918669 – (CVE-2022-42336, CVE-2022-4949, CVE-2023-34319, CVE-2023-34320, CVE-2023-34321, CVE-2023-34322, CVE-2023-34323, CVE-2023-34324, CVE-2023-34325, CVE-2023-34327, CVE-2023-34328, CVE-2023-46835, CVE-2023-46836, XSA-431, XSA-432, XSA-436, XSA-437, XSA-438, XSA-439, XSA-440, XSA-441, XSA-442) <app-emulation/xen-{4.16.6_pre2,4.17.3}: multiple vulnerabilities

Bug 918669 (CVE-2022-42336, CVE-2022-4949, CVE-2023-34319, CVE-2023-34320, CVE-2023-34321, CVE-2023-34322, CVE-2023-34323, CVE-2023-34324, CVE-2023-34325, CVE-2023-34327, CVE-2023-34328, CVE-2023-46835, CVE-2023-46836, XSA-431, XSA-432, XSA-436, XSA-437, XSA-438, XSA-439, XSA-440, XSA-441, XSA-442) - <app-emulation/xen-{4.16.6_pre2,4.17.3}: multiple vulnerabilities

Summary: <app-emulation/xen-{4.16.6_pre2,4.17.3}: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2022-42336, CVE-2022-4949, CVE-2023-34319, CVE-2023-34320, CVE-2023-34321, CVE-2023-34322, CVE-2023-34323, CVE-2023-34324, CVE-2023-34325, CVE-2023-34327, CVE-2023-34328, CVE-2023-46835, CVE-2023-46836, XSA-431, XSA-432, XSA-436, XSA-437, XSA-438, XSA-439, XSA-440, XSA-441, XSA-442

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://xenbits.xenproject.org/xsa/ad...
Whiteboard:	B2 [glsa+]
Keywords:	PullRequest

Depends on:	922051
Blocks:
	Show dependency tree

Reported:	2023-11-27 19:17 UTC by Christopher Fore
Modified:	2024-09-22 06:43 UTC (History)
CC List:	5 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/34713
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Fore 2023-11-27 19:17:01 UTC

CVE-2023-34325 (https://xenbits.xenproject.org/xsa/advisory-443.html):

ISSUE DESCRIPTION
=================

libfsimage contains parsing code for several filesystems, most of them based on
grub-legacy code.  libfsimage is used by pygrub to inspect guest disks.

Pygrub runs as the same user as the toolstack (root in a priviledged domain).

At least one issue has been reported to the Xen Security Team that allows an
attacker to trigger a stack buffer overflow in libfsimage.  After further
analisys the Xen Security Team is no longer confident in the suitability of
libfsimage when run against guest controlled input with super user priviledges.

In order to not affect current deployments that rely on pygrub patches are
provided in the resolution section of the advisory that allow running pygrub in
deprivileged mode.

CVE-2023-4949 refers to the original issue in the upstream grub
project ("An attacker with local access to a system (either through a
disk or external drive) can present a modified XFS partition to
grub-legacy in such a way to exploit a memory corruption in grub’s XFS
file system implementation.")  CVE-2023-34325 refers specifically to
the vulnerabilities in Xen's copy of libfsimage, which is decended
from a very old version of grub.

IMPACT
======

A guest using pygrub can escalate its privilege to that of the domain
construction tools (i.e., normally, to control of the host).

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

Comment 1 John Helmert III archtester

2023-11-28 19:42:10 UTC

CVE-2022-42336/XSA-431 (https://xenbits.xenproject.org/xsa/advisory-431.html):

An attacker with control over a guest can mislead other guests into
observing SSBD active when it is not.

CVE-2023-34320/XSA-436 (https://xenbits.xenproject.org/xsa/advisory-436.html):

A (malicious) guest that doesn't include the workaround for erratum
1508412 could deadlock the core. This will ultimately result to
a deadlock of the system.

CVE-2023-34319/XSA-432 (https://xenbits.xenproject.org/xsa/advisory-432.html):

An unprivileged guest can cause Denial of Service (DoS) of the host by
sending network packets to the backend, causing the backend to crash.

Data corruption or privilege escalation seem unlikely but have not been
ruled out.

CVE-2023-34321/XSA-437 (https://xenbits.xenproject.org/xsa/advisory-437.html):

A malicious guest may be able to read sensitive data from memory that
previously belonged to another guest.

CVE-2023-34322/XSA-438 (https://xenbits.xenproject.org/xsa/advisory-438.html):

Privilege escalation, Denial of Service (DoS) affecting the entire host,
and information leaks all cannot be ruled out.

CVE-2023-20588/XSA-439 (https://xenbits.xenproject.org/xsa/advisory-439.html):

An attacker might be able to infer data from a different execution
context on the same CPU core.

CVE-2023-34323/XSA-440 (https://xenbits.xenproject.org/xsa/advisory-440.html):

A malicious guest could craft a transaction that will hit the C
Xenstored bug and crash it. This will result to the inability to
perform any further domain administration like starting new guests,
or adding/removing resources to or from any existing guest.

CVE-2023-34324/XSA-441 (https://xenbits.xenproject.org/xsa/advisory-441.html):

A (malicious) guest administrator could cause a denial of service (DoS)
in a backend domain (other than dom0) by disabling a paravirtualized
device.

A malicious backend could cause DoS in a guest running a Linux kernel by
disabling a paravirtualized device.

