-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0873
         Xen: Load Value Injection (LVI) speculative side channel
                               11 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-0551

Reference:         ESB-2020.0869

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-315.html

Comment: Xen notes:

         "Only Intel based processors are potentially affected.  Processors from
         other manufacturers (e.g. AMD) are not believed to be vulnerable."

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-0551 / XSA-315

           Load Value Injection (LVI) speculative side channel

ISSUE DESCRIPTION
=================

This is very closely related to the Microarchitectural Data Sampling
vulnerabilities from May 2019.

Please see https://xenbits.xen.org/xsa/advisory-297.html for details
about MDS.

A new way of using the micro-architectural details behind MDS has been
identified.  Instead of simply trying to sample data from a different
privilege context, an attacker can arrange for poisoned data to be
consumed (speculatively) in a victim context.

This expands the range of tools by which an attacker can manipulate
speculation in the victim context to leak data via a side channel.

For more details, see:
  https://software.intel.com/security-software-guidance/insights/deep-dive-load-value-injection

IMPACT
======

An attacker, which could include a malicious untrusted user process on a
trusted guest, or an untrusted guest, can potentially cause a victim
context (process, or guest, or guest kernel, or hypervisor) to leak
secrets available to it.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Only x86 processors are vulnerable.
ARM processors are not believed to be vulnerable.

Only Intel based processors are potentially affected.  Processors from
other manufacturers (e.g. AMD) are not believed to be vulnerable.

Please consult the Intel Security Advisory for details on the affected
processors.

MITIGATION
==========

Xen does not support the use of SGX (Software Guard Extensions).
Outside of the SGX enclave case, the attacker has a limited ability to
control the paging behaviour in the victim context.

Therefore, it is not believed that there is a practical way to attack a
victim context which is not an SGX enclave.

Furthermore, preexisting work (including fixes for MDS, SMAP hardening
for user pointers) and in-progress work (core scheduling for SMT
systems) all raise the bar further for an attacker.

There are no known LVI gadgets within Xen.  As a result, we have
decided not to make any changes to default configurations of Xen.

Systems with untrusted PV guests, and whose host administrators are
worried about potential LVI gadgets, might wish to consider changing
the VM to be HVM instead, or making use of PV-Shim, to limit the scope
of a potential attack.

NOTE REGARDING PAGE MODIFICATION LOGGING
========================================

Included for completeness, rather than due to being a realistic concern:

On Intel Broadwell and later systems, Xen uses Page Modification Logging
to accelerate logdirty tracking on migration.  The use of this does put
the guest kernel at a higher risk of being attacked, due to the use of
EPT Access/Dirty bits used behind the scenes.  Userspace shouldn't be
able to influence when a migration occurs, but booting Xen with
`ept=no-ad` will mitigate this concern by causing Xen to fall back to
software logdirty tracking.
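As an added example (not part of XSA-315 or the Xen project's own code), a small
shell audit helper that reports the two host facts the MITIGATION and PML notes
above turn on: whether the host is Intel and whether it was booted with
`ept=no-ad`, and whether any PV guests are present. It assumes `xl info` prints a
`xen_commandline` field and that `xl list -l` emits libxl JSON containing
`"type": "pv"` for PV domains; the sample inputs are constructed, not captured.

```shell
# Added audit helper for XSA-315 (not Xen project code).  Inputs are passed
# as text so it runs on captured output as well as live `xl` output.
# Assumptions: `xl info` prints "xen_commandline", `xl list -l` emits libxl
# JSON with "type": "pv" for PV domains, /proc/cpuinfo carries "vendor_id".

# 0 if the cpuinfo text names an Intel CPU (only Intel is affected by LVI).
is_intel() {
    printf '%s\n' "$1" | grep -q '^vendor_id[[:space:]]*:[[:space:]]*GenuineIntel'
}

# 0 if the Xen command line has "no-ad" inside its comma-separated ept= list.
# Only the spelling the advisory gives is matched, not other forms Xen may take.
ept_ad_disabled() {
    printf '%s\n' "$1" \
      | sed -n 's/^xen_commandline[[:space:]]*:[[:space:]]*//p' \
      | tr ' ' '\n' | sed -n 's/^ept=//p' | tr ',' '\n' | grep -q '^no-ad$'
}

# 0 if the `xl list -l` JSON text contains at least one PV domain.
has_pv_guests() {
    printf '%s\n' "$1" | grep -q '"type": *"pv"'
}

# Prints one word: not-intel | ad-disabled | pml-possible
pml_status() {
    if ! is_intel "$1"; then echo not-intel
    elif ept_ad_disabled "$2"; then echo ad-disabled
    else echo pml-possible
    fi
}

# Prints pv-present | no-pv, so the HVM / PV-shim suggestion can be acted on.
pv_status() {
    if has_pv_guests "$1"; then echo pv-present; else echo no-pv; fi
}

# Constructed sample inputs (the real /proc/cpuinfo uses a tab before ':').
SAMPLE_CPUINFO='vendor_id : GenuineIntel
model name : (constructed sample)'
SAMPLE_XLINFO_DEFAULT='xen_version            : 4.13.0
xen_commandline        : console=vga dom0_mem=4096M'
SAMPLE_XLINFO_NOAD='xen_commandline        : console=vga ept=pml,no-ad dom0_mem=4096M'
SAMPLE_XLLIST='[ { "domid": 1, "config": { "c_info": { "type": "pv", "name": "g1" } } } ]'

echo "default boot: $(pml_status "$SAMPLE_CPUINFO" "$SAMPLE_XLINFO_DEFAULT")"
echo "ept=no-ad:    $(pml_status "$SAMPLE_CPUINFO" "$SAMPLE_XLINFO_NOAD")"
echo "guests:       $(pv_status "$SAMPLE_XLLIST")"
```

On a live dom0 (as root) the same functions take `pml_status "$(cat /proc/cpuinfo)" "$(xl info)"` and `pv_status "$(xl list -l)"`.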

RESOLUTION
==========

There is no complete resolution available.

In general, administrators of Xen systems are recommended to take no
action in response to this vulnerability.

If potential LVI gadgets are discovered in Xen, they will be addressed
on a case by case basis, in the same way as Spectre v1 hardening.

NOTE REGARDING LACK OF EMBARGO
==============================

Despite an attempt to organise predisclosure, the discoverers ultimately
did not authorise a predisclosure.
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----