cve-2022-23034
Vulnerability from cvelistv5
Published
2022-01-25 13:43
Modified
2024-08-03 03:28
Severity ?
EPSS score ?
Summary
A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@xen.org | http://www.openwall.com/lists/oss-security/2022/01/25/3 | Mailing List, Third Party Advisory | |
| security@xen.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/ | ||
| security@xen.org | https://security.gentoo.org/glsa/202208-23 | Third Party Advisory | |
| security@xen.org | https://www.debian.org/security/2022/dsa-5117 | Third Party Advisory | |
| security@xen.org | https://xenbits.xenproject.org/xsa/advisory-394.txt | Patch, Vendor Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:43.072Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-394.txt"
},
{
"name": "[oss-security] 20220125 Xen Security Advisory 394 v3 (CVE-2022-23034) - A PV guest could DoS Xen while unmapping a grant",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/3"
},
{
"name": "FEDORA-2022-0cc3916e08",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/"
},
{
"name": "DSA-5117",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5117"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-394"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Julien Grall of Amazon.\u0027}]}}}"
}
],
"descriptions": [
{
"lang": "en",
"value": "A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check."
}
],
"metrics": [
{
"other": {
"content": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "Malicious guest kernels may be able to mount a Denial of Service (DoS)\nattack affecting the entire system."
}
]
}
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "unknown",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-14T20:09:01",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-394.txt"
},
{
"name": "[oss-security] 20220125 Xen Security Advisory 394 v3 (CVE-2022-23034) - A PV guest could DoS Xen while unmapping a grant",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/3"
},
{
"name": "FEDORA-2022-0cc3916e08",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/"
},
{
"name": "DSA-5117",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5117"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@xen.org",
"ID": "CVE-2022-23034",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_affected": "?",
"version_value": "consult Xen advisory XSA-394"
}
]
}
}
]
},
"vendor_name": "Xen"
}
]
}
},
"configuration": {
"configuration_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "All Xen versions from at least 3.2 onwards are vulnerable in principle,\nif they have the XSA-380 fixes applied.\n\nOnly x86 systems are vulnerable. Arm systems are not vulnerable.\n\nOnly x86 PV guests with access to PCI devices can leverage the\nvulnerability. x86 HVM and PVH guests, as well as PV guests without\naccess to PCI devices, cannot leverage the vulnerability.\n\nAdditionally from Xen 4.13 onwards x86 PV guests can leverage this\nvulnerability only when being granted access to pages owned by another\ndomain."
}
]
}
}
},
"credit": {
"credit_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "This issue was discovered by Julien Grall of Amazon."
}
]
}
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check."
}
]
},
"impact": {
"impact_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "Malicious guest kernels may be able to mount a Denial of Service (DoS)\nattack affecting the entire system."
}
]
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "unknown"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://xenbits.xenproject.org/xsa/advisory-394.txt",
"refsource": "MISC",
"url": "https://xenbits.xenproject.org/xsa/advisory-394.txt"
},
{
"name": "[oss-security] 20220125 Xen Security Advisory 394 v3 (CVE-2022-23034) - A PV guest could DoS Xen while unmapping a grant",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/3"
},
{
"name": "FEDORA-2022-0cc3916e08",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/"
},
{
"name": "DSA-5117",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5117"
},
{
"name": "GLSA-202208-23",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-23"
}
]
},
"workaround": {
"workaround_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "Not running PV guests will avoid the vulnerability.\n\nFor Xen 4.12 and older not passing through PCI devices to PV guests will\navoid the vulnerability.\n\nFor Xen 4.13 and newer not enabling PCI device pass-through for PV\nguests will avoid the vulnerability. This can be achieved via omitting\nany \"passthrough=...\" and \"pci=...\" settings from xl guest configuration\nfiles, or by setting \"passthrough=disabled\" there.\n\n- From Xen 4.13 onwards, XSM SILO can be available as a security policy\ndesigned to permit guests to only be able to communicate with Dom0.\nDom0 does not normally offer its pages for guests to map, which means\nthe use of SILO mode normally mitigates the vulnerability."
}
]
}
}
}
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2022-23034",
"datePublished": "2022-01-25T13:43:08",
"dateReserved": "2022-01-10T00:00:00",
"dateUpdated": "2024-08-03T03:28:43.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-23034\",\"sourceIdentifier\":\"security@xen.org\",\"published\":\"2022-01-25T14:15:09.010\",\"lastModified\":\"2023-11-07T03:44:01.683\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check.\"},{\"lang\":\"es\",\"value\":\"Un hu\u00e9sped PV podr\u00eda hacer DoS a Xen mientras desmapea una concesi\u00f3n Para abordar XSA-380, fue introducido el recuento de referencias para las asignaciones de concesi\u00f3n para el caso en que un hu\u00e9sped PV tuviera el IOMMU habilitado. Los hu\u00e9spedes PV pueden solicitar dos formas de mapeo. Cuando ambas est\u00e1n usadas para cualquier mapeo individual, el desmapeo de tal mapeo puede ser solicitado en dos pasos. El conteo de referencia para tal mapeo ser\u00eda entonces err\u00f3neamente decrementado dos veces. Se detecta un desbordamiento de los contadores, resultando en el desencadenamiento de una comprobaci\u00f3n de errores del hipervisor\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:N/I:N/A:P\",\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":2.1},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-191\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*\",\"versionStartIncluding\":\"3.2.0\",\"versionEndExcluding\":\"4.13.0\",\"matchCriteriaId\":\"79DBA39F-1E66-4962-98C5-18B48C2F6E41\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/01/25/3\",\"source\":\"security@xen.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/\",\"source\":\"security@xen.org\"},{\"url\":\"https://security.gentoo.org/glsa/202208-23\",\"source\":\"security@xen.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2022/dsa-5117\",\"source\":\"security@xen.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://xenbits.xenproject.org/xsa/advisory-394.txt\",\"source\":\"security@xen.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.