===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0583
    arm: The cache may not be cleaned for newly allocated scrubbed pages
                              17 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Arm
Publisher:         Xen
Operating System:  Xen
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-26933

Original Bulletin:
   http://xenbits.xen.org/xsa/advisory-364.html

--------------------------BEGIN INCLUDED TEXT--------------------

            Xen Security Advisory CVE-2021-26933 / XSA-364
                               version 3

   arm: The cache may not be cleaned for newly allocated scrubbed pages

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

On Arm, a guest is allowed to control whether memory accesses bypass the
cache.  This means that Xen needs to ensure that all writes (such as
the ones during scrubbing) have reached memory before handing over the
page to a guest.

Unfortunately the operation to clean the cache happens before checking
if the page was scrubbed.  Therefore there is no guarantee when all
the writes will reach the memory.

IMPACT
======

A malicious guest may be able to read sensitive data from memory that
previously belonged to another guest.

VULNERABLE SYSTEMS
==================

Xen versions 4.9 onwards are vulnerable.  Only Arm systems are vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Julien Grall of Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.
Downstreams are encouraged to update to the tip of
the stable branch before applying these patches.

xsa364.patch           xen-unstable - 4.11

$ sha256sum xsa364*
c9dcb3052bb6ca4001e02b3ad889c70b4eebf1931bef83dfb7de86452851f3c8  xsa364.meta
dc313c70bb07b4096bbc4612cbbc180589923277411dede2fda37f04ecc846d6  xsa364.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
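
The ordering problem in the ISSUE DESCRIPTION above, as an added example that is not part of the advisory and is not Xen code: a toy C model in which scrub writes land in a write-back cache and the newly allocated page is then read with the cache bypassed. The structure, the function names and the 0x5A fill pattern are constructed for illustration, and the model assumes the worst case in which no dirty line is evicted on its own.

```c
/* Toy model of the ordering issue described in XSA-364 (not Xen code;
 * every name here is hypothetical). Worst case: no dirty line is evicted. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define PAGE_BYTES 16
struct toy_page {
    unsigned char ram[PAGE_BYTES];   /* what a cache-bypassing access sees */
    unsigned char cache[PAGE_BYTES]; /* write-back cache copy of the page */
    bool dirty;                      /* cache holds writes not yet in RAM */
    bool need_scrub;                 /* scrub deferred until allocation */
};

static void scrub(struct toy_page *pg)       /* zeroes land in the cache */
{
    memset(pg->cache, 0, PAGE_BYTES);
    pg->dirty = true;
    pg->need_scrub = false;
}

static void clean_cache(struct toy_page *pg) /* write dirty data to RAM */
{
    if (pg->dirty)
        memcpy(pg->ram, pg->cache, PAGE_BYTES);
    pg->dirty = false;
}

/* Allocate a page that still holds a previous owner's data (constructed
 * 0x5A pattern) and return how many stale bytes an uncached read sees. */
int stale_bytes_after_alloc(bool clean_after_scrub)
{
    struct toy_page pg = { .dirty = false, .need_scrub = true };
    int stale = 0;
    memset(pg.ram, 0x5A, PAGE_BYTES);
    memset(pg.cache, 0x5A, PAGE_BYTES);
    if (!clean_after_scrub)
        clean_cache(&pg);   /* order described as faulty: clean, then scrub */
    if (pg.need_scrub)
        scrub(&pg);
    if (clean_after_scrub)
        clean_cache(&pg);   /* corrected order: the clean covers the scrub */
    for (int i = 0; i < PAGE_BYTES; i++) stale += (pg.ram[i] != 0);
    return stale;
}

int main(void)
{
    printf("clean-then-scrub: %d stale bytes, scrub-then-clean: %d\n",
           stale_bytes_after_alloc(false), stale_bytes_after_alloc(true));
}
```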