QSB-086: Speculative security issues on AMD CPUs (XSA-422)
We have just published Qubes Security Bulletin (QSB) 086: Speculative security issues on AMD CPUs (XSA-422). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack). More information about QSBs, including a complete historical list, is available here.
---===[ Qubes Security Bulletin 086 ]===---
2022-11-08
Speculative security issues on AMD CPUs (XSA-422)
User action required
---------------------
Users must install the following specific packages in order to address
the issues discussed in this bulletin:
For Qubes 4.1, in dom0:
- Xen packages, version 4.14.5-13
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
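A small triage helper for dom0 on Qubes 4.1, added here as an illustration and not part of the QSB or of any Qubes tooling: it confirms the CPU vendor from /proc/cpuinfo-style text and compares the installed Xen package version against the fixed version 4.14.5-13 stated above. It assumes the dom0 hypervisor RPM is named xen-hypervisor and that its release may carry a Fedora dist tag (for example .fc32); both are assumptions, not facts from the bulletin. The sample cpuinfo lines used in the checks are constructed.

```shell
# Added example (not from the QSB): XSA-422 triage helper for Qubes 4.1 dom0.
# Assumptions: the dom0 Xen hypervisor RPM is named "xen-hypervisor" and the
# fixed package version is 4.14.5-13 as stated in the bulletin.

FIXED_XEN="4.14.5-13"

# version_ge A B: succeeds when version string A sorts at or after B.
# Relies on GNU sort -V, which orders "4.14.5-12.fc32" before "4.14.5-13"
# and "4.14.5-13" before "4.14.5-13.fc32" (a dist tag does not lower it).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# xen_is_fixed VERSION: succeeds when VERSION already contains the XSA-422 fix.
xen_is_fixed() {
  version_ge "$1" "$FIXED_XEN"
}

# cpu_vendor: prints the vendor_id field from /proc/cpuinfo-style text on stdin.
cpu_vendor() {
  awk -F': *' '/^vendor_id/ { print $2; exit }'
}

# triage VENDOR XEN_VERSION: prints a verdict and returns
#   0  when the installed Xen is at or above the fixed version
#   1  when the CPU is AMD and dom0 still needs the update (then a restart)
#   2  when the CPU is not AMD (outside the scope of XSA-422; AMD-SB-1040
#      lists which AMD models are actually affected)
triage() {
  vendor=$1
  xenver=$2
  if [ "$vendor" != "AuthenticAMD" ]; then
    echo "non-AMD CPU ($vendor): XSA-422 does not apply"
    return 2
  fi
  if xen_is_fixed "$xenver"; then
    echo "AMD CPU, xen-hypervisor $xenver >= $FIXED_XEN: fixed"
    return 0
  fi
  echo "AMD CPU, xen-hypervisor $xenver < $FIXED_XEN: update dom0, then restart"
  return 1
}

# Live run, only where the assumed package is actually installed (i.e. dom0);
# on any other machine the block just defines the functions above.
if command -v rpm >/dev/null 2>&1 && rpm -q xen-hypervisor >/dev/null 2>&1 \
   && [ -r /proc/cpuinfo ]; then
  triage "$(cpu_vendor < /proc/cpuinfo)" \
         "$(rpm -q --qf '%{VERSION}-%{RELEASE}' xen-hypervisor)"
fi
```

Run it in a dom0 terminal after the update and restart; a return code of 0 means the package comparison passed. It checks only the package version, not whether the running hypervisor is the new binary, which is why the bulletin's restart requirement still stands.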
Summary
--------
On 2022-11-08, the Xen Project published XSA-422, "x86: Multiple
speculative security issues" [3]:
| Researchers have discovered that on some AMD CPUs, the
| implementation of IBPB (Indirect Branch Prediction Barrier) does not
| behave according to the specification.
|
| Specifically, IBPB fails to properly flush the RAS (Return Address
| Stack, also RSB - Return Stack Buffer - in Intel terminology; one of
| the hardware prediction structures), allowing attacker controlled
| values to survive across a deliberate attempt to purge said values.
|
| AMD have allocated CVE-2022-23824.
XSA-422 also describes a second AMD vulnerability. However, since it
is believed not to affect Xen, and therefore not to affect Qubes OS,
it is omitted here.
Impact
-------
On Qubes OS installations with affected CPUs, a VM running in PV mode
may be capable of inferring the memory contents of other running VMs,
including dom0. In the default Qubes OS configuration, only the
stubdomains for HVMs are in a position to exploit this vulnerability
in order to attack other VMs. (Dom0 also runs in PV mode, but it is
fully trusted.)
Only certain AMD CPUs are affected. Please see AMD-SB-1040 [4] for the
official list of affected models.
(Note: XSA-422 states that Xen versions prior to 4.16 are not affected
by this vulnerability. While Qubes OS uses a Xen version prior to
4.16, we have backported a Xen performance optimization [5] that
assumes that IBPB works as previously specified. Therefore, the
version of Xen used in Qubes is affected by this vulnerability even
though its version number is lower than 4.16.)
Credits
--------
See the original Xen Security Advisory.
References
-----------
[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-422.html
[4] https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1040
[5] https://github.com/QubesOS/qubes-vmm-xen/blob/v4.14.5-12/patch-0001-x86-spec-ctrl-Skip-RSB-overwriting-when-safe-to-do-s.patch
--
The Qubes Security Team
https://www.qubes-os.org/security/