Operating System:

[WIN][UNIX/Linux][Virtual]

Published:

10 June 2020

Protect yourself against future threats.

//Service

Sensitive Information Alert

Alert notification provided via email for sensitive material found online by our analyst team which specifically targets your organisation.

Read more
Resources > Security Bulletins > ESB-2020.2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2011
    Xen: Special Register Buffer speculative side channel vulnerability
                               10 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Virtualisation
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-0543  

Reference:         ESB-2020.2005
                   ESB-2020.2003
                   ESB-2020.1999
                   ESB-2020.1994

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-320.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-0543 / XSA-320

           Special Register Buffer speculative side channel

ISSUE DESCRIPTION
=================

This issue is related to the MDS and TAA vulnerabilities.  Please see
https://xenbits.xen.org/xsa/advisory-297.html (MDS) and
https://xenbits.xen.org/xsa/advisory-305.html (TAA) for details.

Certain processor operations microarchitecturally need to read data from
outside the physical core (e.g. to communicate with the random number
generator).  In some implementations, this operation is called a Special
Register Read.

In some implementations, data are staged in a single shared buffer, and
a full cache line at a time is returned to the core which made the
Special Register Read.  On parts vulnerable to MFBDS or TAA, an attacker
may be able to access stale data requested by other cores in the system.

For more details, see:
  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00320.html

IMPACT
======

An attacker, which could include a malicious untrusted user process on a
trusted guest, or an untrusted guest, can sample the contents of
certain off-core accesses by other cores in the system.

This can include data whose use may depend on the secrecy of the value,
such as data from the Random Number Generator (e.g. RDRAND/RDSEED
instructions).

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Only x86 processors are vulnerable.
ARM processors are not believed to be vulnerable.

Only Intel based processors are affected.  Processors from other
manufacturers (e.g. AMD) are not believed to be vulnerable.

Please consult the Intel Security Advisory for details on the affected
processors.

MITIGATION
==========

There is no mitigation available.

RESOLUTION
==========

New microcode is being released on affected parts to work around the
vulnerability.  It may be available via a firmware update (consult your
hardware vendor), or available for OS loading (consult your dom0 OS
vendor).

On Xen 4.13 and later, OS microcode can be loaded at runtime. See
https://xenbits.xen.org/docs/latest/admin-guide/microcode-loading.html#runtime-microcode-loading
for details on the xen-ucode utility.

Loading the microcode, either at boot or at runtime, suffices to
mitigate the issue, as protections are active by default.  The
mitigations do have an impact on latency of individual RDRAND/RDSEED
instructions.

The patches below are for Xen, and offer boot time information, defaults
selection, and opt-out controls.  They are recommended to take, but not
absolutely necessary for protection.

Note that patches for released versions are generally prepared to apply
to the stable branches, and may not apply cleanly to the most recent
release tarball.  Downstreams are encouraged to update to the tip of the
stable branch before applying these patches.

xsa320/xsa320-.patch        xen-unstable
xsa320/xsa320-4.13-.patch   Xen 4.13.x
xsa320/xsa320-4.12-.patch   Xen 4.12.x
xsa320/xsa320-4.11-.patch   Xen 4.11.x
xsa320/xsa320-4.10-.patch   Xen 4.10.x
xsa320/xsa320-4.9-.patch    Xen 4.9.x

