CVE-2023-34323: 
NixOS vulnerability analysis and mitigation

CVE-2023-34323 is a vulnerability in Xen's C Xenstored component that was discovered in 2023. The issue affects all versions of Xen up to and including 4.17 where XSA-326 was implemented. The vulnerability was discovered by Stanislav Uschakow and Julien Grall from Amazon and was publicly disclosed on October 10, 2023 (Xen Advisory).

When a transaction is committed, C Xenstored performs a quota check before attempting to commit any nodes. The vulnerability arises when a node has been removed outside of the transaction, potentially causing the accounting to become temporarily negative. The C Xenstored implementation incorrectly assumes that the quota cannot be negative and uses assert() to verify this assumption. This leads to a crash when tools are built without -DNDEBUG, which is the default configuration. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

A malicious guest can exploit this vulnerability by crafting a specific transaction that triggers the C Xenstored bug, resulting in a crash. The impact of such a crash is significant as it prevents any further domain administration tasks, including starting new guests or modifying resources for existing guests (Xen Advisory).

The vulnerability can be mitigated by either using the OCaml Xenstored variant instead of C Xenstored, or by applying the appropriate security patches. For systems that cannot immediately apply patches, building C Xenstored with -DNDEBUG flag (specified via EXTRA_CFLAGS_XEN_TOOLS=-DNDEBUG) provides a temporary workaround (Xen Advisory).