CVE-2023-34328: 
NixOS vulnerability analysis and mitigation

CVE-2023-34328 is a vulnerability discovered in Xen versions between 4.5 and 4.13, affecting AMD CPUs since ~2014 with extensions to normal x86 debugging functionality. The vulnerability was publicly disclosed on January 5, 2024, and allows a PV vCPU to place a breakpoint over the live GDT, enabling exploitation of XSA-156/CVE-2015-8104 to lock up the CPU entirely (Xen Advisory).

The vulnerability specifically affects AMD/Hygon hardware supporting the DBEXT feature, believed to be present in the Steamroller microarchitecture and later. The issue stems from errors in Xen's handling of guest state related to debug mask functionality. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (NVD).

A buggy or malicious PV guest kernel can exploit this vulnerability to lock up the host system entirely. The vulnerability allows a PV vCPU to place a breakpoint over the live GDT, which can then be used to exploit XSA-156/CVE-2015-8104, resulting in a complete CPU lockup (Xen Advisory).

PV VMs which cannot see the DBEXT feature cannot leverage the vulnerability. The issue has been fixed in Xen 4.14 and later versions. For affected versions, patches have been provided and can be applied to resolve the issue. The patches are available for different Xen versions including xen-unstable, Xen 4.17.x, and Xen 4.16.x (Xen Advisory).