===================================================================== CERT-Renater Note d'Information No. 2023/VULN384 _____________________________________________________________________ DATE : 10/10/2023 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Xen. ===================================================================== http://xenbits.xen.org/xsa/advisory-440.html http://xenbits.xen.org/xsa/advisory-441.html http://xenbits.xen.org/xsa/advisory-442.html http://xenbits.xen.org/xsa/advisory-443.html http://xenbits.xen.org/xsa/advisory-444.html _____________________________________________________________________ Xen Security Advisory CVE-2023-34323 / XSA-440 version 3 xenstored: A transaction conflict can crash C Xenstored UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that the quota cannot be negative and are using assert() to confirm it. This will lead to C Xenstored crash when tools are built without -DNDEBUG (this is the default). IMPACT ====== A malicious guest could craft a transaction that will hit the C Xenstored bug and crash it. This will result to the inability to perform any further domain administration like starting new guests, or adding/removing resources to or from any existing guest. VULNERABLE SYSTEMS ================== All versions of Xen up to and including 4.17 are vulnerable if XSA-326 was ingested. All Xen systems using C Xenstored are vulnerable. C Xenstored built using -DNDEBUG (can be specified via EXTRA_CFLAGS_XEN_TOOLS=-DNDEBUG) are not vulnerable. Systems using the OCaml variant of Xenstored are not vulnerable. MITIGATION ========== The problem can be avoided by using OCaml Xenstored variant. CREDITS ======= This issue was discovered by Stanislav Uschakow and Julien Grall, all from Amazon. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa440-4.17.patch Xen 4.17.x - Xen 4.15.x. $ sha256sum xsa440* 187b7edef4f509f3d7ec1662901fa638a900ab4213447438171fb2935f387014 xsa440.meta 431dab53baf2b57a299d1a151b330b62d9a007715d700e8515db71ff813d0037 xsa440-4.17.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html _____________________________________________________________________ Xen Security Advisory CVE-2023-34324 / XSA-441 version 4 Possible deadlock in Linux kernel event handling UPDATES IN VERSION 4 ==================== Public release. Modified advisory again to state that Arm32 guests are NOT affected. ISSUE DESCRIPTION ================= Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not neglectable. Note that 32-bit Arm-guests are not affected, as the 32-bit Linux kernel on Arm doesn't use queued-RW-locks, which are required to trigger the issue (on Arm32 a waiting writer doesn't block further readers to get the lock). IMPACT ====== A (malicious) guest administrator could cause a denial of service (DoS) in a backend domain (other than dom0) by disabling a paravirtualized device. A malicious backend could cause DoS in a guest running a Linux kernel by disabling a paravirtualized device. VULNERABLE SYSTEMS ================== All unprivileged guests running a Linux kernel of version 5.10 and later, or with the fixes for XSA-332, are vulnerable. All guest types are vulnerable. Only x86- and 64-bit Arm-guests are vulnerable. Arm-guests running in 32-bit mode are not vulnerable. Guests not using paravirtualized drivers are not vulnerable. MITIGATION ========== There is no known mitigation. CREDITS ======= This issue was discovered as a bug by Marek Marczykowski-Górecki of Invisible Things Lab; the security impact was recognised by Jürgen Groß of SUSE. RESOLUTION ========== Applying the attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa441-linux.patch Linux $ sha256sum xsa441* 937406d86dd6dd3e389fdae726a25e5f0e960f7004c314e370cb2369d6715c24 xsa441-linux.