CVE-2020-25595
📋 TL;DR
This vulnerability in Xen's PCI passthrough code allows guests with passed-through PCI devices to crash the hypervisor, causing a system-wide denial of service. Attackers could potentially escalate privileges or leak information. Only x86 systems with PCI passthrough enabled and devices with out-of-spec functionality are affected.
💻 Affected Systems
- Xen Hypervisor
📦 What is this software?
Fedora by Fedoraproject
Leap by Opensuse
Xen by Xen
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash leading to denial of service for all VMs, potential privilege escalation to hypervisor level, and information leakage from other guests.
Likely Case
Denial of service through hypervisor crash, disrupting all virtual machines on the host.
If Mitigated
No impact if PCI passthrough is disabled or only compliant devices are used.
🎯 Exploit Status
Requires guest access with PCI passthrough device and device with out-of-spec functionality. No public exploit code identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Xen 4.14.1 and later
Vendor Advisory: https://xenproject.org/security-policy/
Restart Required: Yes
Instructions:
1. Update Xen to version 4.14.1 or later.
2. Apply distribution-specific patches if using packaged version.
3. Reboot the hypervisor host.
🔧 Temporary Workarounds
Disable PCI passthrough
[linux] Prevent guests from using PCI passthrough functionality
Edit Xen configuration to remove PCI device assignments
Remove 'pci=' options from guest configurations
Use only compliant PCI devices
[all] Only pass through PCI devices known to be fully compliant with specifications
🧯 If You Can't Patch
- Disable PCI passthrough for all guests
- Isolate affected systems from critical infrastructure
🔍 How to Verify
Check if Vulnerable:
Check if Xen version is 4.14.x or earlier and PCI passthrough is enabled: 'xl info | grep xen_version' and review guest configurations for PCI device assignments.
Check Version:
xl info | grep xen_version
Verify Fix Applied:
Verify Xen version is 4.14.1 or later: 'xl info | grep xen_version' and ensure no hypervisor crashes occur during PCI operations.
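Reviewing guest configurations for PCI device assignments can be scripted. The following is an added example, not part of the original advisory or the Xen project's tooling: it lists xl guest config files that contain a non-empty pci=[...] assignment. The function names and the config directory argument are assumptions; point it at wherever your guest configs are stored.

```sh
#!/bin/sh
# Added example: find xl guest configs that pass PCI devices through.

# has_pci_assignment FILE -> exit 0 if FILE has a non-empty pci = [ ... ] list.
has_pci_assignment() {
    awk '
        { sub(/#.*/, ""); buf = buf " " $0 }   # strip comments, join lines
        END {
            # Match the key "pci" itself, not pci_permissive or xen_platform_pci.
            if (match(buf, /(^|[ \t])pci[ \t]*=[ \t]*\[/)) {
                rest = substr(buf, RSTART + RLENGTH)
                end = index(rest, "]")
                body = (end ? substr(rest, 1, end - 1) : rest)
                gsub(/[ \t]/, "", body)
                exit (body == "" ? 1 : 0)      # "pci = []" assigns nothing
            }
            exit 1
        }' "$1"
}

# list_pci_guests DIR -> print every config file in DIR that assigns a device.
list_pci_guests() {
    for cfg in "$1"/*; do
        [ -f "$cfg" ] || continue
        if has_pci_assignment "$cfg"; then printf '%s\n' "$cfg"; fi
    done
}

if [ "$#" -gt 0 ]; then
    list_pci_guests "$1"
else
    # No directory given: run against constructed sample configs.
    demo=$(mktemp -d)
    printf 'pci = [ "01:00.0" ]\n' > "$demo/with-passthrough.cfg"
    printf '# pci = [ "01:00.0" ]\npci_permissive = 1\n' > "$demo/without.cfg"
    list_pci_guests "$demo"
    rm -rf "$demo"
fi
```

Config files only show boot-time assignments; devices attached to a running guest appear in the output of xl pci-list for that domain.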
📡 Detection & Monitoring
Log Indicators:
- Hypervisor crash logs
- Unexpected guest PCI access errors in Xen logs
- System reboots without clear cause
Network Indicators:
- Sudden loss of connectivity to all VMs on a host
SIEM Query:
source="xen.log" AND ("crash" OR "panic" OR "PCI passthrough error")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4JRXMKEMQRQYWYEPHVBIWUEAVQ3LU4FN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DA633Y3G5KX7MKRN4PFEGM3IVTJMBEOM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RJZERRBJN6E6STDCHT4JHP4MI6TKBCJE/
- https://security.gentoo.org/glsa/202011-06
- https://www.debian.org/security/2020/dsa-4769
- https://xenbits.xen.org/xsa/advisory-337.html