Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 10 Oct 2023 12:09:37 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 444 v3 (CVE-2023-34327,CVE-2023-34328) -
 x86/AMD: Debug Mask handling

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

     Xen Security Advisory CVE-2023-34327,CVE-2023-34328 / XSA-444
                               version 3

                     x86/AMD: Debug Mask handling

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

AMD CPUs since ~2014 have extensions to normal x86 debugging functionality.
Xen supports guests using these extensions.

Unfortunately there are errors in Xen's handling of the guest state, leading
to denials of service.

 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of
    a previous vCPUs debug mask state.

 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.
    This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock
    up the CPU entirely.

IMPACT
======

For CVE-2023-34327, any guest (PV or HVM) using Debug Masks normally for
it's own purposes can cause incorrect behaviour in an unrelated HVM
vCPU, most likely resulting in a guest crash.

For CVE-2023-34328, a buggy or malicious PV guest kernel can lock up the
host.

VULNERABLE SYSTEMS
==================

Only AMD/Hygon hardware supporting the DBEXT feature are vulnerable.
This is believed to be the Steamroller microarchitecture and later.

For CVE-2023-34327, Xen versions 4.5 and later are vulnerable.

For CVE-2023-34328, Xen version between 4.5 and 4.13 are vulnerable.
The issue is benign in Xen 4.14 and later owing to an unrelated change.

MITIGATION
==========

For CVE-2023-34327, HVM VMs which can see the DBEXT feature are not
susceptible to running in the wrong state.  By default, VMs will see the
DBEXT feature on capable hardware, and when not explicitly levelled for
migration compatibility.

For CVE-2023-34328, PV VMs which cannot see the DBEXT feature cannot
leverage the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of XenServer.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa444-?.patch           xen-unstable
xsa444-4.17-?.patch      Xen 4.17.x
xsa444-4.16-?.patch      Xen 4.16.x - Xen 4.15.x

$ sha256sum xsa444*
d1a10243d08295ffed2721aaa150efad9e9bd624428f0c24d04e69435a8ddc2e  xsa444-1.patch
9ce44c08030780c2e0432169ce679da0a5793ee254e38a0dbe506edf5f1587fd  xsa444-2.patch
ff0142be5b71679df0f425ea8f74e77589db5b5312e631541d2ab7968b9ea779  xsa444-4.16-1.patch
4ecf44680bd95fb4adddb1c5ced21e8b2754bca2f5cf3e028cf6ea3d9a90d239  xsa444-4.16-2.patch
9c1244f06c2cd0ad4c2023d224363d5d4ad063d80f8682ee66056520cabfb52d  xsa444-4.17-1.patch
18dcbb62b5c5f1fba205cfbc83f3b4b1ffa39490bbfd1f1263320f8aef16e83c  xsa444-4.17-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmUlNO0MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZoGcH+gMuZqrzWTDFKflh1MO9EPI5iQzyJgQEHicacoBP
rO6gAUMQ2OvgqM1CO6e7qZ7qU+CPP2dfp1aR+Zxz0ynzeku2cVJY1SiAhZ+ZODso
pBZg/3DKtX0kGP27nStInbZQu2TGfTUQLJ80sYxb3A7Fl8uGWmlCFuZoYGK7R9+P
KU2sutmFJJipQVoQm38AQmTed1f+xjtX3AGwWFNGnuHkAC9pQGCQ29YL7wqhtvjw
FndF1aLLVCX5Wt6LIK6K5z8DncfrDTwXDha3XMbFmY37HGOOa96jTPJhThmnYEU1
SWc43m9HnCiP/DdBeQ9t2JmVVkx8Qc5kZQigFdpQ0aR/wj8=
=n97C
-----END PGP SIGNATURE-----

Download attachment "xsa444-1.patch" of type "application/octet-stream" (4057 bytes)

Download attachment "xsa444-2.patch" of type "application/octet-stream" (3682 bytes)

Download attachment "xsa444-4.16-1.patch" of type "application/octet-stream" (4057 bytes)

Download attachment "xsa444-4.16-2.patch" of type "application/octet-stream" (3188 bytes)

Download attachment "xsa444-4.17-1.patch" of type "application/octet-stream" (4057 bytes)

Download attachment "xsa444-4.17-2.patch" of type "application/octet-stream" (3208 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.