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) on the host and on VMs being administered and used only by organisations which are members of the Xen Project Security Issue Predisclosure List is permitted during the embargo, even on public-facing systems with other untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. Deployment of patches or mitigations is NOT permitted on VMs being administered or used by organisations which are not members of the Xen Project Security Issue Predisclosure List. On those VMs deployment is permitted only AFTER the embargo ends. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html _____________________________________________________________________ Xen Security Advisory CVE-2023-34326 / XSA-442 version 2 x86/AMD: missing IOMMU TLB flushing UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unindented memory regions. IMPACT ====== Privilege escalation, Denial of Service (DoS) affecting the entire host, and information leaks. VULNERABLE SYSTEMS ================== All Xen versions supporting PCI passthrough are affected. Only x86 AMD systems with IOMMU hardware are vulnerable. Only x86 guests which have physical devices passed through to them can leverage the vulnerability. MITIGATION ========== Not passing through physical devices to guests will avoid the vulnerability. CREDITS ======= This issue was discovered by Roger Pau Monné of XenServer. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa442.patch xen-unstable xsa442-4.17.patch Xen 4.17.x - Xen 4.16.x xsa442-4.15.patch Xen 4.15.x $ sha256sum xsa442* e897c24953f33e24557666975662f74bd634e354108e7df293c1f56179ee97a9 xsa442.patch e7413df9a217d674f8fa71cdcc18adc98201f4fca502a3bb632424e8afc32717 xsa442-4.15.patch 0690fab47c521cae2e14e4c0cf5fcb16a7e4278ef057413ce42e0611b0739070 xsa442-4.17.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html _____________________________________________________________________ Xen Security Advisory CVE-2023-34325 / XSA-443 version 3 Multiple vulnerabilities in libfsimage disk handling UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the same user as the toolstack (root in a priviledged domain). At least one issue has been reported to the Xen Security Team that allows an attacker to trigger a stack buffer overflow in libfsimage. After further analisys the Xen Security Team is no longer confident in the suitability of libfsimage when run against guest controlled input with super user priviledges. In order to not affect current deployments that rely on pygrub patches are provided in the resolution section of the advisory that allow running pygrub in deprivileged mode. IMPACT ====== A guest using pygrub can escalate its privilege to that of the domain construction tools (i.e., normally, to control of the host). VULNERABLE SYSTEMS ================== All Xen versions are affected. MITIGATION ========== Ensuring that guests do not use the pygrub bootloader will avoid this vulnerability. For cases where the PV guest is known to be 64bit, and uses grub2 as a bootloader, pvgrub is a suitable alternative pygrub. Running only HVM guests will avoid the vulnerability. CREDITS ======= This issue was discovered by Ferdinand Nölscher of Google. RESOLUTION ========== Applying patches 1-4 resolves the libfsimage XFS stack overflow. Applying patches 5-11 add additional functionality to pygrub and libxl in order to run pygrub in a restricted environment using a specific UID. Check xl.cfg man page for information on the bootloader_restrict option. