SB2023111714 - SUSE update for xen

Description

This security bulletin contains information about 8 secuirty vulnerabilities.

1) Division by zero (CVE-ID: CVE-2023-20588)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a divide by zero error that can return speculative data. A local user can gain access to potentially sensitive information.

2) Resource management error (CVE-ID: CVE-2023-34322)

The vulnerability allows a malicious guest to escalate privileges on the system.

The vulnerability exists due to improper management of internal resources when running PV guests in shadow paging mode. A malicious guest can run a specially crafted application on the system that causes shortage of memory in the associated with the domain shadow pool and forces Xen to tear down page tables. This can result in memory leak, denial of service or privilege escalation.

The vulnerability can be exploited by 64-bit PV guests on x86 systems.

3) Stack-based buffer overflow (CVE-ID: CVE-2023-34325)

The vulnerability allows a remote guest to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in libfsimage. A remote guest can use pygrab to trigger stack-based buffer overflow and execute arbitrary code on the host system.

4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-34326)

The vulnerability allows a remote guest to escalate privileges on the system.

The vulnerability exists due to missing IOMMU TLB flushing on x86/AMD systems. A malicious guest can access memory not owned by the guest and escalate privileges on the system.

5) State Issues (CVE-ID: CVE-2023-34327)

The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of guest state when using Debug Masks in HVM vCPU. A malicious guest can perform a denial of service (DoS) attack against the guest OS.

6) State Issues (CVE-ID: CVE-2023-34328)

The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of guest state in PV vCPU. A malicious guest place a breakpoint over the live GDT and perform a denial of service (DoS) attack against the host.

7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-46835)

The vulnerability allows a remote guest to gain access to sensitive information.

The vulnerability exists due to improperly imposed security restrictions caused by a mismatch in IOMMU quarantine page table levels. A device in quarantine mode can access data from previous quarantine page table usages, possibly leaking data used by previous domains that also had the device assigned.

8) Security features bypass (CVE-ID: CVE-2023-46836)

The vulnerability allows a remote guest to bypass implemented security restrictions.

The vulnerability exists due to improper implementation of mitigations against BTC/SRSO. A malicious guest can bypass BTC/SRSO protections and launch a BTC/SRSO attack against Xen, which can result in memory access to other guests.

Remediation

Install update from vendor's website.

References

• https://www.suse.com/support/update/announcement/2023/suse-su-20234475-1/