Xen: Security Vulnerabilities
The caching invalidation guidelines from the AMD-Vi specification (48882—Rev
3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction
(see stale DMA mappings) if some fields of the DTE are updated but the IOMMU
TLB is not flushed.
Such stale DMA mappings can point to memory ranges not owned by the guest, thus
allowing access to unindented memory regions.
CVSS Score
7.8
EPSS Score
0.001
Published
2024-01-05
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
AMD CPUs since ~2014 have extensions to normal x86 debugging functionality.
Xen supports guests using these extensions.
Unfortunately there are errors in Xen's handling of the guest state, leading
to denials of service.
1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of
a previous vCPUs debug mask state.
2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.
This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock
up the CPU entirely.
CVSS Score
5.5
EPSS Score
0.001
Published
2024-01-05
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
AMD CPUs since ~2014 have extensions to normal x86 debugging functionality.
Xen supports guests using these extensions.
Unfortunately there are errors in Xen's handling of the guest state, leading
to denials of service.
1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of
a previous vCPUs debug mask state.
2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.
This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock
up the CPU entirely.
CVSS Score
5.5
EPSS Score
0.001
Published
2024-01-05
Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412
where software, under certain circumstances, could deadlock a core
due to the execution of either a load to device or non-cacheable memory,
and either a store exclusive or register read of the Physical
Address Register (PAR_EL1) in close proximity.
CVSS Score
5.5
EPSS Score
0.0
Published
2023-12-08
An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub’s XFS file system implementation.
CVSS Score
8.1
EPSS Score
0.0
Published
2023-11-10
The fix for XSA-423 added logic to Linux'es netback driver to deal with
a frontend splitting a packet in a way such that not all of the headers
would come in one piece. Unfortunately the logic introduced there
didn't account for the extreme case of the entire packet being split
into as many pieces as permitted by the protocol, yet still being
smaller than the area that's specially dealt with to keep all (possible)
headers together. Such an unusual packet would therefore trigger a
buffer overrun in the driver.
CVSS Score
7.8
EPSS Score
0.0
Published
2023-09-22
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVSS Score
6.5
EPSS Score
0.004
Published
2023-08-11
A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.
CVSS Score
5.5
EPSS Score
0.04
Published
2023-08-08
An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
CVSS Score
5.5
EPSS Score
0.063
Published
2023-07-24
The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload' function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers with Contributor+ level privileges to upload arbitrary files on the affected sites server which makes remote code execution possible.
CVSS Score
8.8
EPSS Score
0.049
Published
2023-06-07