Information

Files

Advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2023-34323 / XSA-440
                               version 4

        xenstored: A transaction conflict can crash C Xenstored

UPDATES IN VERSION 4
====================

Normalize version tags

ISSUE DESCRIPTION
=================

When a transaction is committed, C Xenstored will first check
the quota is correct before attempting to commit any nodes.  It would
be possible that accounting is temporarily negative if a node has
been removed outside of the transaction.

Unfortunately, some versions of C Xenstored are assuming that the
quota cannot be negative and are using assert() to confirm it.  This
will lead to C Xenstored crash when tools are built without -DNDEBUG
(this is the default).

IMPACT
======

A malicious guest could craft a transaction that will hit the C
Xenstored bug and crash it.  This will result to the inability to
perform any further domain administration like starting new guests,
or adding/removing resources to or from any existing guest.

VULNERABLE SYSTEMS
==================

All versions of Xen up to and including 4.17 are vulnerable if XSA-326
was ingested.

All Xen systems using C Xenstored are vulnerable.  C Xenstored built
using -DNDEBUG (can be specified via EXTRA_CFLAGS_XEN_TOOLS=-DNDEBUG)
are not vulnerable.  Systems using the OCaml variant of Xenstored are
not vulnerable.

MITIGATION
==========

The problem can be avoided by using OCaml Xenstored variant.

CREDITS
=======

This issue was discovered by Stanislav Uschakow and Julien Grall, all
from Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa440-4.17.patch      Xen 4.17.x - Xen 4.15.x

$ sha256sum xsa440*
187b7edef4f509f3d7ec1662901fa638a900ab4213447438171fb2935f387014  xsa440.meta
431dab53baf2b57a299d1a151b330b62d9a007715d700e8515db71ff813d0037  xsa440-4.17.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b/wMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZGWQIAJ3UDtve8zZyOlqG9fpIMr67TTq0ZjHpyaY+qoYx
PKtL/OoTyD/gQP0EIoyISvmwCfDIajkUNX6y/C9QnUPp42fZN+RXzDmK/ceTMonm
iuNv+Awqz7clBgjH/zrwR9oaYaPFCNoBfDFOc6Gb7rKYIOMVruMt/Wqsg3silxxX
Kscy5v+V5uGmrV9PKBKq6hVLNfkbYB/mw1krD1mUNZGnAxX0gyCTu1UHVonw4LcS
i7HtASqrJLwLV3y4vjNJdWPBzi9xNDqWwVKkMWqnOq8baeSDISnyK4LZGy8Q6hs6
5XIDjWx9/chWbp6VJQJa3tVAYyOnYzR6P2XqtcUd9YVD3/w=
=uHSW
-----END PGP SIGNATURE-----