Bug 1215145 (CVE-2023-34322) - VUL-0: CVE-2023-34322: xen: top-level shadow reference dropped too early for 64-bit PV guests (XSA-438)
Status: RESOLVED FIXED
Alias: CVE-2023-34322
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/377728/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-34322:7.5:(AV:...
Reported: 2023-09-08 07:36 UTC by Carlos López
Modified: 2024-05-30 14:38 UTC

Attachments
Attached patches (17.57 KB, application/zip)
2023-09-08 07:38 UTC, Carlos López
Comment 5 Gabriele Sonnu 2023-09-20 12:22:16 UTC
Public now:

https://xenbits.xen.org/xsa/advisory-438.html

            Xen Security Advisory CVE-2023-34322 / XSA-438
                               version 2

   top-level shadow reference dropped too early for 64-bit PV guests

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

For migration as well as to work around kernels unaware of L1TF (see
XSA-273), PV guests may be run in shadow paging mode.  Since Xen itself
needs to be mapped when PV guests run, Xen and shadowed PV guests run
directly the respective shadow page tables.  For 64-bit PV guests this
means running on the shadow of the guest root page table.

In the course of dealing with shortage of memory in the shadow pool
associated with a domain, shadows of page tables may be torn down.  This
tearing down may include the shadow root page table that the CPU in
question is presently running on.  While a precaution exists to
supposedly prevent the tearing down of the underlying live page table,
the time window covered by that precaution isn't large enough.

IMPACT
======

Privilege escalation, Denial of Service (DoS) affecting the entire host,
and information leaks all cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been inspected.

Only x86 systems are vulnerable.  Only 64-bit PV guests can leverage the
vulnerability, and only when running in shadow mode.  Shadow mode would
be in use when migrating guests or as a workaround for XSA-273 (L1TF).

MITIGATION
==========

Running only HVM or PVH guests will avoid the vulnerability.

Running PV guests in the PV shim will also avoid the vulnerability.

CREDITS
=======

This issue was discovered by Tim Deegan, and Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa438.patch           xen-unstable
xsa438-4.17.patch      Xen 4.17.x
xsa438-4.16.patch      Xen 4.16.x
xsa438-4.15.patch      Xen 4.15.x

$ sha256sum xsa438*
f30067fa3732fb52042b14a2836b610c29af47461425f1a1ccec21cb8a5a48b1  xsa438.patch
a2e7d7c12ea19fb95e2d825fda5f7d0124cbb5c4a369cb58ab6036d266b7e297  xsa438-4.15.patch
eb75fbeb4aa635d6104c12acd5f7311e477f7c159f2ec4eca8a345327a9aee24  xsa438-4.16.patch
f3a305c86124e48b9afa14f3ba76b81d1f5d8d472e2412ae3d014305c749a86a  xsa438-4.17.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 7 Maintenance Automation 2023-09-27 20:30:49 UTC
SUSE-SU-2023:3832-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215145, 1215474
CVE References: CVE-2023-20588, CVE-2023-34322
Sources used:
openSUSE Leap 15.4 (src): xen-4.16.5_04-150400.4.34.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): xen-4.16.5_04-150400.4.34.1
SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.5_04-150400.4.34.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): xen-4.16.5_04-150400.4.34.1
SUSE Linux Enterprise Micro 5.4 (src): xen-4.16.5_04-150400.4.34.1
Basesystem Module 15-SP4 (src): xen-4.16.5_04-150400.4.34.1
Server Applications Module 15-SP4 (src): xen-4.16.5_04-150400.4.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-09-27 20:30:51 UTC
SUSE-SU-2023:3831-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215145, 1215474
CVE References: CVE-2023-20588, CVE-2023-34322
Sources used:
openSUSE Leap 15.5 (src): xen-4.17.2_04-150500.3.9.1
Basesystem Module 15-SP5 (src): xen-4.17.2_04-150500.3.9.1
Server Applications Module 15-SP5 (src): xen-4.17.2_04-150500.3.9.1

Comment 9 Maintenance Automation 2023-09-29 12:30:13 UTC
SUSE-SU-2023:3895-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1214083, 1215145, 1215474
CVE References: CVE-2022-40982, CVE-2023-20588, CVE-2023-20593, CVE-2023-34322
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_04-150200.3.77.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_04-150200.3.77.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xen-4.13.5_04-150200.3.77.1

Comment 10 Maintenance Automation 2023-09-29 12:30:16 UTC
SUSE-SU-2023:3894-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1214083, 1215145, 1215474
CVE References: CVE-2022-40982, CVE-2023-20588, CVE-2023-20593, CVE-2023-34322
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xen-4.12.4_38-3.94.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xen-4.12.4_38-3.94.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xen-4.12.4_38-3.94.1
SUSE Linux Enterprise Server 12 SP5 (src): xen-4.12.4_38-3.94.1

Comment 11 Maintenance Automation 2023-09-29 16:30:03 UTC
SUSE-SU-2023:3903-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1215145, 1215474
CVE References: CVE-2023-20588, CVE-2023-20593, CVE-2023-34322
Sources used:
SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.6_04-150300.3.54.1
SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.6_04-150300.3.54.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): xen-4.14.6_04-150300.3.54.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): xen-4.14.6_04-150300.3.54.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xen-4.14.6_04-150300.3.54.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xen-4.14.6_04-150300.3.54.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xen-4.14.6_04-150300.3.54.1
SUSE Manager Proxy 4.2 (src): xen-4.14.6_04-150300.3.54.1
SUSE Manager Retail Branch Server 4.2 (src): xen-4.14.6_04-150300.3.54.1
SUSE Manager Server 4.2 (src): xen-4.14.6_04-150300.3.54.1
SUSE Enterprise Storage 7.1 (src): xen-4.14.6_04-150300.3.54.1

Comment 12 Maintenance Automation 2023-09-29 16:30:06 UTC
SUSE-SU-2023:3902-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1214083, 1215145, 1215474
CVE References: CVE-2022-40982, CVE-2023-20588, CVE-2023-20593, CVE-2023-34322
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_38-150100.3.92.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_38-150100.3.92.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): xen-4.12.4_38-150100.3.92.1
SUSE CaaS Platform 4.0 (src): xen-4.12.4_38-150100.3.92.1

Comment 13 Charles Arnold 2023-10-25 20:03:46 UTC
Submission done.
Comment 15 Maintenance Automation 2023-11-17 08:30:04 UTC
SUSE-SU-2023:4476-1: An update that solves eight vulnerabilities can now be installed.

Category: security (important)
Bug References: 1027519, 1215145, 1215474, 1215746, 1215747, 1215748, 1216654, 1216807
CVE References: CVE-2023-20588, CVE-2023-34322, CVE-2023-34325, CVE-2023-34326, CVE-2023-34327, CVE-2023-34328, CVE-2023-46835, CVE-2023-46836
Sources used:
openSUSE Leap 15.4 (src): xen-4.16.5_08-150400.4.40.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): xen-4.16.5_08-150400.4.40.1
SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.5_08-150400.4.40.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): xen-4.16.5_08-150400.4.40.1
SUSE Linux Enterprise Micro 5.4 (src): xen-4.16.5_08-150400.4.40.1
Basesystem Module 15-SP4 (src): xen-4.16.5_08-150400.4.40.1
Server Applications Module 15-SP4 (src): xen-4.16.5_08-150400.4.40.1
openSUSE Leap Micro 5.3 (src): xen-4.16.5_08-150400.4.40.1
openSUSE Leap Micro 5.4 (src): xen-4.16.5_08-150400.4.40.1

Comment 16 Maintenance Automation 2023-11-17 08:30:10 UTC
SUSE-SU-2023:4475-1: An update that solves eight vulnerabilities can now be installed.

Category: security (important)
Bug References: 1027519, 1215145, 1215474, 1215746, 1215747, 1215748, 1216654, 1216807
CVE References: CVE-2023-20588, CVE-2023-34322, CVE-2023-34325, CVE-2023-34326, CVE-2023-34327, CVE-2023-34328, CVE-2023-46835, CVE-2023-46836
Sources used:
openSUSE Leap 15.5 (src): xen-4.17.2_08-150500.3.15.1
SUSE Linux Enterprise Micro 5.5 (src): xen-4.17.2_08-150500.3.15.1
Basesystem Module 15-SP5 (src): xen-4.17.2_08-150500.3.15.1
Server Applications Module 15-SP5 (src): xen-4.17.2_08-150500.3.15.1

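A patch-status check built from the version strings in the update notices above, added here as an example; it is not part of the bug report or of SUSE's tooling. It uses a simplified re-implementation of RPM version comparison (no epoch, `~` or `^` handling, none of which occur in these strings); the codestream labels, host names and the "older" sample versions are constructed for illustration.

```python
import re

# First xen builds this page lists as fixing CVE-2023-34322, copied from the
# update notices above. The codestream keys are labels chosen for this example.
FIRST_FIXED = {
    "SLE 12 SP5": "4.12.4_38-3.94.1",
    "SLE 15 SP1": "4.12.4_38-150100.3.92.1",
    "SLE 15 SP2": "4.13.5_04-150200.3.77.1",
    "SLE 15 SP3": "4.14.6_04-150300.3.54.1",
    "SLE 15 SP4": "4.16.5_04-150400.4.34.1",
    "SLE 15 SP5": "4.17.2_04-150500.3.9.1",
}

def rpm_cmp(a, b):
    """Simplified rpmvercmp returning -1, 0 or 1 (no epoch, '~' or '^')."""
    # RPM compares maximal runs of digits or letters; anything else separates.
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats a letter run
        if x.isdigit():
            x, y = int(x), int(y)            # so that "04" == "4" and 10 > 9
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win

def evr_cmp(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return rpm_cmp(va, vb) or rpm_cmp(ra, rb)

def has_xsa438_fix(codestream, installed):
    """True if `installed` is at or past the first fixed build for the codestream."""
    return evr_cmp(installed, FIRST_FIXED[codestream]) >= 0

if __name__ == "__main__":
    # Constructed inventory; the third field is what
    # rpm -q --qf '%{VERSION}-%{RELEASE}\n' xen would print on each host.
    inventory = [
        ("hv01", "SLE 15 SP4", "4.16.5_02-150400.4.31.1"),  # constructed, older
        ("hv02", "SLE 15 SP4", "4.16.5_08-150400.4.40.1"),  # later update on this page
        ("hv03", "SLE 12 SP5", "4.12.4_38-3.91.1"),         # constructed, older release
    ]
    for host, stream, evr in inventory:
        print(host, evr, "fixed" if has_xsa438_fix(stream, evr) else "NEEDS UPDATE")
```

A host that reports a build older than the first fixed one still needs the update if it runs 64-bit PV guests outside the PV shim, since those are the guests the advisory names as able to leverage the issue.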