CVE-2023-34326/XSA-442 (https://xenbits.xenproject.org/xsa/advisory-442.html):

Privilege escalation, Denial of Service (DoS) affecting the entire host,
and information leaks.

CVE-2023-34327/CVE-2023-34328/XSA-444 (https://xenbits.xenproject.org/xsa/advisory-444.html):

For CVE-2023-34327, any guest (PV or HVM) using Debug Masks normally for
it's own purposes can cause incorrect behaviour in an unrelated HVM
vCPU, most likely resulting in a guest crash.

For CVE-2023-34328, a buggy or malicious PV guest kernel can lock up the
host.

CVE-2023-34325/CVE-2022-4949/XSA-443 (https://xenbits.xenproject.org/xsa/advisory-443.html):

A guest using pygrub can escalate its privilege to that of the domain
construction tools (i.e., normally, to control of the host).

CVE-2023-46835/XSA-445 (https://xenbits.xenproject.org/xsa/advisory-445.html):

A device in quarantine mode can access data from previous quarantine
page table usages, possibly leaking data used by previous domains that
also had the device assigned.

CVE-2023-46836/XSA-446 (https://xenbits.xenproject.org/xsa/advisory-446.html):

An attacker in a PV guest might be able to infer the contents of memory
belonging to other guests.

Comment 2 Larry the Git Cow gentoo-dev

2024-01-09 08:53:38 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1da2b08b738151d1c02a097dbb56313d371dd9c7

commit 1da2b08b738151d1c02a097dbb56313d371dd9c7
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-01-08 16:35:11 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-01-09 08:52:43 +0000

    app-emulation/xen: add upstream patches
    
    Bug: https://bugs.gentoo.org/918669
    Bug: https://bugs.gentoo.org/921355
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/34713
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen/Manifest               |   2 +
 app-emulation/xen/xen-4.16.6_pre2.ebuild | 174 ++++++++++++++++++++++++++++++
 app-emulation/xen/xen-4.17.3.ebuild      | 179 +++++++++++++++++++++++++++++++
 3 files changed, 355 insertions(+)

Comment 3 Herman Gibbs 2024-08-13 02:40:30 UTC Comment hidden (spam)

(In reply to Christopher Fore from comment #0)
> CVE-2023-34325 (https://xenbits.xenproject.org/xsa/advisory-443.html):
> 
> ISSUE DESCRIPTION
> =================
> 
> libfsimage contains parsing code for several filesystems, most of them based
> on https://tinyfishing.world
> grub-legacy code.  libfsimage is used by pygrub to inspect guest disks.
> 
> Pygrub runs as the same user as the toolstack (root in a priviledged domain).
> 
> At least one issue has been reported to the Xen Security Team that allows an
> attacker to trigger a stack buffer overflow in libfsimage.  After further
> analisys the Xen Security Team is no longer confident in the suitability of
> libfsimage when run against guest controlled input with super user
> priviledges.
> 
> In order to not affect current deployments that rely on pygrub patches are
> provided in the resolution section of the advisory that allow running pygrub
> in
> deprivileged mode.
> 
> CVE-2023-4949 refers to the original issue in the upstream grub
> project ("An attacker with local access to a system (either through a
> disk or external drive) can present a modified XFS partition to
> grub-legacy in such a way to exploit a memory corruption in grub’s XFS
> file system implementation.")  CVE-2023-34325 refers specifically to
> the vulnerabilities in Xen's copy of libfsimage, which is decended
> from a very old version of grub.
> 
> IMPACT
> ======
> 
> A guest using pygrub can escalate its privilege to that of the domain
> construction tools (i.e., normally, to control of the host).
> 
> VULNERABLE SYSTEMS
> ==================
> 
> All Xen versions are affected.

Apply Patches:

Update libfsimage: Check for and apply any available patches that address these vulnerabilities. The Xen Security Team may have released specific patches to mitigate these issues.
Update Xen and GRUB: Ensure that both Xen and GRUB (if applicable) are updated to versions that resolve these vulnerabilities. This might include updating your Xen hypervisor to a version where libfsimage has been patched.
Run pygrub in Deprivileged Mode:

Configuration Change: Modify your configuration to run pygrub in a deprivileged mode if possible. This reduces the risk associated with having pygrub running with superuser privileges.
Monitor and Audit:

Security Monitoring: Keep an eye on security advisories and monitoring systems for any signs of exploitation attempts.
System Audits: Regularly audit your systems to ensure no unauthorized changes or access have occurred.
Mitigate Risks:

Limit Guest Access: Restrict access to guest systems and ensure that only trusted sources can interact with your virtualized environments.
Security Practices: Follow best practices for securing your virtualization environment, including applying principle of least privilege and regularly updating software.

Comment 4 Larry the Git Cow gentoo-dev

2024-09-22 06:42:11 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=ea0d6e72b1ba346264d25ab8bdd78f6551eaaadf

commit ea0d6e72b1ba346264d25ab8bdd78f6551eaaadf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 06:41:59 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 06:42:08 +0000

    [ GLSA 202409-10 ] Xen: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/918669
    Bug: https://bugs.gentoo.org/921355
    Bug: https://bugs.gentoo.org/923741
    Bug: https://bugs.gentoo.org/928620
    Bug: https://bugs.gentoo.org/929038
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-10.xml | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)