CVE-2022-23033
Vulnerability from cvelistv5
Published
2022-01-25 13:36
Modified
2024-08-03 03:28
Severity ?
EPSS score ?
Summary
arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@xen.org | http://www.openwall.com/lists/oss-security/2022/01/25/2 | Mailing List, Patch, Third Party Advisory | |
| security@xen.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/ | ||
| security@xen.org | https://security.gentoo.org/glsa/202208-23 | Third Party Advisory | |
| security@xen.org | https://www.debian.org/security/2022/dsa-5117 | Third Party Advisory | |
| security@xen.org | https://xenbits.xenproject.org/xsa/advisory-393.txt | Vendor Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:42.940Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-393.txt"
},
{
"name": "[oss-security] 20220125 Xen Security Advisory 393 v2 (CVE-2022-23033) - arm: guest_physmap_remove_page not removing the p2m mappings",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/2"
},
{
"name": "FEDORA-2022-0cc3916e08",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/"
},
{
"name": "DSA-5117",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5117"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-393"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Dmytro Firsov of EPAM.\u0027}]}}}"
}
],
"descriptions": [
{
"lang": "en",
"value": "arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn\u0027t have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes."
}
],
"metrics": [
{
"other": {
"content": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "A malicious guest may be able to access Xen and other domains\u0027 memory.\nThis could cause information leaks, host or domain Denial of Service\n(DoS), and privilege escalations."
}
]
}
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "unknown",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-14T20:08:37",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-393.txt"
},
{
"name": "[oss-security] 20220125 Xen Security Advisory 393 v2 (CVE-2022-23033) - arm: guest_physmap_remove_page not removing the p2m mappings",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/2"
},
{
"name": "FEDORA-2022-0cc3916e08",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/"
},
{
"name": "DSA-5117",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5117"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@xen.org",
"ID": "CVE-2022-23033",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_affected": "?",
"version_value": "consult Xen advisory XSA-393"
}
]
}
}
]
},
"vendor_name": "Xen"
}
]
}
},
"configuration": {
"configuration_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "Xen version 4.12 and newer are vulnerable. Only Arm systems are\nvulnerable.\n\nx86 systems are not vulnerable."
}
]
}
}
},
"credit": {
"credit_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "This issue was discovered by Dmytro Firsov of EPAM."
}
]
}
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn\u0027t have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes."
}
]
},
"impact": {
"impact_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "A malicious guest may be able to access Xen and other domains\u0027 memory.\nThis could cause information leaks, host or domain Denial of Service\n(DoS), and privilege escalations."
}
]
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "unknown"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://xenbits.xenproject.org/xsa/advisory-393.txt",
"refsource": "MISC",
"url": "https://xenbits.xenproject.org/xsa/advisory-393.txt"
},
{
"name": "[oss-security] 20220125 Xen Security Advisory 393 v2 (CVE-2022-23033) - arm: guest_physmap_remove_page not removing the p2m mappings",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/2"
},
{
"name": "FEDORA-2022-0cc3916e08",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/"
},
{
"name": "DSA-5117",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5117"
},
{
"name": "GLSA-202208-23",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-23"
}
]
},
"workaround": {
"workaround_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is no known mitigation."
}
]
}
}
}
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2022-23033",
"datePublished": "2022-01-25T13:36:25",
"dateReserved": "2022-01-10T00:00:00",
"dateUpdated": "2024-08-03T03:28:42.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-23033\",\"sourceIdentifier\":\"security@xen.org\",\"published\":\"2022-01-25T14:15:08.967\",\"lastModified\":\"2023-11-07T03:44:01.610\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn\u0027t have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes.\"},{\"lang\":\"es\",\"value\":\"arm: la funci\u00f3n guest_physmap_remove_page no elimina los mapeos p2m Las funciones para eliminar una o m\u00e1s entradas de una tabla de p\u00e1ginas p2m de hu\u00e9sped en Arm (p2m_remove_mapping, guest_physmap_remove_page y p2m_set_entry con mfn establecido como INVALID_MFN) no borran realmente la entrada de la tabla de p\u00e1ginas si la entrada no presenta el bit v\u00e1lido establecido. Es posible tener una entrada v\u00e1lida en la tabla de p\u00e1ginas sin el bit v\u00e1lido establecido cuando un sistema operativo hu\u00e9sped usa instrucciones de mantenimiento de cach\u00e9 set/way. Por ejemplo, un hu\u00e9sped que emite una instrucci\u00f3n de mantenimiento de cach\u00e9 set/way, y luego llama a la hiperllamada XENMEM_decrease_reservation para devolver p\u00e1ginas de memoria a Xen, podr\u00eda ser capaz de retener el acceso a esas p\u00e1ginas incluso despu\u00e9s de que Xen empezara a reusarlas para otros prop\u00f3sitos\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":4.6},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-404\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:xen:xen:*:*:*:*:*:*:arm:*\",\"versionStartIncluding\":\"4.12.0\",\"matchCriteriaId\":\"396875EE-05D8-4BD5-B345-9E6FB343C02B\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/01/25/2\",\"source\":\"security@xen.org\",\"tags\":[\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/\",\"source\":\"security@xen.org\"},{\"url\":\"https://security.gentoo.org/glsa/202208-23\",\"source\":\"security@xen.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2022/dsa-5117\",\"source\":\"security@xen.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://xenbits.xenproject.org/xsa/advisory-393.txt\",\"source\":\"security@xen.org\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.