QSB-090: Zenbleed (CVE-2023-20593, XSA-433)

Qubes OS 40 Published by

A new security update for Qubes OS has been released to address Zenbleed, a hardware bug that causes vector register corruption.



QSB-090: Zenbleed (CVE-2023-20593, XSA-433)



             ---===[ Qubes Security Bulletin 090 ]===---

                              2023-07-24

                 Zenbleed (CVE-2023-20593, XSA-433)

User action required
---------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.1, in dom0:
  - linux-firmware 20230625-146
  - Xen packages 4.14.5-21

  For Qubes 4.2, in dom0:
  - linux-firmware 20230625-147
  - Xen packages 4.17.1-3

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen and initramfs binaries.

Summary
--------

On 2023-07-24, the Xen Project published XSA-433, "x86/AMD: Zenbleed"
[3]:
| Researchers at Google have discovered Zenbleed, a hardware bug causing
| corruption of the vector registers.
|
| When a VZEROUPPER instruction is discarded as part of a bad transient
| execution path, its effect on internal tracking are not unwound
| correctly.  This manifests as the wrong micro-architectural state
| becoming architectural, and corrupting the vector registers.
|
| Note: While this malfunction is related to speculative execution, this
|       is not a speculative sidechannel vulnerability.
|
| The corruption is not random.  It happens to be stale values from the
| physical vector register file, a structure competitively shared between
| sibling threads.  Therefore, an attacker can directly access data from
| the sibling thread, or from a more privileged context.
|
| For more details, see:
|   https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
|
| https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8


Impact
-------

As explained in XSA-433, this vulnerability is specific to the AMD Zen 2
microarchitecture, and AMD does not believe that other
microarchitectures are affected. Exploiting this vulnerability would
allow an attacker to read data from different contexts on the same core.
Examples of such data include key material, ciphertext and plaintext
from AES-NI operations, and the contents of REP-MOVS instructions, which
are commonly used to implement `memcpy()`.

In order to exploit this vulnerability, an attacker must be capable of
executing code at any privilege level in any qube, e.g., JavaScript in a
web browser. Moreover, the code to reliably exploit this vulnerability
is publicly available. Accordingly, there is a high risk of this
vulnerability being exploited in practice.

Credits
--------

Tavis Ormandy of Google Project Zero.

References
-----------

[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-433.html

Linux Kernel 4.19.289 released

Liquorix Linux Kernel 6.4-7 released

Windows

Linux

macOS

Community

  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...
  • StephanX
    Hi friends, i am new in the Linux universe but i try to ...
  • Philipp
    I would try the XanMod kernel: https://xanmod.orgĀ  I ...