CVE-2020-15567

7.8 HIGH

📋 TL;DR

A race condition in the Xen hypervisor allows guest OS users on Intel hardware to gain privileges or cause a denial of service through non-atomic modification of live EPT page table entries. Only systems running HVM/PVH guests on Intel CPUs with nested paging (EPT) are affected. Whether the vulnerable code is actually present depends on compiler optimizations, so not every build is affected.

💻 Affected Systems

Products:
  • Xen Hypervisor
Versions: Through 4.13.x
Operating Systems: Any OS running Xen hypervisor
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects: 1) Intel CPUs with EPT (nested paging), 2) HVM or PVH guests, 3) Specific compiler optimizations that generate vulnerable code. AMD and Arm systems are NOT vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Guest-to-host privilege escalation allowing complete hypervisor compromise, data corruption, or persistent denial of service.

🟠 Likely Case: Denial of service through hypervisor crash or guest instability, potentially leading to data loss.

🟢 If Mitigated: No impact if using AMD CPUs, Arm systems, or a compiler build that generates safe code.

🌐 Internet-Facing: MEDIUM - Requires guest access which could be obtained through cloud instances, but exploitation requires specific conditions.
🏢 Internal Only: HIGH - Internal virtualization infrastructure with Intel CPUs and vulnerable compiler builds is at significant risk.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires race condition timing, specific compiler optimizations, and guest administrator access (or possibly unprivileged guest user). No public exploits known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Xen 4.14 and later, or security patches for earlier versions

Vendor Advisory: http://xenbits.xen.org/xsa/advisory-328.html

Restart Required: Yes

Instructions:

1. Apply the Xen security patch from the vendor advisory.
2. Rebuild Xen if using a custom compilation.
3. Reboot the hypervisor and affected guests.
4. Verify patch application with a version check.

🔧 Temporary Workarounds

Disable nested paging for Intel CPUs (platform: linux)

Disable EPT (Extended Page Tables) to remove the vulnerable component; this will impact performance. Set hap=0 in the xl configuration of each affected guest, which makes that guest use shadow paging instead of EPT.

Migrate to AMD or Arm hardware (platform: all)

Move virtualization infrastructure to non-Intel platforms.

🧯 If You Can't Patch

  • Isolate vulnerable Xen hosts from critical infrastructure
  • Implement strict access controls to prevent unauthorized guest creation

🔍 How to Verify

Check if Vulnerable:

Check Xen version and CPU type:
1. 'xl info' for the Xen version
2. 'cat /proc/cpuinfo | grep -i intel' for an Intel CPU
3. Check whether any HVM/PVH guests are in use

Check Version:

xl info | grep xen_version

Verify Fix Applied:

Verify the Xen version is patched: 'xl info | grep xen_version' should show 4.14 or later, or a vendor build that carries the security patch. Distribution packages often backport the fix without changing the upstream version number, so check the package changelog as well.
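A shell helper that combines the three checks above, added here as an example; it is not part of the advisory or of Xen's own tooling. It assumes `xl info` prints a `xen_version : X.Y.Z` line and that the JSON from `xl list -l` carries a `"type"` field per domain; the version test cannot recognise a distribution build that backported the fix into an older version string.

```shell
#!/bin/sh
# Triage helper for CVE-2020-15567 / XSA-328 (constructed example, not Xen code).
# Answers "could this host be affected?"; a backported fix is invisible to it.

# Returns 0 if a Xen version string such as "4.13.1" is 4.14 or newer.
xen_version_patched() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) minor=0 ;; esac
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 14 ]; }
}

# Returns 0 if the /proc/cpuinfo text on stdin reports an Intel CPU
# (AMD and Arm hosts are not affected by this issue).
cpu_is_intel() {
    grep -q '^vendor_id[[:space:]]*:[[:space:]]*GenuineIntel'
}

# Returns 0 if the `xl list -l` JSON on stdin lists an HVM or PVH domain,
# i.e. a guest that uses nested paging (EPT) on Intel hardware.
has_hap_guests() {
    grep -Eq '"type": *"(hvm|pvh)"'
}

# Live check, only when the xl toolstack is present (assumes /proc/cpuinfo).
if command -v xl >/dev/null 2>&1; then
    ver=$(xl info | sed -n 's/^xen_version *: *//p')
    if xen_version_patched "$ver"; then
        echo "Xen $ver: version is 4.14+ (not affected by version)"
    elif cpu_is_intel </proc/cpuinfo && xl list -l | has_hap_guests; then
        echo "Xen $ver on Intel with HVM/PVH guests: potentially affected"
    else
        echo "Xen $ver: no Intel EPT guests found, not affected"
    fi
fi
```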

📡 Detection & Monitoring

Log Indicators:

  • Hypervisor crashes or unexpected reboots
  • Guest instability or crashes
  • Xen error logs mentioning EPT or page table issues

Network Indicators:

  • Unusual guest-to-hypervisor communication patterns

SIEM Query:

source="xen.log" AND ("crash" OR "panic" OR "EPT" OR "page fault")
