QSB-097: "Reptar" Intel redundant prefix vulnerability
We have published Qubes Security Bulletin 097: “Reptar” Intel redundant prefix vulnerability. The text of this QSB and its accompanying cryptographic signatures are reproduced below. For an explanation of this announcement and instructions for authenticating this QSB, please see the end of this announcement.
Qubes Security Bulletin 097
---===[ Qubes Security Bulletin 097 ]===---
2023-11-14
"Reptar" Intel redundant prefix vulnerability
(CVE-2023-23583, INTEL-SA-00950)
User action
------------
Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is
required in response to this QSB.
Summary
--------
On 2023-11-14, Intel published INTEL-SA-00950, "2023.4 IPU Out-of-Band
(OOB) - Intel® Processor Advisory" [3] accompanied by advisory guidance
[4] that states:
| Under certain microarchitectural conditions, Intel has identified
| cases where execution of an instruction (REP MOVSB) encoded with a
| redundant REX prefix may result in unpredictable system behavior
| resulting in a system crash/hang, or, in some limited scenarios, may
| allow escalation of privilege (EoP) from CPL3 to CPL0.
This vulnerability has been assigned CVE-2023-23583. [5]
Impact
-------
On affected systems, a qube running in PV mode can attempt to exploit
this vulnerability in order to escalate its privileges to those of dom0.
In the default Qubes OS configuration, the stubdomains for sys-net and
sys-usb run in PV mode. (Dom0 also runs in PV mode, but it is fully
trusted.)
In addition, any qube can attempt to exploit this vulnerability in order
to crash the system, resulting in a denial of service (DoS).
Tavis Ormandy's write-up [6] suggests that disabling hyper-threading
(which Qubes OS does by default) might reduce the impact to that of a
denial-of-service attack, but we cannot completely rule out the
possibility of privilege escalation even with hyper-threading disabled.
Affected systems
-----------------
Only systems with Intel processors are affected, specifically:
- 10th generation Core and newer processors
- Certain server processors
According to Intel, some recent processor families already have
mitigations. For details, see the tables of affected products in
INTEL-SA-00950. [3]
Patching
---------
The following packages contain security updates that address the
vulnerabilities described in this bulletin:
For Qubes 4.1, in dom0:
- microcode_ctl, version 2.1-56.qubes1
For Qubes 4.2, in dom0:
- microcode_ctl, version 2.1-56.qubes1
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [1]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
initramfs binaries.
Credits
--------
See the Intel security advisory. [3]
References
-----------
[1] https://www.qubes-os.org/doc/how-to-update/
[2] https://www.qubes-os.org/doc/testing/
[3] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html
[4] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/redundant-prefix-issue.html
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23583
[6] https://lock.cmpxchg8b.com/reptar.html
The Qubes Security Team
https://www.qubes-os.org/security/
Source: https://github.com/QubesOS/qubes-secpack/blob/main/QSBs/qsb-097-2023.txt
Marek Marczykowski-Górecki’s PGP signature
A microcode_ctl security update has been released for Qubes OS.
