Bug 1218758 (CVE-2023-20573)

Summary: VUL-0: CVE-2023-20573: kernel-firmware: AMD Secure Nested Paging Debug Exception
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Takashi Iwai <tiwai>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, thomas.leroy
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/390878/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-01-12 09:12:50 UTC
A privileged attacker can prevent delivery of debug exceptions to SEV-SNP guests potentially resulting in guests not receiving expected debug information.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-20573
https://www.cve.org/CVERecord?id=CVE-2023-20573
https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-3006
https://bugzilla.redhat.com/show_bug.cgi?id=2253702
Comment 1 Takashi Iwai 2024-01-17 14:59:16 UTC
The update to the latest version 2023.11.30 was submitted to TW.
Comment 2 Takashi Iwai 2024-01-17 15:02:36 UTC
Bah, sorry, a wrong bug entry.

For this one, there is too little information.  Is the fixed firmware already available?
Comment 3 Takashi Iwai 2024-01-17 15:04:50 UTC
The AMD bulletin says:
"""
Mitigation

No mitigation is planned for this issue. SEV-SNP guest that have the alternate injection feature enabled are not affected.
"""

Is it a WONTFIX issue, then?
Comment 4 Marcus Meissner 2024-01-18 10:16:07 UTC
wontfix.