Bug 1209019 (CVE-2022-42331) - VUL-0: CVE-2022-42331: xen: x86: speculative vulnerability in 32bit SYSCALL path (XSA-429)
Summary: VUL-0: CVE-2022-42331: xen: x86: speculative vulnerability in 32bit SYSCALL p...
Status: RESOLVED FIXED
Alias: CVE-2022-42331
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/359383/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-42331:5.6:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-03-07 15:53 UTC by Carlos López
Modified: 2023-04-27 16:30 UTC
2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Attached patches (2.81 KB, application/zip)
2023-03-07 15:53 UTC, Carlos López
Description Carlos López 2023-03-07 15:53:39 UTC
Created attachment 865334 [details]
Attached patches

Xen Security Advisory CVE-2022-42331 / XSA-429

          x86: speculative vulnerability in 32bit SYSCALL path

              *** EMBARGOED UNTIL 2023-03-21 12:00 UTC ***

ISSUE DESCRIPTION
=================

Due to an oversight in the very original Spectre/Meltdown security work
(XSA-254), one entrypath performs its speculation-safety actions too
late.

In some configurations, there is an unprotected RET instruction which
can be attacked with a variety of speculative attacks.

IMPACT
======

An attacker might be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 CPUs are potentially vulnerable.  CPUs of other architectures
are not vulnerable.

The problematic codepath is only reachable on x86 CPUs which follow
AMD's behaviour with respect to SYSCALL instructions from compatibility
mode segments.  This means that AMD and Hygon CPUs are potentially
vulnerable, whereas Intel CPUs are not.  Other vendors have not been
checked.

Only PV guests can leverage the vulnerability.

On Xen 4.16 and later, the vulnerability is only present if 32bit PV
guest support is compiled in - i.e. CONFIG_PV32=y.  On Xen 4.15 and
older, all supported build configurations are vulnerable.

The vulnerability is only present when booting on hardware that supports
SMEP or SMAP (Supervisor Mode Execution/Access Prevention).  This is
believed to be some Family 0x16 models, and all later CPUs.

MITIGATION
==========

Not running untrusted PV guests will avoid the issue.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa429.patch           xen-unstable - Xen 4.16
xsa429-4.15.patch      Xen 4.15 - Xen 4.14

$ sha256sum xsa429*
2d7be90d917c475ab5217e657d2b44f5d8b107d9023dca034fcfb7feab07b2f0  xsa429.meta
36ed36dbfaad9e5df5fa87b9a3d9e9c531f476f97eeb2afe280aa238032a0540  xsa429.patch
7ac3d4182585e5d2d39231f10e7c0c9fcb972c82cf81cb884e95b628187de3a7  xsa429-4.15.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 3 Jan Beulich 2023-03-09 08:58:25 UTC
(In reply to Carlos López from comment #0)
> VULNERABLE SYSTEMS
> ==================
> 
> All versions of Xen are vulnerable.

Imo this isn't correct - the offending code doesn't exist in 4.4 and older. This is under discussion upstream.
Comment 5 Carlos López 2023-03-14 14:24:55 UTC
            Xen Security Advisory CVE-2022-42331 / XSA-429
                               version 2

          x86: speculative vulnerability in 32bit SYSCALL path

              *** EMBARGOED UNTIL 2023-03-21 12:00 UTC ***

UPDATES IN VERSION 2
====================

Update affected versions.

ISSUE DESCRIPTION
=================

Due to an oversight in the very original Spectre/Meltdown security work
(XSA-254), one entrypath performs its speculation-safety actions too
late.

In some configurations, there is an unprotected RET instruction which
can be attacked with a variety of speculative attacks.

IMPACT
======

An attacker might be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.

VULNERABLE SYSTEMS
==================

Xen versions 4.5 through 4.17 are vulnerable.  Older versions are not
vulnerable.

Only x86 CPUs are potentially vulnerable.  CPUs of other architectures
are not vulnerable.

The problematic codepath is only reachable on x86 CPUs which follow
AMD's behaviour with respect to SYSCALL instructions from compatibility
mode segments.  This means that AMD and Hygon CPUs are potentially
vulnerable, whereas Intel CPUs are not.  Other vendors have not been
checked.

Only PV guests can leverage the vulnerability.

On Xen 4.16 and later, the vulnerability is only present if 32bit PV
guest support is compiled in - i.e. CONFIG_PV32=y.  On Xen 4.15 and
older, all supported build configurations are vulnerable.

The vulnerability is only present when booting on hardware that supports
SMEP or SMAP (Supervisor Mode Execution/Access Prevention).  This is
believed to be some Family 0x16 models, and all later CPUs.

MITIGATION
==========

Not running untrusted PV guests will avoid the issue.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa429.patch           xen-unstable - Xen 4.16
xsa429-4.15.patch      Xen 4.15 - Xen 4.14

$ sha256sum xsa429*
2d7be90d917c475ab5217e657d2b44f5d8b107d9023dca034fcfb7feab07b2f0  xsa429.meta
36ed36dbfaad9e5df5fa87b9a3d9e9c531f476f97eeb2afe280aa238032a0540  xsa429.patch
7ac3d4182585e5d2d39231f10e7c0c9fcb972c82cf81cb884e95b628187de3a7  xsa429-4.15.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
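The VULNERABLE SYSTEMS and MITIGATION sections of the advisory above (version 2, with its 4.5..4.17 range) are a set of conditions that a host either meets or does not. The following triage helper, an added example and not code from the Xen Project or SUSE, encodes those conditions as a function over constructed inputs (a hypothetical /proc/cpuinfo excerpt and a SUSE-style Xen version string); the vendor strings, flag names and the "unknown" result for vendors the advisory did not check are assumptions made here.

```python
import re

# CPUID vendor strings the advisory names as potentially vulnerable (AMD SYSCALL behaviour).
AFFECTED_VENDORS = {"AuthenticAMD", "HygonGenuine"}

# Constructed /proc/cpuinfo excerpt for a hypothetical AMD host; sample input, not real data.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
flags\t\t: fpu vme de pse sse2 smep smap nx lm
"""

def parse_cpuinfo(text):
    """Return (vendor_id, set of flags) from the first CPU block of /proc/cpuinfo text."""
    vendor, flags = None, set()
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key.strip() == "vendor_id" and vendor is None:
            vendor = val.strip()
        elif key.strip() == "flags" and not flags:
            flags = set(val.split())
    return vendor, flags

def parse_xen_version(s):
    """'4.16.3_06-150400.4.25.1' -> (4, 16); None when no major.minor is present."""
    m = re.match(r"\s*(\d+)\.(\d+)", s)
    return (int(m.group(1)), int(m.group(2))) if m else None

def xsa429_exposure(vendor, cpu_flags, xen_version, config_pv32=True, pv_guests=0):
    """Classify a host as not-affected / unknown / mitigated / exposed, with the reason.
    config_pv32 only matters on Xen 4.16+ (4.15 and older: every supported build is
    vulnerable); pv_guests is the number of untrusted PV guests running."""
    ver = parse_xen_version(xen_version)
    if ver is None or not (4, 5) <= ver <= (4, 17):
        return "not-affected", "Xen %s is outside the affected 4.5..4.17 range" % xen_version
    if vendor == "GenuineIntel":
        return "not-affected", "Intel CPUs do not reach the problematic SYSCALL path"
    if vendor not in AFFECTED_VENDORS:
        return "unknown", "vendor %s was not checked by the advisory" % vendor
    if not {"smep", "smap"} & set(cpu_flags):
        return "not-affected", "hardware supports neither SMEP nor SMAP"
    if ver >= (4, 16) and not config_pv32:
        return "not-affected", "Xen 4.16+ built with CONFIG_PV32=n"
    if pv_guests == 0:
        return "mitigated", "vulnerable build, but no untrusted PV guests are running"
    return "exposed", "%d untrusted PV guest(s) on a vulnerable build; apply xsa429" % pv_guests
```

On a PV dom0 the kernel's /proc/cpuinfo reflects the CPUID view Xen gives that guest rather than the bare hardware, so treat the SMEP/SMAP input as an assumption to be confirmed against the hypervisor's own data before relying on a "not-affected" result.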
Comment 6 Carlos López 2023-03-14 14:25:56 UTC
(In reply to Jan Beulich from comment #3)
> (In reply to Carlos López from comment #0)
> > VULNERABLE SYSTEMS
> > ==================
> > 
> > All versions of Xen are vulnerable.
> 
> Imo this isn't correct - the offending code doesn't exist in 4.4 and older.
> This is under discussion upstream.

Right, so SUSE:SLE-12-SP2:Update and newer (which I see are already submitted).
Comment 7 Carlos López 2023-03-21 12:14:08 UTC
Public:
https://www.openwall.com/lists/oss-security/2023/03/21/3
Comment 8 Maintenance Automation 2023-03-21 16:30:16 UTC
SUSE-SU-2023:0862-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xen-4.13.4_20-150200.3.71.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xen-4.13.4_20-150200.3.71.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xen-4.13.4_20-150200.3.71.1
SUSE Enterprise Storage 7 (src): xen-4.13.4_20-150200.3.71.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-03-21 16:30:24 UTC
SUSE-SU-2023:0859-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE OpenStack Cloud 9 (src): xen-4.11.4_38-2.89.1
SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_38-2.89.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): xen-4.11.4_38-2.89.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): xen-4.11.4_38-2.89.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): xen-4.11.4_38-2.89.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-03-21 16:30:28 UTC
SUSE-SU-2023:0858-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_34-150100.3.86.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_34-150100.3.86.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): xen-4.12.4_34-150100.3.86.1
SUSE CaaS Platform 4.0 (src): xen-4.12.4_34-150100.3.86.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-03-21 16:30:39 UTC
SUSE-SU-2023:0848-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
openSUSE Leap Micro 5.3 (src): xen-4.16.3_06-150400.4.25.1
openSUSE Leap 15.4 (src): xen-4.16.3_06-150400.4.25.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): xen-4.16.3_06-150400.4.25.1
SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.3_06-150400.4.25.1
Basesystem Module 15-SP4 (src): xen-4.16.3_06-150400.4.25.1
Server Applications Module 15-SP4 (src): xen-4.16.3_06-150400.4.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2023-03-21 16:30:43 UTC
SUSE-SU-2023:0847-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Real Time 15 SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Manager Proxy 4.2 (src): xen-4.14.5_12-150300.3.48.1
SUSE Manager Retail Branch Server 4.2 (src): xen-4.14.5_12-150300.3.48.1
SUSE Manager Server 4.2 (src): xen-4.14.5_12-150300.3.48.1
SUSE Enterprise Storage 7.1 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): xen-4.14.5_12-150300.3.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2023-03-21 16:30:47 UTC
SUSE-SU-2023:0846-1: An update that solves two vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1209017, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332
Sources used:
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): xen-4.7.6_32-43.104.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2023-03-21 16:30:50 UTC
SUSE-SU-2023:0845-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xen-4.12.4_34-3.88.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xen-4.12.4_34-3.88.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xen-4.12.4_34-3.88.1
SUSE Linux Enterprise Server 12 SP5 (src): xen-4.12.4_34-3.88.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Carlos López 2023-04-13 15:08:37 UTC
Done, closing.
Comment 16 Maintenance Automation 2023-04-27 16:30:34 UTC
SUSE-SU-2023:0848-2: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.4 (src): xen-4.16.3_06-150400.4.25.1
SUSE Linux Enterprise Micro 5.4 (src): xen-4.16.3_06-150400.4.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.