certfr_avis - CERTFR-2023-AVI-1016

CERTFR-2023-AVI-1016

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte Xen. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
XEN	Xen	Xen 4.17.x versions sans le dernier correctif de sécurité pour systèmes 32 bits
XEN	Xen	Xen 4.16.x versions sans le dernier correctif de sécurité pour systèmes 32 bits
XEN	Xen	Xen 4.15.x versions sans le dernier correctif de sécurité pour systèmes 32 bits

References

Title

Publication Time

CVE-2023-46837 (GCVE-0-2023-46837)

Vulnerability from cvelistv5 – Published: 2024-01-05 16:36 – Updated: 2025-11-04 18:18

Summary

Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory. This undefined behavior was meant to be addressed by XSA-437, but the approach was not sufficient.

Severity ?

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Assigner

XEN

References

URL

Tags

	https://xenbits.xenproject.org/xsa/advisory-447.html
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…

Impacted products

	Vendor	Product	Version
	Xen	Xen	Unknown: consult Xen advisory XSA-447

Credits

This issue was discovered by Michal Orzel from AMD.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T18:18:50.284Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://xenbits.xenproject.org/xsa/advisory-447.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XLL6SQ6IKFYXLYWITYZCRV5IBRK5G35R/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFVKWYQFRUU3CAS53THTUKXEOUDWI42G/"
          },
          {
            "url": "http://xenbits.xen.org/xsa/advisory-447.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 3.3,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-46837",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-01T20:11:12.746031Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-119",
                "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-16T19:35:47.025Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-447"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Systems running all version of Xen are affected.\n\nOnly systems running Xen on Arm 32-bit are vulnerable.  Xen on Arm 64-bit\nis not affected."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by Michal Orzel from AMD."
        }
      ],
      "datePublic": "2023-12-12T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Arm provides multiple helpers to clean \u0026 invalidate the cache\nfor a given region.  This is, for instance, used when allocating\nguest memory to ensure any writes (such as the ones during scrubbing)\nhave reached memory before handing over the page to a guest.\n\nUnfortunately, the arithmetics in the helpers can overflow and would\nthen result to skip the cache cleaning/invalidation.  Therefore there\nis no guarantee when all the writes will reach the memory.\n\nThis undefined behavior was meant to be addressed by XSA-437, but the\napproach was not sufficient."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "A malicious guest may be able to read sensitive data from memory that\npreviously belonged to another guest."
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-15T02:05:59.441Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-447.html"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XLL6SQ6IKFYXLYWITYZCRV5IBRK5G35R/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFVKWYQFRUU3CAS53THTUKXEOUDWI42G/"
        }
      ],
      "title": "arm32: The cache may not be properly cleaned/invalidated (take two)",
      "workarounds": [
        {
          "lang": "en",
          "value": "There is no known mitigation."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2023-46837",
    "datePublished": "2024-01-05T16:36:10.881Z",
    "dateReserved": "2023-10-27T07:55:35.332Z",
    "dateUpdated": "2025-11-04T18:18:50.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted