Bugzilla – Bug 1196915
VUL-0: CVE-2022-0001, CVE-2022-0002,CVE-2021-26401: xen: BHB speculation issues (XSA-398)
Last modified: 2022-09-14 07:34:50 UTC
+++ This bug was initially created as a clone of Bug #1191580 +++ XEN part Xen Security Advisory XSA-398 Multiple speculative security issues ISSUE DESCRIPTION ================= Note: Multiple issues are contained in this XSA due to their interactions. 1) Researchers at VU Amsterdam have discovered Spectre-BHB, pertaining to the use of Branch History between privilege levels. ARM have assigned CVE-2022-23960. Intel have assigned CVE-2022-0001 (Branch History Injection) and CVE-2022-0002 (Intra-mode BTI). AMD have no statement at the time of writing. For more details, see: https://vusec.net/projects/bhi-spectre-bhb https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html 2) Researchers at Open Source Security, Inc. have discovered that AMD CPUs may speculate beyond direct branches. AMD have assigned CVE-2021-26341. For more details, see: https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1026 3) Researchers at Intel have discovered that previous Spectre-v2 recommendations of using lfence/jmp is incomplete. AMD have assigned CVE-2021-26401. For more details, see: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036 IMPACT ====== An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. VULNERABLE SYSTEMS ================== Systems running all versions of Xen are affected. Whether a CPU is potentially vulnerable depends on its microarchitecture. Consult your hardware vendor. Xen does not have a managed runtime environment, so is not believed to be vulnerable to CVE-2022-0002 irrespective of any hardware susceptibility. Xen does not have any known gadgets vulnerable to Direct Branch Straight Line Speculation. Therefore, no changes for CVE-2021-26341 are being provided at this time. The AMD BTI (Spectre v2) protections do not depend on isolating predictions between different privileges, so the fact that Branch History is shared (just like the Branch Target Buffer) is not believed to be relevant to existing mitigations. Therefore, there is no believed impact from Spectre-BHB on AMD hardware. Patches to mitigate CVE-2022-23960 on affected ARM CPUs are provided. Intel have recommended not making any changes by default for CVE-2022-0001. Existing Spectre-v2 mitigations on pre-eIBRS hardware are believed to be sufficient. On eIBRS capable hardware, there is uncertainty over the utility of Branch History Injection to an adversary. However, the risk can be removed by using eIBRS in combination with retpoline. For CVE-2021-26401, AMD have recommended using retpoline in preference to lfence/jmp as previously recommended to mitigate Spectre-v2. This recommendation also mitigates any risk from Branch History Injection. For both CVE-2022-0001 on Intel, and CVE-2021-26401 on AMD, the suggestion to use retpoline is incompatible with CET Shadow Stacks as implemented in Xen 4.14 and later. The security team has decided that disabling CET Shadow Stacks to work around speculation problems is not a reasonable option for downstreams and end users. Therefore, patches are also provided to: * Use IBRS on capable AMD hardware. This also mitigates CVE-2021-26401. * Use CET Indirect Branch Tracking on capable Intel hardware. CET-IBT has architectural guarantees about halting speculation, on top of being a hardware mechanism to protect against Call/Jump Oriented Programming attacks. Both provide CET Shadow Stack compatible mitigations to these issues. A practical consequence of this decision is that CET Shadow Stacks are now considered security supported, upgraded from Tech Preview previously. Note: CET-IBT patches are incomplete and will be backported at a later date. MITIGATION ========== On AMD systems, CVE-2021-26401 can be mitigated by specifying: With CET-SS, `spec-ctrl=bti-thunk=jmp,ibrs` Without CET-SS, `spec-ctrl=bti-thunk=retpoline` on Xen's command line, and rebooting.
