OpenCVE

When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that the quota cannot be negative and are using assert() to confirm it. This will lead to C Xenstored crash when tools are built without -DNDEBUG (this is the default).

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Xen	Xen

Configuration 1 [-]

cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://xenbits.xenproject.org/xsa/advisory-440.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: XEN

Published: 2024-01-05T16:30:32.305Z

Updated: 2024-08-02T16:10:06.813Z

Reserved: 2023-06-01T10:44:17.065Z

Link: CVE-2023-34323

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-05T17:15:08.493

Modified: 2024-01-11T17:07:26.057

Link: CVE-2023-34323

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34323", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "state": "PUBLISHED", "assignerShortName": "XEN", "dateReserved": "2023-06-01T10:44:17.065Z", "datePublished": "2024-01-05T16:30:32.305Z", "dateUpdated": "2024-08-02T16:10:06.813Z"}, "containers": {"cna": {"title": "xenstored: A transaction conflict can crash C Xenstored", "datePublic": "2023-10-10T11:26:00Z", "descriptions": [{"lang": "en", "value": "When a transaction is committed, C Xenstored will first check\nthe quota is correct before attempting to commit any nodes. It would\nbe possible that accounting is temporarily negative if a node has\nbeen removed outside of the transaction.\n\nUnfortunately, some versions of C Xenstored are assuming that the\nquota cannot be negative and are using assert() to confirm it. This\nwill lead to C Xenstored crash when tools are built without -DNDEBUG\n(this is the default).\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "A malicious guest could craft a transaction that will hit the C\nXenstored bug and crash it. This will result to the inability to\nperform any further domain administration like starting new guests,\nor adding/removing resources to or from any existing guest.\n"}]}], "affected": [{"defaultStatus": "unknown", "product": "Xen", "vendor": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-440"}]}], "configurations": [{"lang": "en", "value": "All versions of Xen up to and including 4.17 are vulnerable if XSA-326\nwas ingested.\n\nAll Xen systems using C Xenstored are vulnerable. C Xenstored built\nusing -DNDEBUG (can be specified via EXTRA_CFLAGS_XEN_TOOLS=-DNDEBUG)\nare not vulnerable. Systems using the OCaml variant of Xenstored are\nnot vulnerable.\n"}], "workarounds": [{"lang": "en", "value": "The problem can be avoided by using OCaml Xenstored variant.\n"}], "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Stanislav Uschakow and Julien Grall, all\nfrom Amazon.\n"}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-440.html"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-01-05T16:30:32.305Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:06.813Z"}, "title": "CVE Program Container", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-440.html", "tags": ["x_transferred"]}]}]}}