilege Escalation and T1499 Endpoint Denial of Service. The vulnerability affects all Xen versions from 3.2 onwards, making it a long-standing issue that has persisted across multiple generations of the hypervisor. The attack vector requires specific conditions including Intel x86 architecture, HVM guest configuration, hardware-assisted paging, and passthrough PCI device assignment, but these requirements are common in enterprise virtualization deployments.
Mitigation focuses on both immediate patches and architectural considerations. The primary remedy is applying the official Xen security patches, which add the cache write-back before IOMMU TLB invalidation during page table modifications. System administrators should also consider disabling page table sharing where it is not strictly required, since that removes the specific condition necessary for exploitation. The vulnerability highlights the importance of proper cache coherency management in virtualized environments, particularly with hardware-assisted virtualization features such as VT-d. Organizations should monitor for unusual memory access patterns and apply hypervisor updates promptly. Security teams should also review virtual machine configurations to minimize the use of passthrough PCI devices where possible, as these are the primary attack surface for this vulnerability. The fix underlines that maintaining cache coherency is essential in hypervisor implementations, as outlined in security best practices, and that comprehensive memory management protocols are needed in virtualization environments.