Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.1700
x86: speculative vulnerability in 32bit SYSCALL path
22 March 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Xen
Publisher: Xen
Operating System: Linux variants
Virtualisation
Resolution: Patch/Upgrade
CVE Names: CVE-2022-42331
Original Bulletin:
http://xenbits.xen.org/xsa/advisory-429.html
Comment: CVSS (Max): 5.6 CVE-2022-42331 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2022-42331 / XSA-429
version 3
x86: speculative vulnerability in 32bit SYSCALL path
UPDATES IN VERSION 3
====================
Public release.
ISSUE DESCRIPTION
=================
Due to an oversight in the very original Spectre/Meltdown security work
(XSA-254), one entrypath performs its speculation-safety actions too
late.
In some configurations, there is an unprotected RET instruction which
can be attacked with a variety of speculative attacks.
IMPACT
======
An attacker might be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.
VULNERABLE SYSTEMS
==================
Xen versions 4.5 through 4.17 are vulnerable. Older versions are not
vulnerable.
Only x86 CPUs are potentially vulnerable. CPUs of other architectures
are not vulnerable.
The problematic codepath is only reachable on x86 CPUs which follow
AMD's behaviour with respect to SYSCALL instructions from compatibility
mode segments. This means that AMD and Hygon CPUs are potentially
vulnerable, whereas Intel CPUs are not. Other vendors have not been
checked.
Only PV guests can leverage the vulnerability.
On Xen 4.16 and later, the vulnerability is only present if 32bit PV
guest support is compiled in - i.e. CONFIG_PV32=y. On Xen 4.15 and
older, all supported build configurations are vulnerable.
The vulnerability is only present when booting on hardware that supports
SMEP or SMAP (Supervisor Mode Execution/Access Prevention). This is
believed to be some Family 0x16 models, and all later CPUs.
MITIGATION
==========
Not running untrusted PV guests will avoid the issue.
CREDITS
=======
This issue was discovered by Andrew Cooper of XenServer.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa429.patch xen-unstable - Xen 4.16
xsa429-4.15.patch Xen 4.15 - Xen 4.14
$ sha256sum xsa429*
2d7be90d917c475ab5217e657d2b44f5d8b107d9023dca034fcfb7feab07b2f0 xsa429.meta
36ed36dbfaad9e5df5fa87b9a3d9e9c531f476f97eeb2afe280aa238032a0540 xsa429.patch
7ac3d4182585e5d2d39231f10e7c0c9fcb972c82cf81cb884e95b628187de3a7 xsa429-4.15.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmQZlWMMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZil4H/2b1DkLLz4RQqAgvaB8+SBeVLPqoZ7QxGLl8QXWT
AMjFdy+M5T1OtbrMvEYCZNYhZnGOJgmVagERUvg/yZbPYx28NIHjG4+u90Ot6OId
AQPqdrJ0wjEzN/ppNpnu1ALofAGbjsnAypEouGPh12gh5fcpcLQdT0rvpl2ff5f6
Qi4ShtUXhBiduBQcJ0TSneSCf5s7cq1+sMenntenK5Nrsvg7gu51YR45FyKyXdZc
raonkGDny9kmDAjdKkywS2Au2763ph9nHbW5TbD17s65AKUDTupzk+QlFPhJLIP+
/gxDoUjKFiD/eY0AABWMAFGGvHFRNvdhTfUd6ImmWhqdEeE=
=HxUJ
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZBpoM8kNZI30y1K9AQiuQRAAkvTenTeImtqWD476GvVqgdSG8DCrAr+z
XqkZ09V4kTn6NPW8OWxBN0LhEVrP/OkP7CyF6sucBZccDdV4j6LS/xV+9NDss05y
o2brwrqYP1CPI8dUXfzMFD/YQvF7YeSwik1Va4zJLvJ9SrgSZU/AIObPmlyO4Zwf
IsFLoj93TzpMzLxS/Ivv5xmvUJtuQctqAot4XivLnNE+wuip4+0ybrc7YzCicEUT
WtGN9vbNSkeihMsy8jWPmHBIjdYpZI4ItHWWk3WPTJ3IySXPU54hddGfBN70o1Si
o6W1kVKE0f9zJq5s9ACYfs6yQ2z7FKH2kiPhuYRY9suCtPbBsKasBG70iZ+qv+Oz
3Rwe3gofzlYNn1DEBixH2EBe8RFd12hdo9eYZUGe+iWCqajhpRoq5q60R3T6Aivb
ux3wXze7x0BpbFUOSFA8Cor5uTtE2PS/cR2VDg+NV6ni2uEiwt7SlRBrHWoxdgRm
5Ms1tp6dgpTvv88Lh2DjILg8yqyfuZb/yhBKmCQ/3ERKGQo8bN6EOS20pk4F1BYR
gEeV/9YKG5AHE0vIHTl1B/RfZnapm51XOnZ8UIlWK5n+DmQfjt0wR7Ige8k7f6XF
sI0iXL4QtV82wxgyxH4eYtwzDWOqBwAA8gjvlx8oQuQg5g7rjgTQw1cL34zm+e5L
BEIU2gilqmY=
=MWhy
-----END PGP SIGNATURE-----