$ sha256sum xsa320*/*
84e4f66492042b08e69b0894ea7feb20c17c89a696cf95f05a8826fba4f26355  xsa320/xsa320-1.patch
5a3a06c72d0281fa1191ba18e39b836d2748400d9bf6a59dd45447850530c88b  xsa320/xsa320-2.patch
759259ef88c980363d44e11d9c272f6a4a15918e5e6bcdfe971b1ce7ea160cd9  xsa320/xsa320-4.9-1.patch
ebac2c011841c55c3c1e99d9e8afc53e56e54268d379ec8b904f6bfe6a1a5045  xsa320/xsa320-4.9-2.patch
5c622c74358ab21cbd27484c649f26df0f08e89ec333c346415bc51e35ba26c1  xsa320/xsa320-4.10-1.patch
f112e34a6a4564a043926fc255a15c7e319001bd023a97ae2947228024e1c306  xsa320/xsa320-4.10-2.patch
f24b51292be0cb5de80c6eff0b26983629dd48cc39ae5a331e2e38e15a6cf712  xsa320/xsa320-4.11-1.patch
03579810eaf2e9eeb1a82de4b50ff5c4b01e60b30ccf7609c9e3378ef576d81e  xsa320/xsa320-4.11-2.patch
282537ffe2fd4332c0e061ddc537bea3e135a7bbd9253ec298becb49047323cf  xsa320/xsa320-4.12-1.patch
e4417429297354c233e8f5c261aff4888aae602f8c68897c09b16ea1aa44b1ca  xsa320/xsa320-4.12-2.patch
611f2ab1a1c67e04767188d9803b6afd7d304e81a5b4f1eb1744d3e8a68ced66  xsa320/xsa320-4.13-1.patch
cd1bc0071e72e2342ff4508ea3d937988694f4c03506b3afb3184f7d81aa1c86  xsa320/xsa320-4.13-2.patch
$

NOTE REGARDING LACK OF EMBARGO
==============================

Despite an attempt to organise predisclosure, the discoverers ultimately
did not authorise a predisclosure.
- -----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl7fufEMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZCNgIALz6dLCvvznL7n3HFzYgKcelmOySjoZ52hJhg6ki
N4C1AaPQmo1QPprycmuJ4uQIcLUP55Nh+h19V5PnRqSX1+7Qa8TXnv2TTpVK58fC
JBfWBZ3xiXYdmaQOWYlJtD1Nq3vywA0LII9TZ7JdCUxjmPxn2y5ZOv6lRG6P9CVJ
U+w3py0Zt32ZwYvVCbBPP49SdQmArH2BItEbGSQR5xeKnD/8Bx2/9odN0Mrnq5RQ
euJxRled3nCGw6tWZJj3uYOy+dWWfmFwPFoFvI++zhrcwWGprcgjFuSGFbsGttMD
ZB9+CZIJAHvgU4wu/B4SflHDgsmJS+iCmDR6e/NUlLohej0=
=w+E7
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXuBfxuNLKJtyKPYoAQhkjg/+KAmoCYDUwwET8pW+2/NGDjYhzAqLGyEZ
aNvOcbF1Yoj5OD+CEaTItm913WTOzKlSuqeNR7rsVwXJI1VYeyx1pCNzxCb9mQE+
cUsQ48EsNWA7pNOan3A5SDhbFBbNEGidfqOOq3X/GNa6Om8EH3MgXmevwyO+rrM5
8vJaYQZ+ksWc4PwcRuNYYQ5aYIGVej+KysUlyHAdxzSDmW/SBrFhEe0kMJT0NuEh
f7YR+O5v5A3ND2No+GHkJH8ZCZZqkXj6DT66Jd/UzobFOqOJDYhkaYm+K3DOlP1h
jkl4Q+smtJB4eHv5InVz4P5xDfuJTwU3XY02MwK0dv/0xccf9zRGjc0CffI1PVGa
LtkAYPqwIQzHzpZV3UWYUxcZYb21JkQwpW1Wcvn5dPtyol50xM16cjzE0iTpXNKA
tUl35fDnaQ+WdqH8yVmTF5E6//JPAJ3mT4n8EjRcLBARUOWivTodHAnvPpqLYUnr
IrQ7jpJqtlpOgB30OYmA+k9CNtTugqTb6SEzXYY+cbH77h4XnuoQVJi9fZHSCR6y
NHo8GWrsUcQQjLYoOWITf2996wPNbD3S9m8KDf0/jn44EBCk+VEbgpKjKpxep+eZ
EGaMLN5WiQteLGYdqVMFqMu1DLegCDdhSz3QAewrjpC1Auz0QCJrCAqk1dzSTa4o
WTyUulMlOls=
=po1z
-----END PGP SIGNATURE-----