Created attachment 856878 [details] xsa398.tar.bz2 xsa398.tar.bz2 patches attached
*** Bug 1196901 has been marked as a duplicate of this bug. ***
This is an autogenerated message for OBS integration: This bug (1196915) was mentioned in https://build.opensuse.org/request/show/961753 Factory / xen
Xen Security Advisory XSA-398 version 2 Multiple speculative security issues UPDATES IN VERSION 2 ==================== * Provide more specific ARM URL * Provide additional link to the Intel technical whitepaper ISSUE DESCRIPTION ================= Note: Multiple issues are contained in this XSA due to their interactions. 1) Researchers at VU Amsterdam have discovered Spectre-BHB, pertaining to the use of Branch History between privilege levels. ARM have assigned CVE-2022-23960. Intel have assigned CVE-2022-0001 (Branch History Injection) and CVE-2022-0002 (Intra-mode BTI). AMD have no statement at the time of writing. For more details, see: https://vusec.net/projects/bhi-spectre-bhb https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html 2) Researchers at Open Source Security, Inc. have discovered that AMD CPUs may speculate beyond direct branches. AMD have assigned CVE-2021-26341. For more details, see: https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1026 3) Researchers at Intel have discovered that previous Spectre-v2 recommendations of using lfence/jmp is incomplete. AMD have assigned CVE-2021-26401. For more details, see: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036
SUSE-SU-2022:0931-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1196915 CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002 JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15-SP1 (src): xen-4.12.4_20-3.63.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): xen-4.12.4_20-3.63.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): xen-4.12.4_20-3.63.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): xen-4.12.4_20-3.63.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): xen-4.12.4_20-3.63.1 SUSE Enterprise Storage 6 (src): xen-4.12.4_20-3.63.1 SUSE CaaS Platform 4.0 (src): xen-4.12.4_20-3.63.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:0940-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1027519,1191668,1194267,1196915 CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002 JIRA References: Sources used: SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): xen-4.14.4_02-150300.3.21.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): xen-4.14.4_02-150300.3.21.1 SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.4_02-150300.3.21.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:0939-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1196915 CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): xen-4.12.4_20-3.61.1 SUSE Linux Enterprise Server 12-SP5 (src): xen-4.12.4_20-3.61.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2022:0940-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1027519,1191668,1194267,1196915 CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002 JIRA References: Sources used: openSUSE Leap 15.3 (src): xen-4.14.4_02-150300.3.21.1
SUSE-SU-2022:1285-1: An update that fixes 9 vulnerabilities is now available. Category: security (important) Bug References: 1196915,1197423,1197425,1197426 CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002,CVE-2022-26356,CVE-2022-26357,CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_28-2.73.1 SUSE OpenStack Cloud 9 (src): xen-4.11.4_28-2.73.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): xen-4.11.4_28-2.73.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): xen-4.11.4_28-2.73.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1300-1: An update that fixes 9 vulnerabilities is now available. Category: security (important) Bug References: 1194267,1196915,1197423,1197425,1197426 CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002,CVE-2022-26356,CVE-2022-26357,CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361 JIRA References: Sources used: SUSE Manager Server 4.1 (src): xen-4.13.4_08-150200.3.50.1 SUSE Manager Retail Branch Server 4.1 (src): xen-4.13.4_08-150200.3.50.1 SUSE Manager Proxy 4.1 (src): xen-4.13.4_08-150200.3.50.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): xen-4.13.4_08-150200.3.50.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): xen-4.13.4_08-150200.3.50.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): xen-4.13.4_08-150200.3.50.1 SUSE Linux Enterprise Realtime Extension 15-SP2 (src): xen-4.13.4_08-150200.3.50.1 SUSE Linux Enterprise Micro 5.0 (src): xen-4.13.4_08-150200.3.50.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): xen-4.13.4_08-150200.3.50.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): xen-4.13.4_08-150200.3.50.1 SUSE Enterprise Storage 7 (src): xen-4.13.4_08-150200.3.50.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1359-1: An update that fixes 9 vulnerabilities is now available. Category: security (important) Bug References: 1196915,1197423,1197425,1197426 CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002,CVE-2022-26356,CVE-2022-26357,CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361 JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15 (src): xen-4.10.4_34-150000.3.74.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xen-4.10.4_34-150000.3.74.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xen-4.10.4_34-150000.3.74.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1375-1: An update that fixes 10 vulnerabilities is now available. Category: security (important) Bug References: 1182846,1196915,1197423,1197425,1197426 CVE References: CVE-2021-20257,CVE-2021-26401,CVE-2022-0001,CVE-2022-0002,CVE-2022-26356,CVE-2022-26357,CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361 JIRA References: Sources used: SUSE Linux Enterprise Server 12-SP2-BCL (src): xen-4.7.6_22-43.88.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1408-1: An update that fixes 9 vulnerabilities is now available. Category: security (important) Bug References: 1196915,1197423,1197425,1197426 CVE References: CVE-2021-26401,CVE-2022-0001,CVE-2022-0002,CVE-2022-26356,CVE-2022-26357,CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 8 (src): xen-4.9.4_28-3.103.1 SUSE OpenStack Cloud 8 (src): xen-4.9.4_28-3.103.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): xen-4.9.4_28-3.103.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): xen-4.9.4_28-3.103.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): xen-4.9.4_28-3.103.1 HPE Helion Openstack 8 (src): xen-4.9.4_28-3.103.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Marcus Meissner from comment #0) > VULNERABLE SYSTEMS > ================== > > Systems running all versions of Xen are affected. This is wrong, at least as far as our trees are concerned. In Xen 4.4 and earlier LFENCE based thunks were never introduced, due to the lack of alternatives patching. Therefore the switching away from this form of thunks is a no-op on these branches. Afaict on this basis all affected trees have been dealt with here.
(In reply to Jan Beulich from comment #22) > (In reply to Marcus Meissner from comment #0) > > VULNERABLE SYSTEMS > > ================== > > > > Systems running all versions of Xen are affected. > > This is wrong, at least as far as our trees are concerned. In Xen 4.4 and > earlier LFENCE based thunks were never introduced, due to the lack of > alternatives patching. Therefore the switching away from this form of thunks > is a no-op on these branches. > > Afaict on this basis all affected trees have been dealt with here. Reassigning back to security.
Fixed