Xen Official Site Security Update (2023-09-20)

Intelligence source: TSRC

Published: 2023-09-20

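Basic information
  • Release date: 2023-09-20
  • Detection time: 2023-09-20
  • Vulnerability type: Security update
  • Risk level: Unknown
  • Updated version: Unknown
  • Intelligence contributor: TSRC
Update title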

top-level shadow reference dropped too early for 64-bit PV guests

Update details

XSA-438 - Xen Security Advisories

Information
  • Advisory: XSA-438
  • Public release: 2023-09-19 12:00
  • Updated: 2023-09-20 09:19
  • Version: 2
  • CVE(s): CVE-2023-34322
  • Title: top-level shadow reference dropped too early for 64-bit PV guests
  • Files: advisory-438.txt (signed advisory file), xsa438.patch, xsa438-4.15.patch, xsa438-4.16.patch, xsa438-4.17.patch

Advisory

Xen Security Advisory CVE-2023-34322 / XSA-438
version 2

top-level shadow reference dropped too early for 64-bit PV guests

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

For migration as well as to work around kernels unaware of L1TF (see
XSA-273), PV guests may be run in shadow paging mode. Since Xen itself
needs to be mapped when PV guests run, Xen and shadowed PV guests run
directly the respective shadow page tables. For 64-bit PV guests this
means running on the shadow of the guest root page table.

In the course of dealing with shortage of memory in the shadow pool
associated with a domain, shadows of page tables may be torn down. This
tearing down may include the shadow root page table that the CPU in
question is presently running on. While a precaution exists to
supposedly prevent the tearing down of the underlying live page table,
the time window covered by that precaution isn't large enough.

IMPACT
======

Privilege escalation, Denial of Service (DoS) affecting the entire host,
and information leaks all cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable. Earlier
versions have not been inspected.

Only x86 systems are vulnerable. Only 64-bit PV guests can leverage the
vulnerability, and only when running in shadow mode. Shadow mode would
be in use when migrating guests or as a workaround for XSA-273 (L1TF).

MITIGATION
==========

Running only HVM or PVH guests will avoid the vulnerability.

Running PV guests in the PV shim will also avoid the vulnerability.

CREDITS
=======

This issue was discovered by Tim Deegan, and Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa438.patch           xen-unstable
xsa438-4.17.patch      Xen 4.17.x
xsa438-4.16.patch      Xen 4.16.x
xsa438-4.15.patch      Xen 4.15.x

$ sha256sum xsa438*
f30067fa3732fb52042b14a2836b610c29af47461425f1a1ccec21cb8a5a48b1  xsa438.patch
a2e7d7c12ea19fb95e2d825fda5f7d0124cbb5c4a369cb58ab6036d266b7e297  xsa438-4.15.patch
eb75fbeb4aa635d6104c12acd5f7311e477f7c159f2ec4eca8a345327a9aee24  xsa438-4.16.patch
f3a305c86124e48b9afa14f3ba76b81d1f5d8d472e2412ae3d014305c749a86a  xsa438-4.17.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

Xenproject.org Security Team
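The MITIGATION section above can be turned into a configuration inventory. The following is an added example, not part of the advisory or of Xen's own tooling: it classifies guest configs by the xl.cfg(5) settings `type`, the deprecated `builder`, and `pvshim`, and flags plain PV guests for review. The sample configs and file names are constructed; a config cannot show guest bitness or whether shadow mode is in use, so a flagged guest still needs manual assessment.

```python
import re

# Top-level scalar assignment in xl.cfg(5) syntax: key = "str" | 'str' | bareword/number
_ASSIGN = re.compile(
    r"""^\s*(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\w+))\s*;?\s*(?:#.*)?$""")

def parse_scalars(cfg_text):
    """Return {key: value} for scalar settings; lists and comment lines are skipped."""
    out = {}
    for line in cfg_text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            out[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return out

def guest_mode(cfg_text):
    """Classify a guest as 'pv', 'pvh', 'hvm' or 'pv-in-shim'."""
    s = parse_scalars(cfg_text)
    gtype = s.get("type")
    if gtype is None:
        # Without type=, xl builds a PV guest unless the deprecated builder="hvm" is set.
        gtype = "hvm" if s.get("builder") == "hvm" else "pv"
    gtype = gtype.lower()
    pvshim = s.get("pvshim", "0")
    if gtype == "pvh" and pvshim.isdigit() and int(pvshim) != 0:
        return "pv-in-shim"   # PV guest inside the PV shim: avoids the issue per the advisory
    return gtype

def audit(configs):
    """Return the sorted names of configs describing plain PV guests."""
    return sorted(n for n, text in configs.items() if guest_mode(text) == "pv")

# Constructed sample configs (hypothetical names, not taken from any real host).
SAMPLES = {
    "web01.cfg":  'name = "web01"\nmemory = 2048\n',          # no type= -> PV
    "db01.cfg":   'name = "db01"\ntype = "hvm"\n',
    "legacy.cfg": 'name="legacy"\nbuilder = "hvm"  # deprecated spelling\n',
    "shim01.cfg": 'name = "shim01"\ntype = "pvh"\npvshim = 1\n',
    "app02.cfg":  "# type = \"pv\"\ntype = 'pvh'\n",
}

if __name__ == "__main__":
    for name in sorted(SAMPLES):
        print(f"{name:12} {guest_mode(SAMPLES[name])}")
    print("review for XSA-438:", audit(SAMPLES))
```
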

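Software description

Xen is an open-source virtual machine monitor developed at the University of Cambridge. It is intended to run up to 100 full-featured operating systems on a single computer. Operating systems must be explicitly modified ("ported") to run on Xen (while remaining compatible with user applications). This lets Xen achieve high-performance virtualization without special hardware support.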

CVE ID

CVE-2023-34322 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34322)

Knowsafe analysis

None yet

Industry news

None yet

Source link

http://xenbits.xen.org/xsa/advisory-438.html