CVE-2023-34327 (GCVE-0-2023-34327)
Vulnerability from cvelistv5
Published
2024-01-05 16:34
Modified
2024-08-02 16:10
Severity ?
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely.
References
security@xen.orghttps://xenbits.xenproject.org/xsa/advisory-444.htmlPatch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://xenbits.xenproject.org/xsa/advisory-444.htmlPatch, Vendor Advisory
Impacted products
Vendor Product Version
Xen Xen Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T16:10:06.637Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://xenbits.xenproject.org/xsa/advisory-444.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unknown",
               product: "Xen",
               vendor: "Xen",
               versions: [
                  {
                     status: "unknown",
                     version: "consult Xen advisory XSA-444",
                  },
               ],
            },
         ],
         configurations: [
            {
               lang: "en",
               value: "Only AMD/Hygon hardware supporting the DBEXT feature are vulnerable.\nThis is believed to be the Steamroller microarchitecture and later.\n\nFor CVE-2023-34327, Xen versions 4.5 and later are vulnerable.\n\nFor CVE-2023-34328, Xen version between 4.5 and 4.13 are vulnerable.\nThe issue is benign in Xen 4.14 and later owing to an unrelated change.\n",
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               value: "This issue was discovered by Andrew Cooper of XenServer.\n",
            },
         ],
         datePublic: "2023-10-10T12:00:00Z",
         descriptions: [
            {
               lang: "en",
               value: "\n[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nAMD CPUs since ~2014 have extensions to normal x86 debugging functionality.\nXen supports guests using these extensions.\n\nUnfortunately there are errors in Xen's handling of the guest state, leading\nto denials of service.\n\n 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of\n    a previous vCPUs debug mask state.\n\n 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.\n    This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock\n    up the CPU entirely.\n",
            },
         ],
         impacts: [
            {
               descriptions: [
                  {
                     lang: "en",
                     value: "For CVE-2023-34327, any guest (PV or HVM) using Debug Masks normally for\nit's own purposes can cause incorrect behaviour in an unrelated HVM\nvCPU, most likely resulting in a guest crash.\n\nFor CVE-2023-34328, a buggy or malicious PV guest kernel can lock up the\nhost.\n",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-05T16:34:10.958Z",
            orgId: "23aa2041-22e1-471f-9209-9b7396fa234f",
            shortName: "XEN",
         },
         references: [
            {
               url: "https://xenbits.xenproject.org/xsa/advisory-444.html",
            },
         ],
         title: "x86/AMD: Debug Mask handling",
         workarounds: [
            {
               lang: "en",
               value: "For CVE-2023-34327, HVM VMs which can see the DBEXT feature are not\nsusceptible to running in the wrong state.  By default, VMs will see the\nDBEXT feature on capable hardware, and when not explicitly levelled for\nmigration compatibility.\n\nFor CVE-2023-34328, PV VMs which cannot see the DBEXT feature cannot\nleverage the vulnerability.\n",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "23aa2041-22e1-471f-9209-9b7396fa234f",
      assignerShortName: "XEN",
      cveId: "CVE-2023-34327",
      datePublished: "2024-01-05T16:34:10.958Z",
      dateReserved: "2023-06-01T10:44:17.066Z",
      dateUpdated: "2024-08-02T16:10:06.637Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.5.0\", \"matchCriteriaId\": \"1EB1D53B-D24B-44D3-BB44-3734EF08801F\"}]}]}]",
         descriptions: "[{\"lang\": \"en\", \"value\": \"\\n[This CNA information record relates to multiple CVEs; the\\ntext explains which aspects/vulnerabilities correspond to which CVE.]\\n\\nAMD CPUs since ~2014 have extensions to normal x86 debugging functionality.\\nXen supports guests using these extensions.\\n\\nUnfortunately there are errors in Xen's handling of the guest state, leading\\nto denials of service.\\n\\n 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of\\n    a previous vCPUs debug mask state.\\n\\n 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.\\n    This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock\\n    up the CPU entirely.\\n\"}, {\"lang\": \"es\", \"value\": \"[Este registro de informaci\\u00f3n de la CNA se relaciona con m\\u00faltiples CVE; el texto explica qu\\u00e9 aspectos/vulnerabilidades corresponden a cada CVE.] Las CPU AMD desde ~2014 tienen extensiones a la funcionalidad de depuraci\\u00f3n x86 normal. Xen admite invitados que utilizan estas extensiones. Desafortunadamente, hay errores en el manejo del estado invitado por parte de Xen, lo que lleva a denegaciones de servicio. 1) CVE-2023-34327: una vCPU HVM puede terminar funcionando en el contexto de un estado de m\\u00e1scara de depuraci\\u00f3n de vCPU anterior. 2) CVE-2023-34328: una vCPU PV puede colocar un punto de interrupci\\u00f3n sobre la GDT en vivo. Esto permite que PV vCPU aproveche XSA-156/CVE-2015-8104 y bloquee la CPU por completo.\"}]",
         id: "CVE-2023-34327",
         lastModified: "2024-11-21T08:07:01.247",
         metrics: "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
         published: "2024-01-05T17:15:08.683",
         references: "[{\"url\": \"https://xenbits.xenproject.org/xsa/advisory-444.html\", \"source\": \"security@xen.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://xenbits.xenproject.org/xsa/advisory-444.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]",
         sourceIdentifier: "security@xen.org",
         vulnStatus: "Modified",
         weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]",
      },
      nvd: "{\"cve\":{\"id\":\"CVE-2023-34327\",\"sourceIdentifier\":\"security@xen.org\",\"published\":\"2024-01-05T17:15:08.683\",\"lastModified\":\"2024-11-21T08:07:01.247\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\n[This CNA information record relates to multiple CVEs; the\\ntext explains which aspects/vulnerabilities correspond to which CVE.]\\n\\nAMD CPUs since ~2014 have extensions to normal x86 debugging functionality.\\nXen supports guests using these extensions.\\n\\nUnfortunately there are errors in Xen's handling of the guest state, leading\\nto denials of service.\\n\\n 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of\\n    a previous vCPUs debug mask state.\\n\\n 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.\\n    This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock\\n    up the CPU entirely.\\n\"},{\"lang\":\"es\",\"value\":\"[Este registro de información de la CNA se relaciona con múltiples CVE; el texto explica qué aspectos/vulnerabilidades corresponden a cada CVE.] Las CPU AMD desde ~2014 tienen extensiones a la funcionalidad de depuración x86 normal. Xen admite invitados que utilizan estas extensiones. Desafortunadamente, hay errores en el manejo del estado invitado por parte de Xen, lo que lleva a denegaciones de servicio. 1) CVE-2023-34327: una vCPU HVM puede terminar funcionando en el contexto de un estado de máscara de depuración de vCPU anterior. 2) CVE-2023-34328: una vCPU PV puede colocar un punto de interrupción sobre la GDT en vivo. Esto permite que PV vCPU aproveche XSA-156/CVE-2015-8104 y bloquee la CPU por completo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.5.0\",\"matchCriteriaId\":\"1EB1D53B-D24B-44D3-BB44-3734EF08801F\"}]}]}],\"references\":[{\"url\":\"https://xenbits.xenproject.org/xsa/advisory-444.html\",\"source\":\"security@xen.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://xenbits.xenproject.org/xsa/advisory-444.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.