CVE-2020-11740: 
NixOS vulnerability analysis and mitigation

An issue was discovered in xenoprof in Xen through 4.13.x, identified as CVE-2020-11740, which was publicly disclosed on April 14, 2020. The vulnerability affects the Xen hypervisor's xenoprof functionality, allowing guest OS users without active profiling to obtain sensitive information about other guests. The issue specifically affects x86 PV guests, while Arm guests and x86 HVM and PVH guests are not vulnerable (Xen Advisory).

The vulnerability stems from unprivileged guests being able to request mapping of xenoprof buffers, even when profiling has not been enabled for those guests. The critical issue is that these buffers were not properly scrubbed before access was granted. The vulnerability has a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local access required with high confidentiality impact (NVD).

A malicious guest may be able to access sensitive information pertaining to other guests running on the same Xen hypervisor. The vulnerability affects all Xen versions back to at least 3.2, but only systems with Xenoprof functionality enabled at build time are vulnerable. The option to disable this functionality at build time was introduced in Xen 4.7 (Xen Advisory).

There is no known mitigation for the information leak aspect of the vulnerability due to the lack of buffer scrubbing. The issue was addressed through patches, with the first patch specifically fixing the information leak issue. This patch should be applied to all x86 systems running untrusted PV guests. Various distributions have released security updates to address this vulnerability, including Debian (4.11.4+24-gddaaccbbab-1~deb10u1), Fedora, and openSUSE (Debian Advisory, OpenSUSE Advisory).