Date: Thu, 16 Jun 2022 16:10:02 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 404 v2 (CVE-2022-21123,CVE-2022-21125,CVE-2022-21166) - x86: MMIO Stale Data vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-21123,CVE-2022-21125,CVE-2022-21166 / XSA-404 version 2 x86: MMIO Stale Data vulnerabilities UPDATES IN VERSION 2 ==================== Correct one CVE. The title for version 1 gave CVE-2022-21124 which was incorrect and should have been CVE-2022-21125. Patches are now reviewed. Backports are available. ISSUE DESCRIPTION ================= This issue is related to the SRBDS, TAA and MDS vulnerabilities. Please see: https://xenbits.xen.org/xsa/advisory-320.html (SRBDS) https://xenbits.xen.org/xsa/advisory-305.html (TAA) https://xenbits.xen.org/xsa/advisory-297.html (MDS) Please see Intel's whitepaper: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html IMPACT ====== An attacker might be able to directly read or infer data from other security contexts in the system. This can include data belonging to other VMs, or to Xen itself. The degree to which an attacker can obtain data depends on the CPU, and the system configuration. VULNERABLE SYSTEMS ================== Systems running all versions of Xen are affected. Only x86 processors are vulnerable. Processors from other manufacturers (e.g. ARM) are not believed to be vulnerable. Only Intel based processors are affected. Processors from other x86 manufacturers (e.g. AMD) are not believed to be vulnerable. Please consult the Intel Security Advisory for details on the affected processors and configurations. Per Xen's support statement, PCI passthrough should be to trusted domains because the overall system security depends on factors outside of Xen's control. As such, Xen, in a supported configuration, is not vulnerable to DRPW/SBDR. MITIGATION ========== All mitigations depend on functionality added in the IPU 2022.1 (May 2022) microcode release from Intel. Consult your dom0 OS vendor. To the best of the security team's understanding, the summary is as follows: Server CPUs (Xeon EP/EX, Scalable, and some Atom servers), excluding Xeon E3 (which use the client CPU design), are potentially vulnerable to DRPW (CVE-2022-21166). Client CPUs (inc Xeon E3) are, furthermore, potentially vulnerable to SBDR (CVE-2022-21123) and SBDS (CVE-2022-21125). SBDS only affects CPUs vulnerable to MDS. On these CPUs, there are previously undiscovered leakage channels. There is no change to the existing MDS mitigations. DRPW and SBDR only affects configurations where less privileged domains have MMIO mappings of buggy endpoints. Consult your hardware vendor. In configurations where less privileged domains have MMIO access to buggy endpoints, `spec-ctrl=unpriv-mmio` can be enabled which will cause Xen to mitigate cross-domain fill buffer leakage, and extend SRBDS protections to protect RNG data from leakage. RESOLUTION ========== Applying the appropriate attached patches and enabling the newly introduced command line option, if appropriate, mitigates these issues. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa404/xsa404-?.patch xen-unstable xsa404/xsa404-4.16-?.patch Xen 4.16.x xsa404/xsa404-4.15-?.patch Xen 4.15.x xsa404/xsa404-4.14-?.patch Xen 4.14.x xsa404/xsa404-4.13-?.patch Xen 4.13.x $ sha256sum xsa404*/* 51a812b3e37fb5067aff94d7e587c3fed0de4fcc89e694c7b7dbf1ef2d7e2acc xsa404/xsa404-1.patch 99d9657cd811f5ed86949bd44777b6bfbb4356fea70795edaa9c7ede341603a0 xsa404/xsa404-2.patch 7e61db8f1741a9e2e9e68e7221cc532f4d17c4d0b2e02ce9ba4468ce187b7b57 xsa404/xsa404-3.patch be78110d460db361be29f5e5f4b4608bbd25d2032c5f14eed05fd10e66e99e87 xsa404/xsa404-4.13-1.patch 7734bc21a04eb0cea30564bd0855ecc969b7b427a250b5ea6efc6fab46483b70 xsa404/xsa404-4.13-2.patch 6abbdcf5308c033ab7b59c6c75514e29aa14f06c61ef807e2d0c80695af1cace xsa404/xsa404-4.13-3.patch ccff36c3615d0068ade29e1d25abd6112b9e90490a5b0ef3d189b27aa53976b2 xsa404/xsa404-4.14-1.patch