QSB-102: Multiple speculative-execution vulnerabilities: Spectre-BHB, BTC/SRSO (XSA-455, XSA-456)
QSB-102: Multiple speculative-execution vulnerabilities: Spectre-BHB, BTC/SRSO (XSA-455, XSA-456)
We have published Qubes Security Bulletin (QSB) 102: Multiple speculative-execution vulnerabilities: Spectre-BHB, BTC/SRSO (XSA-455, XSA-456). The text of this QSB and its accompanying cryptographic signatures are reproduced below, followed by a general explanation of this announcement and authentication instructions.
Qubes Security Bulletin 102
---===[ Qubes Security Bulletin 102 ]===---
2024-04-09
Multiple speculative-execution vulnerabilities:
Spectre-BHB, BTC/SRSO (XSA-455, XSA-456)
User action
------------
Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is
required in response to this QSB.
Summary
--------
The Xen Project published the following security advisories on
2024-04-09:
XSA-455 [3] "x86: Incorrect logic for BTC/SRSO mitigations":
| Because of a logical error in XSA-407 (Branch Type Confusion), the
| mitigation is not applied properly when it is intended to be used.
| XSA-434 (Speculative Return Stack Overflow) uses the same
| infrastructure, so is equally impacted.
|
| For more details, see:
| https://xenbits.xen.org/xsa/advisory-422.html
| https://xenbits.xen.org/xsa/advisory-434.html
XSA-456 [4] "x86: Native Branch History Injection":
| In August 2022, researchers at VU Amsterdam disclosed Spectre-BHB.
|
| Spectre-BHB was discussed in XSA-398. At the time, the susceptibility
| of Xen to Spectre-BHB was uncertain so no specific action was taken in
| XSA-398. However, various changes were made thereafter in upstream
| Xen as a consequence; more on these later.
|
| VU Amsterdam have subsequently adjusted the attack to be pulled off
| entirely from userspace, without the aid of a managed runtime in the
| victim context.
|
| For more details, see:
| https://vusec.net/projects/native-bhi
| https://vusec.net/projects/bhi-spectre-bhb
| https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html
| https://xenbits.xen.org/xsa/advisory-398.html
Impact
-------
On affected systems, an attacker who manages to compromise a qube may be
able to use it to infer the contents of arbitrary system memory,
including memory assigned to other qubes. For more information, see:
- QSB-077 [5] for XSA-389
- QSB-083 [6] for XSA-407
- QSB-093 [7] for XSA-434
Affected systems
-----------------
For XSA-455, the affected systems are the same as in QSB-083 [6] and
QSB-093 [7].
For XSA-456, only Intel CPUs with the eIBRS feature (available since
2019) are affected. You can check for the presence of the eIBRS feature
by looking for "eibrs" in the "Dynamic Sets" section of the `xen-cpuid
-v` command output. For example, you can execute the following command
in dom0:
xen-cpuid -v | sed -n '/^Dynamic/,$ { /eibrs/p }'
Empty output means that XSA-456 does not affect the CPU, while non-empty
output means that XSA-456 does affect the CPU.
Patching
---------
The following packages contain security updates that address the
vulnerabilities described in this bulletin:
For Qubes 4.1, in dom0:
- Xen packages, version 4.14.6-8
For Qubes 4.2, in dom0:
- Xen packages, version 4.17.3-5
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [1]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
Credits
--------
See the original Xen Security Advisory.
References
-----------
[1] https://www.qubes-os.org/doc/how-to-update/
[2] https://www.qubes-os.org/doc/testing/
[3] https://xenbits.xen.org/xsa/advisory-455.html
[4] https://xenbits.xen.org/xsa/advisory-456.html
[5] https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-077-2022.txt
[6] https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-083-2022.txt
[7] https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-093-2023.txt
The Qubes Security Team
https://www.qubes-os.org/security/
Source: qsb-102-2024.txt
Marek Marczykowski-Górecki’s PGP signature
