Bug 918669 (CVE-2022-42336, CVE-2022-4949, CVE-2023-34319, CVE-2023-34320, CVE-2023-34321, CVE-2023-34322, CVE-2023-34323, CVE-2023-34324, CVE-2023-34325, CVE-2023-34327, CVE-2023-34328, CVE-2023-46835, CVE-2023-46836, XSA-431, XSA-432, XSA-436, XSA-437, XSA-438, XSA-439, XSA-440, XSA-441, XSA-442) - <app-emulation/xen-{4.16.6_pre2,4.17.3}: multiple vulnerabilities
Summary: <app-emulation/xen-{4.16.6_pre2,4.17.3}: multiple vulnerabilities
Status: UNCONFIRMED
Alias: CVE-2022-42336, CVE-2022-4949, CVE-2023-34319, CVE-2023-34320, CVE-2023-34321, CVE-2023-34322, CVE-2023-34323, CVE-2023-34324, CVE-2023-34325, CVE-2023-34327, CVE-2023-34328, CVE-2023-46835, CVE-2023-46836, XSA-431, XSA-432, XSA-436, XSA-437, XSA-438, XSA-439, XSA-440, XSA-441, XSA-442
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://xenbits.xenproject.org/xsa/ad...
Whiteboard: B2 [glsa?]
Keywords: PullRequest
Depends on: 922051
Blocks:
Reported: 2023-11-27 19:17 UTC by Christopher Fore
Modified: 2024-02-12 02:16 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Description Christopher Fore 2023-11-27 19:17:01 UTC
CVE-2023-34325 (https://xenbits.xenproject.org/xsa/advisory-443.html):

ISSUE DESCRIPTION
=================

libfsimage contains parsing code for several filesystems, most of them based on
grub-legacy code.  libfsimage is used by pygrub to inspect guest disks.

Pygrub runs as the same user as the toolstack (root in a privileged domain).

At least one issue has been reported to the Xen Security Team that allows an
attacker to trigger a stack buffer overflow in libfsimage.  After further
analysis the Xen Security Team is no longer confident in the suitability of
libfsimage when run against guest controlled input with super user privileges.

In order to not affect current deployments that rely on pygrub, patches are
provided in the resolution section of the advisory that allow running pygrub in
deprivileged mode.

CVE-2023-4949 refers to the original issue in the upstream grub
project ("An attacker with local access to a system (either through a
disk or external drive) can present a modified XFS partition to
grub-legacy in such a way to exploit a memory corruption in grub’s XFS
file system implementation.")  CVE-2023-34325 refers specifically to
the vulnerabilities in Xen's copy of libfsimage, which is descended
from a very old version of grub.

IMPACT
======

A guest using pygrub can escalate its privilege to that of the domain
construction tools (i.e., normally, to control of the host).

VULNERABLE SYSTEMS
==================

All Xen versions are affected.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-28 19:42:10 UTC
CVE-2022-42336/XSA-431 (https://xenbits.xenproject.org/xsa/advisory-431.html):

An attacker with control over a guest can mislead other guests into
observing SSBD active when it is not.

CVE-2023-34320/XSA-436 (https://xenbits.xenproject.org/xsa/advisory-436.html):

A (malicious) guest that doesn't include the workaround for erratum
1508412 could deadlock the core.  This will ultimately result in
a deadlock of the system.

CVE-2023-34319/XSA-432 (https://xenbits.xenproject.org/xsa/advisory-432.html):

An unprivileged guest can cause Denial of Service (DoS) of the host by
sending network packets to the backend, causing the backend to crash.

Data corruption or privilege escalation seem unlikely but have not been
ruled out.

CVE-2023-34321/XSA-437 (https://xenbits.xenproject.org/xsa/advisory-437.html):

A malicious guest may be able to read sensitive data from memory that
previously belonged to another guest.

CVE-2023-34322/XSA-438 (https://xenbits.xenproject.org/xsa/advisory-438.html):

Privilege escalation, Denial of Service (DoS) affecting the entire host,
and information leaks all cannot be ruled out.

CVE-2023-20588/XSA-439 (https://xenbits.xenproject.org/xsa/advisory-439.html):

An attacker might be able to infer data from a different execution
context on the same CPU core.

CVE-2023-34323/XSA-440 (https://xenbits.xenproject.org/xsa/advisory-440.html):

A malicious guest could craft a transaction that will hit the C
Xenstored bug and crash it.  This will result in the inability to
perform any further domain administration like starting new guests,
or adding/removing resources to or from any existing guest.

CVE-2023-34324/XSA-441 (https://xenbits.xenproject.org/xsa/advisory-441.html):

A (malicious) guest administrator could cause a denial of service (DoS)
in a backend domain (other than dom0) by disabling a paravirtualized
device.

A malicious backend could cause DoS in a guest running a Linux kernel by
disabling a paravirtualized device.

CVE-2023-34326/XSA-442 (https://xenbits.xenproject.org/xsa/advisory-442.html):

Privilege escalation, Denial of Service (DoS) affecting the entire host,
and information leaks.

CVE-2023-34327/CVE-2023-34328/XSA-444 (https://xenbits.xenproject.org/xsa/advisory-444.html):

For CVE-2023-34327, any guest (PV or HVM) using Debug Masks normally for
its own purposes can cause incorrect behaviour in an unrelated HVM
vCPU, most likely resulting in a guest crash.

For CVE-2023-34328, a buggy or malicious PV guest kernel can lock up the
host.

CVE-2023-34325/CVE-2022-4949/XSA-443 (https://xenbits.xenproject.org/xsa/advisory-443.html):

A guest using pygrub can escalate its privilege to that of the domain
construction tools (i.e., normally, to control of the host).

CVE-2023-46835/XSA-445 (https://xenbits.xenproject.org/xsa/advisory-445.html):

A device in quarantine mode can access data from previous quarantine
page table usages, possibly leaking data used by previous domains that
also had the device assigned.

CVE-2023-46836/XSA-446 (https://xenbits.xenproject.org/xsa/advisory-446.html):

An attacker in a PV guest might be able to infer the contents of memory
belonging to other guests.
Comment 2 Larry the Git Cow gentoo-dev 2024-01-09 08:53:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1da2b08b738151d1c02a097dbb56313d371dd9c7

commit 1da2b08b738151d1c02a097dbb56313d371dd9c7
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-01-08 16:35:11 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-01-09 08:52:43 +0000

    app-emulation/xen: add upstream patches
    
    Bug: https://bugs.gentoo.org/918669
    Bug: https://bugs.gentoo.org/921355
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/34713
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen/Manifest               |   2 +
 app-emulation/xen/xen-4.16.6_pre2.ebuild | 174 ++++++++++++++++++++++++++++++
 app-emulation/xen/xen-4.17.3.ebuild      | 179 +++++++++++++++++++++++++++++++
 3 files changed, 355 insertions(+)