===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2041
          x86: TSX Async Abort protections not restored after S3
                                9 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Transactional Synchronization Extensions (TSX)
Publisher:         Xen
Operating System:  Xen
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-28690

Original Bulletin:
   http://xenbits.xen.org/xsa/advisory-377.html

--------------------------BEGIN INCLUDED TEXT--------------------

            Xen Security Advisory CVE-2021-28690 / XSA-377
                               version 2

         x86: TSX Async Abort protections not restored after S3

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

This issue relates to the TSX Async Abort speculative security vulnerability.
Please see https://xenbits.xen.org/xsa/advisory-305.html for details.

Mitigating TAA by disabling TSX (the default and preferred option) requires
selecting a non-default setting in MSR_TSX_CTRL.  This setting isn't restored
after S3 suspend.

IMPACT
======

After using S3 suspend at least once, CPU0 remains vulnerable to TAA.

This is an information leak.  For full details of the impact, see XSA-305.

VULNERABLE SYSTEMS
==================

See XSA-305 for details of susceptibility to TAA.

Only systems which are susceptible to TAA and have the XSA-305 fix are
vulnerable.

Only systems which support S3 suspend/resume are vulnerable.

The vulnerability is only exposed if S3 suspend/resume is used.

MITIGATION
==========

Not using S3 suspend/resume avoids the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa377.patch           xen-unstable - Xen 4.13.x
xsa377-4.12.patch      Xen 4.12.x
xsa377-4.11.patch      Xen 4.11.x

$ sha256sum xsa377*
532cb030f97d72e8e534ad97182cd5e3aa0efeef405e255bb49649b4f0dd9947  xsa377.meta
21a30dbf80f6e78057cc7e785c8fda475d5a8a0b6b9442af3bd8ca31dd69becf  xsa377.patch
3279317d56e7b8d0a2b0152b64b4c577381b8b01fa0a1a21ec6f855bb964278a  xsa377-4.11.patch
65f61f1cb7bb0e068fd32e40755b9a9aae464d15ccd42c94dae68e495c5a45e0  xsa377-4.12.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
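
The condition described under ISSUE DESCRIPTION and IMPACT (one CPU left with the default MSR_TSX_CTRL value after S3) can be audited once a raw per-CPU reading of that MSR is available. The following C code is an added example, not part of the Xen advisory or its patch; the MSR index and bit names follow Intel's IA32_TSX_CTRL definition, while the struct, the function name, the expected mask and the sample readings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IA32_TSX_CTRL, referred to as MSR_TSX_CTRL in the advisory. */
#define MSR_TSX_CTRL          0x122u
#define TSX_CTRL_RTM_DISABLE  (1ull << 0)  /* RTM transactions always abort */
#define TSX_CTRL_CPUID_CLEAR  (1ull << 1)  /* RTM/HLE hidden from CPUID */

/* Assumption: the mitigated ("TSX disabled") setting has both bits set. */
#define TSX_MITIGATED (TSX_CTRL_RTM_DISABLE | TSX_CTRL_CPUID_CLEAR)

/* One raw MSR_TSX_CTRL reading per logical CPU (hypothetical record;
 * how the value is captured from hardware is outside this example). */
struct tsx_sample { unsigned int cpu; uint64_t tsx_ctrl; };

/* Returns a bitmask (bit n = CPU n) of CPUs whose reading is missing any
 * bit of `expected`. CPUs numbered 64 or above are not representable in
 * the mask and are skipped. */
uint64_t tsx_unprotected_cpus(const struct tsx_sample *s, size_t n,
                              uint64_t expected)
{
    uint64_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i].cpu >= 64)
            continue;
        if ((s[i].tsx_ctrl & expected) != expected)
            bad |= 1ull << s[i].cpu;
    }
    return bad;
}

/* Constructed readings: every CPU mitigated after boot; after one S3
 * cycle on an unpatched host CPU0 is back at the default value. */
static const struct tsx_sample after_boot[] = {{0, 3}, {1, 3}, {2, 3}, {3, 3}};
static const struct tsx_sample after_s3[]   = {{0, 0}, {1, 3}, {2, 3}, {3, 3}};

int main(void)
{
    printf("MSR %#x, unprotected CPU mask after boot: %#llx\n", MSR_TSX_CTRL,
           (unsigned long long)tsx_unprotected_cpus(after_boot, 4, TSX_MITIGATED));
    printf("MSR %#x, unprotected CPU mask after S3:   %#llx\n", MSR_TSX_CTRL,
           (unsigned long long)tsx_unprotected_cpus(after_s3, 4, TSX_MITIGATED));
    return 0;
}
```

A non-zero mask after resume on a host that booted with a zero mask is the state the advisory describes; the check should be rerun after every S3 cycle, since the boot-time result says nothing about the resume path.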