CVE-2023-34328 - OpenCVE

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Xen	Xen

Configuration 1 [-]

cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*

References

Link	Resource
https://xenbits.xenproject.org/xsa/advisory-444.html	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: XEN

Published: 2024-01-05T16:34:11.100Z

Updated: 2024-01-05T16:34:11.100Z

Reserved: 2023-06-01T10:44:17.066Z

Link: CVE-2023-34328

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-01-05T17:15:08.730

Modified: 2024-01-11T15:56:17.957

Link: CVE-2023-34328

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-34328", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "state": "PUBLISHED", "assignerShortName": "XEN", "dateReserved": "2023-06-01T10:44:17.066Z", "datePublished": "2024-01-05T16:34:11.100Z", "dateUpdated": "2024-01-05T16:34:11.100Z"}, "containers": {"cna": {"title": "x86/AMD: Debug Mask handling", "datePublic": "2023-10-10T12:00:00Z", "descriptions": [{"lang": "en", "value": "\n[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nAMD CPUs since ~2014 have extensions to normal x86 debugging functionality.\nXen supports guests using these extensions.\n\nUnfortunately there are errors in Xen's handling of the guest state, leading\nto denials of service.\n\n 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of\n a previous vCPUs debug mask state.\n\n 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.\n This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock\n up the CPU entirely.\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "For CVE-2023-34327, any guest (PV or HVM) using Debug Masks normally for\nit's own purposes can cause incorrect behaviour in an unrelated HVM\nvCPU, most likely resulting in a guest crash.\n\nFor CVE-2023-34328, a buggy or malicious PV guest kernel can lock up the\nhost.\n"}]}], "affected": [{"defaultStatus": "unknown", "product": "Xen", "vendor": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-444"}]}], "configurations": [{"lang": "en", "value": "Only AMD/Hygon hardware supporting the DBEXT feature are vulnerable.\nThis is believed to be the Steamroller microarchitecture and later.\n\nFor CVE-2023-34327, Xen versions 4.5 and later are vulnerable.\n\nFor CVE-2023-34328, Xen version between 4.5 and 4.13 are vulnerable.\nThe issue is benign in Xen 4.14 and later owing to an unrelated change.\n"}], "workarounds": [{"lang": "en", "value": "For CVE-2023-34327, HVM VMs which can see the DBEXT feature are not\nsusceptible to running in the wrong state. By default, VMs will see the\nDBEXT feature on capable hardware, and when not explicitly levelled for\nmigration compatibility.\n\nFor CVE-2023-34328, PV VMs which cannot see the DBEXT feature cannot\nleverage the vulnerability.\n"}], "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Andrew Cooper of XenServer.\n"}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-444.html"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-01-05T16:34:11.100Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*", "matchCriteriaId": "853DC15E-4B7F-40A1-8932-7FE496D93D82", "versionEndExcluding": "4.14.0", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\n[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nAMD CPUs since ~2014 have extensions to normal x86 debugging functionality.\nXen supports guests using these extensions.\n\nUnfortunately there are errors in Xen's handling of the guest state, leading\nto denials of service.\n\n 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of\n a previous vCPUs debug mask state.\n\n 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.\n This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock\n up the CPU entirely.\n"}, {"lang": "es", "value": "[Este registro de informaci\u00f3n de la CNA se relaciona con m\u00faltiples CVE; el texto explica qu\u00e9 aspectos/vulnerabilidades corresponden a cada CVE.] Las CPU AMD desde ~2014 tienen extensiones a la funcionalidad de depuraci\u00f3n x86 normal. Xen admite invitados que utilizan estas extensiones. Desafortunadamente, hay errores en el manejo del estado invitado por parte de Xen, lo que lleva a denegaciones de servicio. 1) CVE-2023-34327: una vCPU HVM puede terminar funcionando en el contexto de un estado de m\u00e1scara de depuraci\u00f3n de vCPU anterior. 2) CVE-2023-34328: una vCPU PV puede colocar un punto de interrupci\u00f3n sobre la GDT en vivo. Esto permite que PV vCPU aproveche XSA-156/CVE-2015-8104 y bloquee la CPU por completo."}], "id": "CVE-2023-34328", "lastModified": "2024-01-11T15:56:17.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-05T17:15:08.730", "references": [{"source": "security@xen.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-444.html"}], "sourceIdentifier": "security@xen.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}