Debian Xen vulnerabilities

478 known vulnerabilities affecting debian/xen.

Total CVEs: 478
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 138, MEDIUM 226, LOW 96

Vulnerabilities

Page 2 of 24
CVE-2024-28956 | MEDIUM | CVSS 5.7 | fixed in intel-microcode 3.20250512.1~deb12u1 (bookworm) | 2024
intel-microcode: Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. Scope: local. bookworm: resolved (fixed in 3.20250512.1~deb12u1); bullseye: resolved (fixed in 3.20250512.1~deb11u1); forky: resolved (f
debian
CVE-2024-2201 | MEDIUM | CVSS 4.7 | fixed in linux 6.1.85-1 (bookworm) | 2024
linux: A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems. Scope: local. bookworm: resolved (fixed in 6.1.85-1); bullseye: open; forky: resolved (fixed in 6.8.9-1); sid: resolved (fixed in 6.8.9-1); trixie: resolved (fixed in 6.8.9-1)
debian
CVE-2024-36357 | MEDIUM | CVSS 5.6 | fixed in amd64-microcode 3.20251202.1 (forky) | 2024
amd64-microcode: A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries. Scope: local. bookworm: open; bullseye: open; forky: resolved (fixed in 3.20251202.1); sid: resolved (fixed in 3.20251202.1); trixie: open
debian
CVE-2024-2193 | MEDIUM | CVSS 5.7 | fixed in xen 4.17.5+23-ga4e5191dc0-1 (bookworm) | 2024
linux: A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths. Scope: local. bookworm: open; bullseye
debian
CVE-2024-45818 | MEDIUM | CVSS 6.5 | fixed in xen 4.17.5+23-ga4e5191dc0-1 (bookworm) | 2024
xen: The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the (virtual) VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a problem when emulating an instruction with two memory accesses, both of which touch VGA memo
debian
CVE-2024-45819 | MEDIUM | CVSS 5.5 | fixed in xen 4.17.5+23-ga4e5191dc0-1 (bookworm) | 2024
xen: PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is left with its prior contents. Scope: local. bookworm: resolved (fixed in 4.17.5+23-ga4e5191d
debian
CVE-2023-34328 | CRITICAL | CVSS 10.0 | fixed in xen 4.17.2+76-ge1f9cb16e2-1~deb12u1 (bookworm) | 2023
xen: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 -
debian
CVE-2023-34327 | CRITICAL | CVSS 10.0 | fixed in xen 4.17.2+76-ge1f9cb16e2-1~deb12u1 (bookworm) | 2023
xen: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 -
debian
CVE-2023-34326 | HIGH | CVSS 7.8 | fixed in xen 4.17.2+76-ge1f9cb16e2-1~deb12u1 (bookworm) | 2023
xen: The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unintended memory reg
debian
CVE-2023-34322 | HIGH | CVSS 7.8 | fixed in xen 4.17.2+76-ge1f9cb16e2-1~deb12u1 (bookworm) | 2023
xen: For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. Since Xen itself needs to be mapped when PV guests run, Xen and shadowed PV guests run directly the respective shadow page tables. For 64-bit PV guests this means running on the shadow of the guest root page table. In the course of dealing with shor
debian
CVE-2023-34325 | HIGH | CVSS 7.8 | fixed in xen 4.17.2+76-ge1f9cb16e2-1~deb12u1 (bookworm) | 2023
xen: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the same user as the toolstack (root in a privileged domain). At least one i
debian
CVE-2023-20588 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.52-1 (bookworm) | 2023
linux: A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality. Scope: local. bookworm: resolved (fixed in 6.1.52-1); bullseye: resolved (fixed in 5.10.197-1); forky: resolved (fixed in 6.4.13-1); sid: resolved (fixed in 6.4.13-1); trixie: resolved (fixed in 6.4.13-1)
debian
CVE-2023-46840 | MEDIUM | CVSS 4.1 | fixed in xen 4.17.3+10-g091466ba55-1~deb12u1 (bookworm) | 2023
xen: Incorrect placement of a preprocessor directive in source code results in logic that doesn't operate as intended when support for HVM guests is compiled out of Xen. Scope: local. bookworm: resolved (fixed in 4.17.3+10-g091466ba55-1~deb12u1); bullseye: resolved; forky: resolved (fixed in 4.17.3+10-g091466ba55-1); sid: resolved (fixed in 4.17.3+10-g091466ba55-1); trixie: res
debian
CVE-2023-46839 | MEDIUM | CVSS 5.3 | fixed in xen 4.17.3+10-g091466ba55-1~deb12u1 (bookworm) | 2023
xen: PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions need an IOMMU context setup, but failure to setup the context is not fatal when the device is
debian
CVE-2023-28746 | MEDIUM | CVSS 6.5 | fixed in intel-microcode 3.20240312.1~deb12u1 (bookworm) | 2023
intel-microcode: Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. Scope: local. bookworm: resolved (fixed in 3.20240312.1~deb12u1); bullseye: resolved (fixed in 3.20240312.1~deb11u1); forky:
debian
CVE-2023-46842 | MEDIUM | CVSS 6.5 | fixed in xen 4.17.5+23-ga4e5191dc0-1 (bookworm) | 2023
xen: Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercal
debian
CVE-2023-46835 | MEDIUM | CVSS 5.5 | fixed in xen 4.17.2+76-ge1f9cb16e2-1~deb12u1 (bookworm) | 2023
xen: The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the
debian
CVE-2023-46841 | MEDIUM | CVSS 6.5 | fixed in xen 4.17.5+23-ga4e5191dc0-1 (bookworm) | 2023
xen: Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more tha
debian
CVE-2023-34323 | MEDIUM | CVSS 5.5 | fixed in xen 4.17.2+76-ge1f9cb16e2-1~deb12u1 (bookworm) | 2023
xen: When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that the quota cannot be negative and are using assert() to confirm it. Thi
debian
CVE-2023-34320 | MEDIUM | CVSS 5.5 | fixed in xen 4.17.2+76-ge1f9cb16e2-1~deb12u1 (bookworm) | 2023
xen: Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Register (PAR_EL1) in close proximity. Scope: local. bookworm: resolved (fixed in 4.17.2+76-ge1f
debian