ac446bed9d33d84e0b20e4898ce1424f3ed7ed4b05c3c559045a377a9a044b0c xsa404/xsa404-4.14-2.patch 0ca7801e0442dd304d62538a0861fe459b08dc367530d2142405d602930e1dab xsa404/xsa404-4.14-3.patch a26036a136c10810de88960704e6922a40b483a49c8b1821a6e265cae968bfc2 xsa404/xsa404-4.15-1.patch 25616a8665b96b965fbc0b799fb8cd17a360b4add71c6e6e504859cfd35f19ce xsa404/xsa404-4.15-2.patch a4c3608210f62e453f9c983ebc1a3b0846ca3a52ba32ee13143561710b4c4118 xsa404/xsa404-4.15-3.patch a18c04cfdacf7dbb518216ac85047a5851c1f64c62d64e234f8ed19b6905ba60 xsa404/xsa404-4.16-1.patch d22af75e0bc42e249a37bd91165b426c7146f69dfd6c4de4a06d6ed0b3e5e713 xsa404/xsa404-4.16-2.patch b04603668f61fbd40e2effaaeb7b3d9c555a8d8a4667208ae0ae42baf323230a xsa404/xsa404-4.16-3.patch $ In addition, the backports have already been pushed to xen.git. They are available in the following branches: staging 8c24b70fedcb52633b2370f834d8a2be3f7fa38e staging-4.16 2e82446cb252f6c8ac697e81f4155872c69afde4 staging-4.15 a3faf632606e54437146dbcac2c9bbb89b9a4007 staging-4.14 c5f774eaeeca195ef85b47713f0b21220c4b41e6 staging-4.13 87ff11354f0dc0d6e77e1695e6c1e14aa1382cdc NOTE CONCERNING CVE-2022-21127 / Update to SRBDS ================================================ An issue was discovered with the SRBDS microcode mitigation. A microcode update was released as part of Intel's IPU 2022.1 in May 2022. Updating microcode is sufficient to fix the issue, with no extra actions required on Xen's behalf. Consult your dom0 OS vendor or OEM for updated microcode. NOTE CONCERNING CVE-2022-21180 / Undefined MMIO Hang ==================================================== A related issue was discovered. See: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/undefined-mmio-hang.html Xen is not vulnerable to UMH in supported configurations. The only mitigation is to avoid passing impacted devices through to untrusted guests. NOTE CONCERNING LACK OF EMBARGO =============================== The discoverer did not authorise us to predisclose. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmKrVbAMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZ2AcH/jWGiu0jpWMkQw/3U4DUu2a77PcC9jLH8NONesB7 SGfdhIMNqmStUI5VJf54ccDIrZSLQxvNVWWxXyQPhZXWhSPf5xE2uYK1qUL+Za8c kOIJr0Drzffr2Bmu3NnBCRdQDkmXl2GDgqig4YWK/+BOlOO+YxBGdyoE0mBOXMo4 +cQHHvYa16kZVuwxyS0mZxhKFo3JQZaKqh2DEzKZUWm3w8n3NKEYG8S00sttZfjs dS8rNXEu+yrmPjsJ+hFfJw8MfoETE6yGI47C89dFTN9Q0KedEYM28oD6ClMUC+ks kwnFAk561m4VUoTqkSv82PeJfS9Sp5D6yO4CDdC05Eyc9gA= =K9Tq -----END PGP SIGNATURE----- Download attachment "xsa404/xsa404-1.patch" of type "application/octet-stream" (9555 bytes) Download attachment "xsa404/xsa404-2.patch" of type "application/octet-stream" (5026 bytes) Download attachment "xsa404/xsa404-3.patch" of type "application/octet-stream" (8418 bytes) Download attachment "xsa404/xsa404-4.13-1.patch" of type "application/octet-stream" (9583 bytes) Download attachment "xsa404/xsa404-4.13-2.patch" of type "application/octet-stream" (3196 bytes) Download attachment "xsa404/xsa404-4.13-3.patch" of type "application/octet-stream" (8405 bytes) Download attachment "xsa404/xsa404-4.14-1.patch" of type "application/octet-stream" (9432 bytes) Download attachment "xsa404/xsa404-4.14-2.patch" of type "application/octet-stream" (4997 bytes) Download attachment "xsa404/xsa404-4.14-3.patch" of type "application/octet-stream" (8398 bytes) Download attachment "xsa404/xsa404-4.15-1.patch" of type "application/octet-stream" (9471 bytes) Download attachment "xsa404/xsa404-4.15-2.patch" of type "application/octet-stream" (4997 bytes) Download attachment "xsa404/xsa404-4.15-3.patch" of type "application/octet-stream" (8398 bytes) Download attachment "xsa404/xsa404-4.16-1.patch" of type "application/octet-stream" (9471 bytes) Download attachment "xsa404/xsa404-4.16-2.patch" of type "application/octet-stream" (4997 bytes) Download attachment "xsa404/xsa404-4.16-3.patch" of type "application/octet-stream" (8398 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.