A new security update is available for the only currently supported release of XCP-ng: 8.2 LTS.
Updating your hardware's firmware remains the preferred way to update microcode, and any newer microcode found in the firmware will take precedence over the microcode we provide in XCP-ng.
The Xen Project has released two new updates addressing security issues – one related to IOMMU and the other concerning PV guests. It's important to note that these updates do not impact XCP-ng in the nominal case. Read further to get a more detailed picture!
🔒 Fixed Vulnerability
INTEL-SA-00950: CVE-2023-23583 - "2023.4 IPU Out-of-Band (OOB)". According to the advisory this could allow a privilege escalation or information disclosure or a denial of service. This vulnerability was mitigated for newer hardware in a previous microcode release from Intel that we already integrated and for which the vulnerability was not disclosed yet. This update addresses it for some older hardware that was also impacted:
|server||3rd generation Xeon Scalable, Xeon D, and Server Processors|
|desktop||11th generation Core Processors|
|embedded||11th generation Core and Server Processors|
|mobile||10th and 11th generation Core Processors|
For more details on the CPU and Platform IDs impacted, look at the INTEL-SA-00950 page.
🔓 Fixes to come
- XSA-445: CVE-2023-46835 - "x86/AMD: mismatch in IOMMU quarantine page table levels". This arises when using the
dom_ioto quarantine memory pages. Note that this feature is not enabled in XCP-ng. However, if you have tinkered with Xen command line arguments to activate it, you could be impacted. If you have not intentionally passed
iommu=quarantine:trueto Xen during boot time, your hosts remain unaffected.
- XSA-446: CVE-2023-46836 - "x86: BTC/SRSO fixes not fully effective". Fixes to XSA-422 (Branch Type Confusion) and XSA-434 (SpeculativeReturn Stack Overflow) were not fully IRQ-safe, in conjunction with the fix for XSA-254 addressing Meltdown (XPTI), a race condition can emerge where a malicious PV guest can bypass the protection and still trigger an attack against the first two XSAs. As mentionned this is only possible in PV guest which are not officially supported in XCP-ng, so if you're following our usage recommandation and and avoid PV guests, you're not impacted by this issue.
✨ Our Plan
The updated microcode for this Intel SA is part of this XCP-ng update for your convenience, in case your hardware vendor does not yet provide an updated firmware.
Regarding the XSAs, as mentionned in the vulnerabilities details, the default and recommended usage of XCP-ng should not be affected by these two issues. The decision was made not to proactively work on integrating these fixes into XCP-ng ahead of time in order to limit the update burden for users. Unfortunately the last minute microcode update led to an update, while the integration of these XSAs patches is not yet ready. The current plan is to incorporate them in a future release or if the need arises in the coming days.