===================================================================== CERT-Renater Note d'Information No. 2023/VULN291 _____________________________________________________________________ DATE : 05/09/2023 HARDWARE PLATFORM(S): Arm 32-bit. OPERATING SYSTEM(S): Systems running Xen. ===================================================================== https://xenbits.xen.org/xsa/advisory-437.html _____________________________________________________________________ Xen Security Advisory CVE-2023-34321 / XSA-437 version 2 arm32: The cache may not be properly cleaned/invalidated UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory. IMPACT ====== A malicious guest may be able to read sensitive data from memory that previously belonged to another guest. VULNERABLE SYSTEMS ================== Systems running all version of Xen are affected. Only systems running Xen on Arm 32-bit are vulnerable. Xen on Arm 64-bit is not affected. MITIGATION ========== There is no known mitigation. CREDITS ======= This issue was discovered by Julien Grall of Amazon. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa437/xsa437.patch xen-unstable - Xen 4.17.x xsa437/xsa437-4.16.patch Xen 4.16.x - Xen 4.15.x $ sha256sum xsa437* xsa437*/* 259b872275d9d77fc1744df886ffe611d933889bb5ea2833f3c7d8f554eff061 xsa437.meta 31b1a4050403fc83d4ea7619155105001cfd2f739ceb0b0cc7212ab7d0b9d559 xsa437/xsa437.patch ada8ba64e8562ff6016d456e08b7a171ef356cf476c643df9f66b8650009115c xsa437/xsa437-4.16.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.htmlml ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================