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa443/xsa443-??.patch xen-unstable xsa443/xsa443-4.17-??.patch Xen 4.17.x xsa443/xsa443-4.16-??.patch Xen 4.16.x xsa443/xsa443-4.15-??.patch Xen 4.15.x $ sha256sum xsa443*/* d2b306efd35b1e207904f4142be724c4b70bacafae73f8efd5ee12570eb235a1 xsa443/xsa443-01.patch 3af33399c9966465ef65461c344fe0c3184a21a59830de8e3701122cda4f5483 xsa443/xsa443-02.patch a260be66f02307143d9e776cac2b95735011056bebd718f175680f879563ea21 xsa443/xsa443-03.patch 170d511df3a3898ab0302f7e85bc63127cb0b75f73fdcd83104d3f358365f648 xsa443/xsa443-4.15-01.patch 16c942da8929ab240a8807da05d9b39bbabfb34adc4f5a63bc3d2d99568973b1 xsa443/xsa443-4.15-02.patch 13fd27948f5a5e21e1a8e0ddf218ec79b44f1fca55fdc371c932ad2dfa5c23ea xsa443/xsa443-4.15-03.patch 1c865b8f0048483ea76e8cfbeba1536ca6cbde04c58a7e0d485d46c063046cf4 xsa443/xsa443-4.15-04.patch 115b9561c0ea8f155d60049a1e60a26e5261147b1d2672d8a96313aef5dd95e6 xsa443/xsa443-4.15-05.patch 5e54fe8fcd56de43e9035e57ed964cc677aca853b6f205f8576f56aa8f968bf0 xsa443/xsa443-4.15-06.patch a0bd7681bd541b21d069cd025cfb97c798c35041300d5cc86f59941471b88b3c xsa443/xsa443-4.15-07.patch 165795217669df7fa2f6bcb3eb820f93391c7d46422eb941ae359b43ce5c510f xsa443/xsa443-4.15-08.patch fe8be8c39f83567597ec5077bd6fe8b57324d5f6bed7f5cfbed7df43008f7835 xsa443/xsa443-4.15-09.patch 48936926848af29786490dd6db3dcfaf8ed8443f1d6ae896dcb95c930e2f4c21 xsa443/xsa443-4.15-10.patch 213b6a45198869869248b2e3c096fd327f7b0cccbd68faa12335134172c7c908 xsa443/xsa443-4.15-11.patch 170d511df3a3898ab0302f7e85bc63127cb0b75f73fdcd83104d3f358365f648 xsa443/xsa443-4.16-01.patch 16c942da8929ab240a8807da05d9b39bbabfb34adc4f5a63bc3d2d99568973b1 xsa443/xsa443-4.16-02.patch 13fd27948f5a5e21e1a8e0ddf218ec79b44f1fca55fdc371c932ad2dfa5c23ea xsa443/xsa443-4.16-03.patch 1c865b8f0048483ea76e8cfbeba1536ca6cbde04c58a7e0d485d46c063046cf4 xsa443/xsa443-4.16-04.patch 115b9561c0ea8f155d60049a1e60a26e5261147b1d2672d8a96313aef5dd95e6 xsa443/xsa443-4.16-05.patch 5e54fe8fcd56de43e9035e57ed964cc677aca853b6f205f8576f56aa8f968bf0 xsa443/xsa443-4.16-06.patch a0bd7681bd541b21d069cd025cfb97c798c35041300d5cc86f59941471b88b3c xsa443/xsa443-4.16-07.patch 165795217669df7fa2f6bcb3eb820f93391c7d46422eb941ae359b43ce5c510f xsa443/xsa443-4.16-08.patch fe8be8c39f83567597ec5077bd6fe8b57324d5f6bed7f5cfbed7df43008f7835 xsa443/xsa443-4.16-09.patch c9538238f4b636b7d093a59610b0eab2e7fd409a7cc9e988d006bee4c9b944f7 xsa443/xsa443-4.16-10.patch 62147de7a6b8a0073c7abe204da25e94871a32c4e3851f9feccf065976dc0267 xsa443/xsa443-4.16-11.patch 3322213303481fea964cf18e09b172d42caf21fe662c947ae6ddc0d8a1789fa1 xsa443/xsa443-4.17-01.patch 02cf94559407d693ef2dcfc47671b63f5f27019dd759bae3b5eaaa922fb4ea74 xsa443/xsa443-4.17-02.patch 189bef69380d6fbd7f571b2fe11908bac26a650e2b0d040e12b8c1266373f8c8 xsa443/xsa443-4.17-03.patch cdb4f0dd47a6c8a759ae4ffd400f2ce72675b8779ca5576dea74e372ca77a021 xsa443/xsa443-4.17-04.patch 2147dcf95b1ad36da0961e2c084072fa9eb59486e9c0ed43444d268a17d01ee1 xsa443/xsa443-4.17-05.patch