CVE-2023-34322

top-level shadow reference dropped too early for 64-bit PV guests

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

For migration as well as to work around kernels unaware of L1TF (see
XSA-273), PV guests may be run in shadow paging mode. Since Xen itself
needs to be mapped when PV guests run, Xen and shadowed PV guests run
directly the respective shadow page tables. For 64-bit PV guests this
means running on the shadow of the guest root page table.

In the course of dealing with shortage of memory in the shadow pool
associated with a domain, shadows of page tables may be torn down. This
tearing down may include the shadow root page table that the CPU in
question is presently running on. While a precaution exists to
supposedly prevent the tearing down of the underlying live page table,
the time window covered by that precaution isn't large enough.

Para la migración, así como para evitar kernels que no conocen L1TF (consulte XSA-273), los invitados PV pueden ejecutarse en modo de página oculta. Dado que el propio Xen debe mapearse cuando se ejecutan las maquinas PV de invitado, Xen y las shadowed PV de invitado ejecutan directamente las respectivas tablas de páginas ocultas. Para invitados PV de 64 bits, esto significa ejecutar en la shadow de la tabla de página raíz del invitado. Al tratar con la escasez de memoria en el shadow pool asociado con un dominio, es posible que se eliminen las tablas de páginas de shadows. Esta eliminación puede incluir la shadow de la tabla de página raíz en la que se está ejecutando actualmente la CPU en cuestión. Si bien existe una precaución para supuestamente evitar la eliminación de la tabla de las páginas activas subyacente, el período de tiempo cubierto por esa precaución no es lo suficientemente grande.

*Credits: This issue was discovered by Tim Deegan, and Jan Beulich of SUSE.

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-06-01 CVE Reserved
2024-01-05 CVE Published
2024-01-10 EPSS Updated
2024-08-27 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-273: Improper Check for Dropped Privileges

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://xenbits.xenproject.org/xsa/advisory-438.html	2024-01-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				>= 3.2.0 < 4.15.0 Search vendor "Xen" for product "Xen" and version " >= 3.2.0 < 4.15.0"		x86		Affected