Qubes OS 30 Published by

A new security update for Qubes OS has been released to address Zenbleed, a hardware bug that causes vector register corruption.

QSB-090: Zenbleed (CVE-2023-20593, XSA-433)

---===[ Qubes Security Bulletin 090 ]===--- 2023-07-24 Zenbleed (CVE-2023-20593, XSA-433) User action required --------------------- Users must install the following specific packages in order to address the issues discussed in this bulletin: For Qubes 4.1, in dom0: - linux-firmware 20230625-146 - Xen packages 4.14.5-21 For Qubes 4.2, in dom0: - linux-firmware 20230625-147 - Xen packages 4.17.1-3 These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community. [1] Once available, the packages are to be installed via the Qubes Update tool or its command-line equivalents. [2] Dom0 must be restarted afterward in order for the updates to take effect. If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Xen and initramfs binaries. Summary -------- On 2023-07-24, the Xen Project published XSA-433, "x86/AMD: Zenbleed" [3]: | Researchers at Google have discovered Zenbleed, a hardware bug causing | corruption of the vector registers. | | When a VZEROUPPER instruction is discarded as part of a bad transient | execution path, its effect on internal tracking are not unwound | correctly. This manifests as the wrong micro-architectural state | becoming architectural, and corrupting the vector registers. | | Note: While this malfunction is related to speculative execution, this | is not a speculative sidechannel vulnerability. | | The corruption is not random. It happens to be stale values from the | physical vector register file, a structure competitively shared between | sibling threads. Therefore, an attacker can directly access data from | the sibling thread, or from a more privileged context. | | For more details, see: | https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html | | https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8 Impact ------- As explained in XSA-433, this vulnerability is specific to the AMD Zen 2 microarchitecture, and AMD does not believe that other microarchitectures are affected. Exploiting this vulnerability would allow an attacker to read data from different contexts on the same core. Examples of such data include key material, ciphertext and plaintext from AES-NI operations, and the contents of REP-MOVS instructions, which are commonly used to implement `memcpy()`. In order to exploit this vulnerability, an attacker must be capable of executing code at any privilege level in any qube, e.g., JavaScript in a web browser. Moreover, the code to reliably exploit this vulnerability is publicly available. Accordingly, there is a high risk of this vulnerability being exploited in practice. Credits -------- Tavis Ormandy of Google Project Zero. References ----------- [1] https://www.qubes-os.org/doc/testing/ [2] https://www.qubes-os.org/doc/how-to-update/ [3] https://xenbits.xen.org/xsa/advisory-433.html