a523273792a77fa55a7ab8925369edcb9d9ae50e8e9236be43f23e66aaa0f5e2 xsa443/xsa443-4.17-06.patch 54f97e027c80bfed8e3559ba8d89a69d2f4c48e1017c2090af029a01efe49741 xsa443/xsa443-4.17-07.patch 79667e7b8fbfa43f9135ba14ca364c63e1e7e7c3a68ae12513fe0204e57fa2bd xsa443/xsa443-4.17-08.patch 11125e8da5f9e8313d943e6cbba2ff160478681c290b1413c88113292cca91c4 xsa443/xsa443-4.17-09.patch 113bbc294e10be4e8bf9855536114f875add033f790504f5c744b38da85d1b11 xsa443/xsa443-4.17-10.patch 7e5c7d4ef0b148ce9421c1856ced8b023bae22abc8e13956fe2832628c9d4189 xsa443/xsa443-4.17-11.patch eb81bcbaf1016bce77696c1f2f5cd90b22e11eaa02d15c36c4c704b02981c50d xsa443/xsa443-04.patch 5a099d8bf6a06e318f9ff92491ae4191fd2a3f8637a3c9616173bd2c7d56dbb6 xsa443/xsa443-05.patch 32733ee7dd1baf81338d50532876f211660dd65eb44f3ea121604b4c897ba30f xsa443/xsa443-06.patch 9dfe8e70ed3007dbe46de75d6790baa770d91ac42d6abf642ca0f11b8b2d6b6d xsa443/xsa443-07.patch b8040da4d2ef22ed9f96e1648fa8c4682f82bce2d17bbdd9f2250c48f8858d10 xsa443/xsa443-08.patch 4b0fa7efd271de010943a2974e178d6e9c44c5181a94fc58ddd3f9ecd953d572 xsa443/xsa443-09.patch f1b97a6ee5dc15a2b85ffde12242eb65d885b244419f34d737eb4489769f7224 xsa443/xsa443-10.patch eafccd01a5458baf2a7f39b3e533fd3638d6f728078c437247dc712856422706 xsa443/xsa443-11.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html _____________________________________________________________________ Xen Security Advisory CVE-2023-34327,CVE-2023-34328 / XSA-444 version 3 x86/AMD: Debug Mask handling UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely. IMPACT ====== For CVE-2023-34327, any guest (PV or HVM) using Debug Masks normally for it's own purposes can cause incorrect behaviour in an unrelated HVM vCPU, most likely resulting in a guest crash. For CVE-2023-34328, a buggy or malicious PV guest kernel can lock up the host. VULNERABLE SYSTEMS ================== Only AMD/Hygon hardware supporting the DBEXT feature are vulnerable. This is believed to be the Steamroller microarchitecture and later. For CVE-2023-34327, Xen versions 4.5 and later are vulnerable. For CVE-2023-34328, Xen version between 4.5 and 4.13 are vulnerable. The issue is benign in Xen 4.14 and later owing to an unrelated change. MITIGATION ========== For CVE-2023-34327, HVM VMs which can see the DBEXT feature are not susceptible to running in the wrong state. By default, VMs will see the DBEXT feature on capable hardware, and when not explicitly levelled for migration compatibility. For CVE-2023-34328, PV VMs which cannot see the DBEXT feature cannot leverage the vulnerability. CREDITS ======= This issue was discovered by Andrew Cooper of XenServer. RESOLUTION ========== Applying the appropriate set of attached patches resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa444-?.patch xen-unstable xsa444-4.17-?.patch Xen 4.17.x xsa444-4.16-?.patch Xen 4.16.x - Xen 4.15.x $ sha256sum xsa444* d1a10243d08295ffed2721aaa150efad9e9bd624428f0c24d04e69435a8ddc2e xsa444-1.patch 9ce44c08030780c2e0432169ce679da0a5793ee254e38a0dbe506edf5f1587fd xsa444-2.patch ff0142be5b71679df0f425ea8f74e77589db5b5312e631541d2ab7968b9ea779 xsa444-4.16-1.patch 4ecf44680bd95fb4adddb1c5ced21e8b2754bca2f5cf3e028cf6ea3d9a90d239 xsa444-4.16-2.patch 9c1244f06c2cd0ad4c2023d224363d5d4ad063d80f8682ee66056520cabfb52d xsa444-4.17-1.patch 18dcbb62b5c5f1fba205cfbc83f3b4b1ffa39490bbfd1f1263320f8aef16e83c xsa444-4.17-2.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================