November 2023 Security Update

A new security update is available for the only currently supported release of XCP-ng: 8.2 LTS.

📙
To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

📋 Summary

Intel has issued an new security advisory: INTEL-SA-00950 and pushed  new microcode that is integrated in the latest update of XCP-ng.

⚠️
Updated firmware is provided as a convenience to help mitigates hardware vulnerabilities and other bugs.
Updating your hardware's firmware remains the preferred way to update microcode, and any newer microcode found in the firmware will take precedence over the microcode we provide in XCP-ng.

The Xen Project has released two new updates addressing security issues – one related to IOMMU and the other concerning PV guests. It's important to note that these updates do not impact XCP-ng in the nominal case. Read further to get a more detailed picture!

🔒 Fixed Vulnerability

INTEL-SA-00950: CVE-2023-23583 - "2023.4 IPU Out-of-Band (OOB)". According to the advisory this could allow a privilege escalation or information disclosure or a denial of service. This vulnerability was mitigated for newer hardware in a previous microcode release from Intel that we already integrated and for which the vulnerability was not disclosed yet. This update addresses it for some older hardware that was also impacted:

Processor segment Generations
server 3rd generation Xeon Scalable, Xeon D, and Server Processors
desktop 11th generation Core Processors
embedded 11th generation Core and Server Processors
mobile 10th and 11th generation Core Processors

For more details on the CPU and Platform IDs impacted, look at the INTEL-SA-00950 page.

🔓 Fixes to come

  • XSA-445: CVE-2023-46835 - "x86/AMD: mismatch in IOMMU quarantine page table levels". This arises when using the dom_io to quarantine memory pages. Note that this feature is not enabled in XCP-ng. However, if you have tinkered with Xen command line arguments to activate it, you could be impacted. If you have not intentionally passed iommu=quarantine:true to Xen during boot time, your hosts remain unaffected.
  • XSA-446: CVE-2023-46836 - "x86: BTC/SRSO fixes not fully effective".  Fixes to XSA-422  (Branch Type Confusion) and XSA-434 (Speculative‌‌Return Stack Overflow) were not fully IRQ-safe, in conjunction with the fix for XSA-254 addressing Meltdown (XPTI), a race condition can emerge where a malicious PV guest can bypass the protection and still trigger an attack against the first two XSAs. As mentionned this is only possible in PV guest which are not officially supported in XCP-ng, so if you're following our usage recommandation and and avoid PV guests, you're not impacted by this issue.
💭
If you want to read more on XCP-ng and PV guests, you can have a look at this previous blog post when we announced the removal of 32bits PV guests support and strongly advise to convert your 64bits ones to HVM.

✨ Our Plan

The updated microcode for this Intel SA is part of this XCP-ng update for your convenience, in case your hardware vendor does not yet provide an updated firmware.

Regarding the XSAs, as mentionned in the vulnerabilities details, the default and recommended usage of XCP-ng should not be affected by these two issues. The decision was made not to proactively work on integrating these fixes into XCP-ng ahead of time in order to limit the update burden for users. Unfortunately the last minute microcode update led to an update, while the integration of these XSAs patches is not yet ready. The current plan is to incorporate them in a future release or if the need arises in the coming days.