Xen Hypervisor CET-SS Shadow Stack Removal Bug Exploits Replay Exception
CVE-2023-46841 Published on March 20, 2024

x86: shadow stack vs exceptions from emulation stubs
Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exceptions, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing.

NVD

Vulnerability Analysis

CVE-2023-46841 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Products Associated with CVE-2023-46841

stack.watch emails you whenever new vulnerabilities are published in Fedora Project Fedora or Citrix Xen Xen. Just hit a watch button to start following.

Fedora Project Fedora
 
Citrix Xen Xen
 

Affected Versions

Xen Version consult Xen advisory XSA-451 is unknown by CVE-2023-46841

Exploit Probability

EPSS
0.07%
Percentile
20.16%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.