| Summary: | <app-emulation/xen-{4.16.6_pre2,4.17.3}: multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Christopher Fore <csfore> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | ajak, hydrapolic, proxy-maint, trunnelshine, xen |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://xenbits.xenproject.org/xsa/advisory-443.html | | |
| See Also: | https://github.com/gentoo/gentoo/pull/34713 | | |
| Whiteboard: | B2 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 922051 | | |
| Bug Blocks: | | | |
Description
Christopher Fore
2023-11-27 19:17:01 UTC
CVE-2022-42336/XSA-431 (https://xenbits.xenproject.org/xsa/advisory-431.html): An attacker with control over a guest can mislead other guests into observing SSBD active when it is not.

CVE-2023-34320/XSA-436 (https://xenbits.xenproject.org/xsa/advisory-436.html): A (malicious) guest that doesn't include the workaround for erratum 1508412 could deadlock the core. This will ultimately result in a deadlock of the system.

CVE-2023-34319/XSA-432 (https://xenbits.xenproject.org/xsa/advisory-432.html): An unprivileged guest can cause Denial of Service (DoS) of the host by sending network packets to the backend, causing the backend to crash. Data corruption or privilege escalation seem unlikely but have not been ruled out.

CVE-2023-34321/XSA-437 (https://xenbits.xenproject.org/xsa/advisory-437.html): A malicious guest may be able to read sensitive data from memory that previously belonged to another guest.

CVE-2023-34322/XSA-438 (https://xenbits.xenproject.org/xsa/advisory-438.html): Privilege escalation, Denial of Service (DoS) affecting the entire host, and information leaks all cannot be ruled out.

CVE-2023-20588/XSA-439 (https://xenbits.xenproject.org/xsa/advisory-439.html): An attacker might be able to infer data from a different execution context on the same CPU core.

CVE-2023-34323/XSA-440 (https://xenbits.xenproject.org/xsa/advisory-440.html): A malicious guest could craft a transaction that will hit the C Xenstored bug and crash it. This will result in the inability to perform any further domain administration like starting new guests, or adding/removing resources to or from any existing guest.

CVE-2023-34324/XSA-441 (https://xenbits.xenproject.org/xsa/advisory-441.html): A (malicious) guest administrator could cause a denial of service (DoS) in a backend domain (other than dom0) by disabling a paravirtualized device. A malicious backend could cause DoS in a guest running a Linux kernel by disabling a paravirtualized device.

CVE-2023-34326/XSA-442 (https://xenbits.xenproject.org/xsa/advisory-442.html): Privilege escalation, Denial of Service (DoS) affecting the entire host, and information leaks.

CVE-2023-34327/CVE-2023-34328/XSA-444 (https://xenbits.xenproject.org/xsa/advisory-444.html): For CVE-2023-34327, any guest (PV or HVM) using Debug Masks normally for its own purposes can cause incorrect behaviour in an unrelated HVM vCPU, most likely resulting in a guest crash. For CVE-2023-34328, a buggy or malicious PV guest kernel can lock up the host.

CVE-2023-34325/CVE-2022-4949/XSA-443 (https://xenbits.xenproject.org/xsa/advisory-443.html): A guest using pygrub can escalate its privilege to that of the domain construction tools (i.e., normally, to control of the host).

CVE-2023-46835/XSA-445 (https://xenbits.xenproject.org/xsa/advisory-445.html): A device in quarantine mode can access data from previous quarantine page table usages, possibly leaking data used by previous domains that also had the device assigned.

CVE-2023-46836/XSA-446 (https://xenbits.xenproject.org/xsa/advisory-446.html): An attacker in a PV guest might be able to infer the contents of memory belonging to other guests.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1da2b08b738151d1c02a097dbb56313d371dd9c7

commit 1da2b08b738151d1c02a097dbb56313d371dd9c7
Author: Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-01-08 16:35:11 +0000
Commit: Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-01-09 08:52:43 +0000

app-emulation/xen: add upstream patches

Bug: https://bugs.gentoo.org/918669
Bug: https://bugs.gentoo.org/921355
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/34713
Signed-off-by: Florian Schmaus <flow@gentoo.org>

app-emulation/xen/Manifest               |   2 +
app-emulation/xen/xen-4.16.6_pre2.ebuild | 174 ++++++++++++++++++++++++++++++
app-emulation/xen/xen-4.17.3.ebuild      | 179 +++++++++++++++++++++++++++++++
3 files changed, 355 insertions(+)

(In reply to Christopher Fore from comment #0)
> CVE-2023-34325 (https://xenbits.xenproject.org/xsa/advisory-443.html):
>
> ISSUE DESCRIPTION
> =================
>
> libfsimage contains parsing code for several filesystems, most of them based
> on grub-legacy code. libfsimage is used by pygrub to inspect guest disks.
>
> Pygrub runs as the same user as the toolstack (root in a privileged domain).
>
> At least one issue has been reported to the Xen Security Team that allows an
> attacker to trigger a stack buffer overflow in libfsimage. After further
> analysis the Xen Security Team is no longer confident in the suitability of
> libfsimage when run against guest controlled input with super user
> privileges.
>
> In order to not affect current deployments that rely on pygrub patches are
> provided in the resolution section of the advisory that allow running pygrub
> in deprivileged mode.
>
> CVE-2023-4949 refers to the original issue in the upstream grub
> project ("An attacker with local access to a system (either through a
> disk or external drive) can present a modified XFS partition to
> grub-legacy in such a way to exploit a memory corruption in grub’s XFS
> file system implementation.") CVE-2023-34325 refers specifically to
> the vulnerabilities in Xen's copy of libfsimage, which is descended
> from a very old version of grub.
>
> IMPACT
> ======
>
> A guest using pygrub can escalate its privilege to that of the domain
> construction tools (i.e., normally, to control of the host).
>
> VULNERABLE SYSTEMS
> ==================
>
> All Xen versions are affected.

Apply Patches:
- Update libfsimage: Check for and apply any available patches that address these vulnerabilities. The Xen Security Team may have released specific patches to mitigate these issues.
- Update Xen and GRUB: Ensure that both Xen and GRUB (if applicable) are updated to versions that resolve these vulnerabilities. This might include updating your Xen hypervisor to a version where libfsimage has been patched.

Run pygrub in Deprivileged Mode:
- Configuration Change: Modify your configuration to run pygrub in a deprivileged mode if possible. This reduces the risk associated with having pygrub running with superuser privileges.

Monitor and Audit:
- Security Monitoring: Keep an eye on security advisories and monitoring systems for any signs of exploitation attempts.
- System Audits: Regularly audit your systems to ensure no unauthorized changes or access have occurred.

Mitigate Risks:
- Limit Guest Access: Restrict access to guest systems and ensure that only trusted sources can interact with your virtualized environments.
- Security Practices: Follow best practices for securing your virtualization environment, including applying the principle of least privilege and regularly updating software.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=ea0d6e72b1ba346264d25ab8bdd78f6551eaaadf

commit ea0d6e72b1ba346264d25ab8bdd78f6551eaaadf
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 06:41:59 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 06:42:08 +0000

[ GLSA 202409-10 ] Xen: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/918669
Bug: https://bugs.gentoo.org/921355
Bug: https://bugs.gentoo.org/923741
Bug: https://bugs.gentoo.org/928620
Bug: https://bugs.gentoo.org/929038
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

glsa-202409-10.xml | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 83 insertions(+)