Bug 1196915 - VUL-0: CVE-2022-0001, CVE-2022-0002,CVE-2021-26401: xen: BHB speculation issues (XSA-398)
Status: RESOLVED FIXED
Duplicates: 1196901
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/312331/
Depends on:
Blocks: CVE-2022-0001
Reported: 2022-03-09 10:38 UTC by Marcus Meissner
Modified: 2022-09-14 07:34 UTC (History)
CC List: 18 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xsa398.tar.bz2 (15.40 KB, application/x-bzip)
2022-03-09 12:23 UTC, Marcus Meissner

Description Marcus Meissner 2022-03-09 10:38:01 UTC
+++ This bug was initially created as a clone of Bug #1191580 +++

XEN part

                    Xen Security Advisory XSA-398

                  Multiple speculative security issues

ISSUE DESCRIPTION
=================

Note: Multiple issues are contained in this XSA due to their interactions.

1) Researchers at VU Amsterdam have discovered Spectre-BHB, pertaining
   to the use of Branch History between privilege levels.

   ARM have assigned CVE-2022-23960.  Intel have assigned CVE-2022-0001
   (Branch History Injection) and CVE-2022-0002 (Intra-mode BTI).  AMD
   have no statement at the time of writing.

   For more details, see:
     https://vusec.net/projects/bhi-spectre-bhb
     https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
     https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html

2) Researchers at Open Source Security, Inc. have discovered that AMD
   CPUs may speculate beyond direct branches.

   AMD have assigned CVE-2021-26341.

   For more details, see:
     https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before
     https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1026

3) Researchers at Intel have discovered that the previous Spectre-v2
   recommendation of using lfence/jmp is incomplete.

   AMD have assigned CVE-2021-26401.

   For more details, see:
     https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036

IMPACT
======

An attacker might be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Whether a CPU is potentially vulnerable depends on its
microarchitecture.  Consult your hardware vendor.

Xen does not have a managed runtime environment, so is not believed to
be vulnerable to CVE-2022-0002 irrespective of any hardware
susceptibility.

Xen does not have any known gadgets vulnerable to Direct Branch Straight
Line Speculation.  Therefore, no changes for CVE-2021-26341 are being
provided at this time.

The AMD BTI (Spectre v2) protections do not depend on isolating
predictions between different privileges, so the fact that Branch
History is shared (just like the Branch Target Buffer) is not believed
to be relevant to existing mitigations.  Therefore, there is no believed
impact from Spectre-BHB on AMD hardware.

Patches to mitigate CVE-2022-23960 on affected ARM CPUs are provided.

Intel have recommended not making any changes by default for
CVE-2022-0001.  Existing Spectre-v2 mitigations on pre-eIBRS hardware
are believed to be sufficient.  On eIBRS capable hardware, there is
uncertainty over the utility of Branch History Injection to an
adversary.  However, the risk can be removed by using eIBRS in
combination with retpoline.

For CVE-2021-26401, AMD have recommended using retpoline in preference
to lfence/jmp as previously recommended to mitigate Spectre-v2.  This
recommendation also mitigates any risk from Branch History Injection.

For both CVE-2022-0001 on Intel, and CVE-2021-26401 on AMD, the
suggestion to use retpoline is incompatible with CET Shadow Stacks as
implemented in Xen 4.14 and later.  The security team has decided that
disabling CET Shadow Stacks to work around speculation problems is not a
reasonable option for downstreams and end users.

Therefore, patches are also provided to:
 * Use IBRS on capable AMD hardware.  This also mitigates
   CVE-2021-26401.
 * Use CET Indirect Branch Tracking on capable Intel hardware.  CET-IBT
   has architectural guarantees about halting speculation, on top of
   being a hardware mechanism to protect against Call/Jump Oriented
   Programming attacks.

Both provide CET Shadow Stack compatible mitigations to these issues.  A
practical consequence of this decision is that CET Shadow Stacks are now
considered security supported, upgraded from Tech Preview previously.

Note: CET-IBT patches are incomplete and will be backported at a later date.

MITIGATION
==========

On AMD systems, CVE-2021-26401 can be mitigated by specifying:

 With CET-SS,    `spec-ctrl=bti-thunk=jmp,ibrs`
 Without CET-SS, `spec-ctrl=bti-thunk=retpoline`

on Xen's command line, and rebooting.
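The two command-line settings above are what an administrator wants to verify on a patched AMD host. As an added example (not part of XSA-398 or of this bug), here is a POSIX shell checker that parses the `spec-ctrl=` option of a Xen command line and reports whether it carries either advisory setting. The sample command lines are constructed; the parsing rules (comma-separated sub-options, a later occurrence overrides an earlier one, a `no-` prefix negates a boolean sub-option) are my reading of the spec-ctrl syntax and are assumptions here; the `xl info` extraction in the comment is mine, not from the advisory. It also catches the partial case of a `jmp` thunk without `ibrs`, which the advisory does not list as a mitigation.

```shell
#!/bin/sh
# Added example, not part of XSA-398 or of this bug: check whether a Xen
# command line carries one of the two CVE-2021-26401 settings the advisory
# recommends. Assumed spec-ctrl syntax: sub-options are comma-separated,
# a later occurrence of a sub-option overrides an earlier one, and a
# "no-" prefix negates a boolean sub-option.

# Print the effective value of one spec-ctrl sub-option from a Xen command
# line. "key=value" prints the value, a bare "key" prints 1, "no-key"
# prints 0, and an unset key prints nothing.
spec_ctrl_opt() {
    cmdline=$1
    key=$2
    value=""
    for tok in $cmdline; do
        case $tok in
            spec-ctrl=*) ;;
            *) continue ;;
        esac
        subopts=${tok#spec-ctrl=}
        oldifs=$IFS
        IFS=,
        for opt in $subopts; do
            case $opt in
                "$key"=*)   value=${opt#*=} ;;
                "$key")     value=1 ;;
                no-"$key")  value=0 ;;
            esac
        done
        IFS=$oldifs
    done
    printf '%s' "$value"
}

# Return 0 (and print a verdict) when the command line matches either
# advisory setting:
#   With CET-SS:    bti-thunk=jmp together with ibrs
#   Without CET-SS: bti-thunk=retpoline
# Anything else (lfence thunk, jmp without IBRS, spec-ctrl absent) returns 1.
bhb_mitigated() {
    thunk=$(spec_ctrl_opt "$1" bti-thunk)
    ibrs=$(spec_ctrl_opt "$1" ibrs)
    case "$thunk/$ibrs" in
        retpoline/*) echo "mitigated: retpoline thunk (without CET-SS)"; return 0 ;;
        jmp/1)       echo "mitigated: jmp thunk + IBRS (CET-SS compatible)"; return 0 ;;
    esac
    echo "NOT mitigated: bti-thunk=${thunk:-unset} ibrs=${ibrs:-unset}"
    return 1
}

# Constructed sample command lines (not taken from any real host).
SAMPLE_CETSS="dom0_mem=4096M spec-ctrl=bti-thunk=jmp,ibrs console=com1"
SAMPLE_RETPOLINE="dom0_mem=4096M spec-ctrl=bti-thunk=retpoline"
SAMPLE_UNFIXED="dom0_mem=4096M spec-ctrl=bti-thunk=lfence"

# On a live dom0, feed the real value instead; `xl info` reports it in its
# xen_commandline field (the sed extraction is my own, not from the advisory):
#   bhb_mitigated "$(xl info | sed -n 's/^xen_commandline *: *//p')"
for line in "$SAMPLE_CETSS" "$SAMPLE_RETPOLINE" "$SAMPLE_UNFIXED"; do
    bhb_mitigated "$line" || true
done
```

The check only looks at the boot parameters; a host that was patched but not rebooted, or one running a Xen 4.4-or-earlier tree where the lfence thunk never existed, needs to be judged from the package version and uptime as well.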
Comment 1 Marcus Meissner 2022-03-09 12:23:38 UTC
Created attachment 856878
xsa398.tar.bz2

xsa398.tar.bz2 patches attached
Comment 3 Marcus Meissner 2022-03-09 13:50:08 UTC
*** Bug 1196901 has been marked as a duplicate of this bug. ***
Comment 5 OBSbugzilla Bot 2022-03-14 22:20:03 UTC
This is an autogenerated message for OBS integration:
This bug (1196915) was mentioned in
https://build.opensuse.org/request/show/961753 Factory / xen
Comment 8 Gianluca Gabrielli 2022-03-18 15:27:49 UTC
                    Xen Security Advisory XSA-398
                              version 2

                  Multiple speculative security issues

UPDATES IN VERSION 2
====================

 * Provide more specific ARM URL
 * Provide additional link to the Intel technical whitepaper

ISSUE DESCRIPTION
=================

Note: Multiple issues are contained in this XSA due to their interactions.

1) Researchers at VU Amsterdam have discovered Spectre-BHB, pertaining
   to the use of Branch History between privilege levels.

   ARM have assigned CVE-2022-23960.  Intel have assigned CVE-2022-0001
   (Branch History Injection) and CVE-2022-0002 (Intra-mode BTI).  AMD
   have no statement at the time of writing.

   For more details, see:
     https://vusec.net/projects/bhi-spectre-bhb
     https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb
     https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html
     https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html

2) Researchers at Open Source Security, Inc. have discovered that AMD
   CPUs may speculate beyond direct branches.

   AMD have assigned CVE-2021-26341.

   For more details, see:
     https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before
     https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1026

3) Researchers at Intel have discovered that the previous Spectre-v2
   recommendation of using lfence/jmp is incomplete.

   AMD have assigned CVE-2021-26401.

   For more details, see:
     https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036
Comment 9 Swamp Workflow Management 2022-03-22 14:23:28 UTC
SUSE-SU-2022:0931-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1196915
CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xen-4.12.4_20-3.63.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xen-4.12.4_20-3.63.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xen-4.12.4_20-3.63.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xen-4.12.4_20-3.63.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xen-4.12.4_20-3.63.1
SUSE Enterprise Storage 6 (src):    xen-4.12.4_20-3.63.1
SUSE CaaS Platform 4.0 (src):    xen-4.12.4_20-3.63.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2022-03-23 14:16:48 UTC
SUSE-SU-2022:0940-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1191668,1194267,1196915
CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    xen-4.14.4_02-150300.3.21.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xen-4.14.4_02-150300.3.21.1
SUSE Linux Enterprise Micro 5.1 (src):    xen-4.14.4_02-150300.3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-03-23 14:19:44 UTC
SUSE-SU-2022:0939-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1196915
CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.4_20-3.61.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.4_20-3.61.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-03-23 14:20:44 UTC
openSUSE-SU-2022:0940-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1191668,1194267,1196915
CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    xen-4.14.4_02-150300.3.21.1
Comment 17 Swamp Workflow Management 2022-04-20 19:20:15 UTC
SUSE-SU-2022:1285-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1196915,1197423,1197425,1197426
CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002,CVE-2022-26356,CVE-2022-26357,CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_28-2.73.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_28-2.73.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_28-2.73.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_28-2.73.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2022-04-22 10:19:55 UTC
SUSE-SU-2022:1300-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1194267,1196915,1197423,1197425,1197426
CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002,CVE-2022-26356,CVE-2022-26357,CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    xen-4.13.4_08-150200.3.50.1
SUSE Manager Retail Branch Server 4.1 (src):    xen-4.13.4_08-150200.3.50.1
SUSE Manager Proxy 4.1 (src):    xen-4.13.4_08-150200.3.50.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    xen-4.13.4_08-150200.3.50.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    xen-4.13.4_08-150200.3.50.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    xen-4.13.4_08-150200.3.50.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    xen-4.13.4_08-150200.3.50.1
SUSE Linux Enterprise Micro 5.0 (src):    xen-4.13.4_08-150200.3.50.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    xen-4.13.4_08-150200.3.50.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    xen-4.13.4_08-150200.3.50.1
SUSE Enterprise Storage 7 (src):    xen-4.13.4_08-150200.3.50.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2022-04-25 16:22:21 UTC
SUSE-SU-2022:1359-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1196915,1197423,1197425,1197426
CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002,CVE-2022-26356,CVE-2022-26357,CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_34-150000.3.74.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_34-150000.3.74.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_34-150000.3.74.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2022-04-25 19:32:59 UTC
SUSE-SU-2022:1375-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1182846,1196915,1197423,1197425,1197426
CVE References: CVE-2021-20257,CVE-2021-26401,CVE-2022-0001,CVE-2022-0002,CVE-2022-26356,CVE-2022-26357,CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_22-43.88.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2022-04-26 13:18:50 UTC
SUSE-SU-2022:1408-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1196915,1197423,1197425,1197426
CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002,CVE-2022-26356,CVE-2022-26357,CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_28-3.103.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_28-3.103.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_28-3.103.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_28-3.103.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_28-3.103.1
HPE Helion Openstack 8 (src):    xen-4.9.4_28-3.103.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Jan Beulich 2022-07-26 08:14:31 UTC
(In reply to Marcus Meissner from comment #0)
> VULNERABLE SYSTEMS
> ==================
> 
> Systems running all versions of Xen are affected.

This is wrong, at least as far as our trees are concerned. In Xen 4.4 and earlier LFENCE based thunks were never introduced, due to the lack of alternatives patching. Therefore the switching away from this form of thunks is a no-op on these branches.

Afaict on this basis all affected trees have been dealt with here.
Comment 23 Charles Arnold 2022-07-26 11:46:47 UTC
(In reply to Jan Beulich from comment #22)
> (In reply to Marcus Meissner from comment #0)
> > VULNERABLE SYSTEMS
> > ==================
> > 
> > Systems running all versions of Xen are affected.
> 
> This is wrong, at least as far as our trees are concerned. In Xen 4.4 and
> earlier LFENCE based thunks were never introduced, due to the lack of
> alternatives patching. Therefore the switching away from this form of thunks
> is a no-op on these branches.
> 
> Afaict on this basis all affected trees have been dealt with here.

Reassigning back to security.
Comment 24 Hu 2022-09-14 07:34:50 UTC
Fixed