CVE-2022-23033

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes.

arm: la función guest_physmap_remove_page no elimina los mapeos p2m Las funciones para eliminar una o más entradas de una tabla de páginas p2m de huésped en Arm (p2m_remove_mapping, guest_physmap_remove_page y p2m_set_entry con mfn establecido como INVALID_MFN) no borran realmente la entrada de la tabla de páginas si la entrada no presenta el bit válido establecido. Es posible tener una entrada válida en la tabla de páginas sin el bit válido establecido cuando un sistema operativo huésped usa instrucciones de mantenimiento de caché set/way. Por ejemplo, un huésped que emite una instrucción de mantenimiento de caché set/way, y luego llama a la hiperllamada XENMEM_decrease_reservation para devolver páginas de memoria a Xen, podría ser capaz de retener el acceso a esas páginas incluso después de que Xen empezara a reusarlas para otros propósitos

*Credits: This issue was discovered by Dmytro Firsov of EPAM.

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-10 CVE Reserved
2022-01-25 CVE Published
2023-05-02 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-404: Improper Resource Shutdown or Release

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2022/01/25/2	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3	2023-11-07
https://security.gentoo.org/glsa/202208-23	2023-11-07
https://www.debian.org/security/2022/dsa-5117	2023-11-07
https://xenbits.xenproject.org/xsa/advisory-393.txt	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				>= 4.12.0 Search vendor "Xen" for product "Xen" and version " >= 4.12.0"		arm		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected