- Published: 2023-10-10
- Detected: 2023-10-10
- Vulnerability type: Security update
- Risk level: Unknown
- Updated version: Unknown
- Intelligence contributor: TSRC
x86/AMD: Debug Mask handling
XSA-444 - Xen Security Advisories

Information

- Advisory: XSA-444
- Public release: 2023-10-10 12:00
- Updated: 2023-10-10 12:09
- Version: 3
- CVE(s): CVE-2023-34327 CVE-2023-34328
- Title: x86/AMD: Debug Mask handling

Files

- advisory-444.txt (signed advisory file)
- xsa444-1.patch
- xsa444-2.patch
- xsa444-4.16-1.patch
- xsa444-4.16-2.patch
- xsa444-4.17-1.patch
- xsa444-4.17-2.patch

Advisory

    Xen Security Advisory CVE-2023-34327,CVE-2023-34328 / XSA-444
    version 3

    x86/AMD: Debug Mask handling

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

AMD CPUs since ~2014 have extensions to normal x86 debugging functionality.
Xen supports guests using these extensions.

Unfortunately there are errors in Xen's handling of the guest state, leading
to denials of service.

 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of
    a previous vCPU's debug mask state.

 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.
    This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock
    up the CPU entirely.

IMPACT
======

For CVE-2023-34327, any guest (PV or HVM) using Debug Masks normally for
its own purposes can cause incorrect behaviour in an unrelated HVM
vCPU, most likely resulting in a guest crash.

For CVE-2023-34328, a buggy or malicious PV guest kernel can lock up the
host.

VULNERABLE SYSTEMS
==================

Only AMD/Hygon hardware supporting the DBEXT feature is vulnerable.
This is believed to be the Steamroller microarchitecture and later.

For CVE-2023-34327, Xen versions 4.5 and later are vulnerable.

For CVE-2023-34328, Xen versions between 4.5 and 4.13 are vulnerable.
The issue is benign in Xen 4.14 and later owing to an unrelated change.

MITIGATION
==========

For CVE-2023-34327, HVM VMs which can see the DBEXT feature are not
susceptible to running in the wrong state. By default, VMs will see the
DBEXT feature on capable hardware, and when not explicitly levelled for
migration compatibility.

For CVE-2023-34328, PV VMs which cannot see the DBEXT feature cannot
leverage the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of XenServer.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa444-?.patch           xen-unstable
xsa444-4.17-?.patch      Xen 4.17.x
xsa444-4.16-?.patch      Xen 4.16.x - Xen 4.15.x

$ sha256sum xsa444*
d1a10243d08295ffed2721aaa150efad9e9bd624428f0c24d04e69435a8ddc2e  xsa444-1.patch
9ce44c08030780c2e0432169ce679da0a5793ee254e38a0dbe506edf5f1587fd  xsa444-2.patch
ff0142be5b71679df0f425ea8f74e77589db5b5312e631541d2ab7968b9ea779  xsa444-4.16-1.patch
4ecf44680bd95fb4adddb1c5ced21e8b2754bca2f5cf3e028cf6ea3d9a90d239  xsa444-4.16-2.patch
9c1244f06c2cd0ad4c2023d224363d5d4ad063d80f8682ee66056520cabfb52d  xsa444-4.17-1.patch
18dcbb62b5c5f1fba205cfbc83f3b4b1ffa39490bbfd1f1263320f8aef16e83c  xsa444-4.17-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

Xenproject.org Security Team
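The applicability rules in the VULNERABLE SYSTEMS and MITIGATION sections, written as a triage check over a guest inventory. This is an added example, not part of the advisory or of Xen; the `Guest` record, its `sees_dbext` field, the `patched` flag and the sample inventory are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Guest:
    name: str
    kind: str         # "pv" or "hvm"
    sees_dbext: bool  # False when DBEXT is levelled out of the guest's CPUID view

def xen_version(text):
    """Parse '4.13.5' or '4.17-rc' into a comparable (major, minor) tuple."""
    m = re.match(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Xen version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(xen, host_has_dbext, guests, patched=False):
    """Return {cve: [guest names]} for guests meeting the advisory's conditions."""
    findings = {"CVE-2023-34327": [], "CVE-2023-34328": []}
    ver = xen_version(xen)
    # Only AMD/Hygon hardware with DBEXT is vulnerable, on Xen 4.5 and later.
    # 'patched' (assumption) means the matching xsa444 patches are applied.
    if patched or not host_has_dbext or ver < (4, 5):
        return findings
    for g in guests:
        # CVE-2023-34327: an HVM guest that cannot see DBEXT may run with a
        # previous vCPU's debug mask state (likely result: guest crash).
        if g.kind == "hvm" and not g.sees_dbext:
            findings["CVE-2023-34327"].append(g.name)
        # CVE-2023-34328: a PV guest that can see DBEXT can lock up the host.
        # Xen 4.5 to 4.13 only; the issue is benign in 4.14 and later.
        if g.kind == "pv" and g.sees_dbext and ver <= (4, 13):
            findings["CVE-2023-34328"].append(g.name)
    return findings

# Constructed sample inventory, not taken from the advisory.
SAMPLE_GUESTS = [
    Guest("web-hvm", "hvm", True),
    Guest("legacy-hvm", "hvm", False),  # levelled for migration compatibility
    Guest("build-pv", "pv", True),
    Guest("db-pv", "pv", False),
]

if __name__ == "__main__":
    for version in ("4.13.5", "4.17.2"):
        print(version, triage(version, True, SAMPLE_GUESTS))
```

A guest listed under CVE-2023-34327 is a potential victim of another guest's debug mask state, while a guest listed under CVE-2023-34328 is one able to affect the host.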
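Xen is an open-source virtual machine monitor developed at the University of Cambridge. It is intended to run up to 100 full-featured operating systems on a single computer. Operating systems must be explicitly modified ("ported") to run on Xen (while compatibility with user applications is preserved). This allows Xen to achieve high-performance virtualization without special hardware support.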
- CVE-2023-34327: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34327
- CVE-2023-34328: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34328
- CVE-2015-8104: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8104
None
None
http://xenbits.xen.org/xsa/advisory-444.html