Bug 1213616 - VUL-0: CVE-2023-20593: xen: x86/AMD: Zenbleed (XSA-433)
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/372384/
Reported: 2023-07-25 06:21 UTC by Gianluca Gabrielli
Modified: 2024-05-22 11:14 UTC



Attachments
Upstream patches for Xen to use a control register to avoid the issue (2.63 KB, patch)
2023-07-25 06:21 UTC, Gianluca Gabrielli
Updated upstream patches (2.85 KB, patch)
2023-08-01 12:29 UTC, Gianluca Gabrielli

Description Gianluca Gabrielli 2023-07-25 06:21:08 UTC
Created attachment 868410
Upstream patches for Xen to use a control register to avoid the issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-433

                          x86/AMD: Zenbleed

ISSUE DESCRIPTION
=================

Researchers at Google have discovered Zenbleed, a hardware bug causing
corruption of the vector registers.

When a VZEROUPPER instruction is discarded as part of a bad transient
execution path, its effects on internal tracking are not unwound
correctly.  This manifests as the wrong micro-architectural state
becoming architectural, and corrupting the vector registers.

Note: While this malfunction is related to speculative execution, this
      is not a speculative sidechannel vulnerability.

The corruption is not random.  It happens to be stale values from the
physical vector register file, a structure competitively shared between
sibling threads.  Therefore, an attacker can directly access data from
the sibling thread, or from a more privileged context.

For more details, see:
  https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
  https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8

IMPACT
======

With very low probability, corruption of the vector registers can occur.
This data corruption causes mis-calculations in subsequent logic.

An attacker can exploit this bug to read data from different contexts on
the same core.  Examples of such data include key material, cypher and
plaintext from the AES-NI instructions, or the contents of REP-MOVS
instructions, commonly used to implement memcpy().

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

This bug is specific to the AMD Zen2 microarchitecture.  AMD do not
believe that other microarchitectures are affected.

MITIGATION
==========

This issue can be mitigated by disabling AVX, either by booting Xen with
`cpuid=no-avx` on the command line, or by specifying `cpuid="host:avx=0"` in
the vm.cfg file of all untrusted VMs.  However, this will come with a
significant impact on the system and is not recommended for anyone able to
deploy the microcode or patch described below.

RESOLUTION
==========

AMD are producing microcode updates to address the bug.  Consult your
dom0 OS vendor.  This microcode is effective when late-loaded, which can
be performed on a live system without reboot.

In cases where microcode is not available, the appropriate attached
patch updates Xen to use a control register to avoid the issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa433.patch           xen-unstable
xsa433-4.17.patch      Xen 4.17.x
xsa433-4.16.patch      Xen 4.16.x
xsa433-4.15.patch      Xen 4.15.x
xsa433-4.14.patch      Xen 4.14.x

$ sha256sum xsa433*
a9331733b63e3e566f1436a48e9bd9e8b86eb48da6a8ced72ff4affb7859e027  xsa433.patch
6f1db2a2078b0152631f819f8ddee21720dabe185ec49dc9806d4a9d3478adfd  xsa433-4.14.patch
ca3a92605195307ae9b6ff87240beb52a097c125a760c919d7b9a0aff6e557c0  xsa433-4.15.patch
e5e94b3de68842a1c8d222802fb204d64acd118e3293c8e909dfaf3ada23d912  xsa433-4.16.patch
41d12104869b7e8307cd93af1af12b4fd75a669aeff15d31b234dc72981ae407  xsa433-4.17.patch
$

NOTE CONCERNING TIMELINE
========================

This issue is subject to coordinated disclosure on August 8th.  The
discoverer chose to publish details ahead of this timeline.
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
Comment 1 Marcus Meissner 2023-07-25 08:13:14 UTC
(fyi the kernel bug is bug 1213286 )
Comment 2 Charles Arnold 2023-07-27 17:31:25 UTC
(In reply to Marcus Meissner from comment #1)
> (fyi the kernel bug is bug 1213286 )

CRD: 2023-07-24 19:00 UTC

So already public.
Comment 3 Gianluca Gabrielli 2023-08-01 12:29:20 UTC
Created attachment 868575
Updated upstream patches
Comment 4 Gianluca Gabrielli 2023-08-01 12:29:42 UTC
UPDATES IN VERSION 3
====================

The patch provided with earlier versions was buggy.  It unintentionally
disabled more bits than expected in the control register.  The contents of this
register are not generally known, so the effects on the system are unknown.

A patch correcting this error has been committed and backported to all stable
trees which got the XSA-433 fix originally.  Additionally, it is attached to
this advisory as xsa433-bugfix.patch, and applicable to all branches in this
form.
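
An illustration of how a single-bit update to a 64-bit control register can clear more bits than intended, added here and not taken from the Xen patches or from this bug's attachments. The advisory does not say what the error was; the bit position and the register value below are constructed for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bit position, chosen for illustration only. */
#define WORKAROUND_BIT 9

/*
 * Buggy form: the mask is only 32 bits wide.  ~mask is evaluated as a
 * 32-bit value and zero-extended for the AND, so bits 63:32 of the
 * register value are cleared along with the intended bit.
 */
static uint64_t clear_bit_narrow(uint64_t reg)
{
    unsigned int mask = 1u << WORKAROUND_BIT;

    return reg & ~mask;
}

/* Correct form: a 64-bit mask, so only the one bit changes. */
static uint64_t clear_bit_wide(uint64_t reg)
{
    uint64_t mask = UINT64_C(1) << WORKAROUND_BIT;

    return reg & ~mask;
}

/* Review aid: bits that an update changed besides the intended one. */
static uint64_t collateral_bits(uint64_t before, uint64_t after)
{
    return (before ^ after) & ~(UINT64_C(1) << WORKAROUND_BIT);
}

int main(void)
{
    /* Constructed register value with bits set in both halves. */
    uint64_t reg = UINT64_C(0x8000010000000201);
    uint64_t bad = clear_bit_narrow(reg);
    uint64_t good = clear_bit_wide(reg);

    printf("narrow: %016" PRIx64 " collateral %016" PRIx64 "\n",
           bad, collateral_bits(reg, bad));
    printf("wide:   %016" PRIx64 " collateral %016" PRIx64 "\n",
           good, collateral_bits(reg, good));
    return 0;
}
```

Comparing the register value before and after a read-modify-write, as collateral_bits() does, is a quick way to confirm in review or test that only the intended bit changed.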
Comment 6 Maintenance Automation 2023-08-23 20:30:32 UTC
SUSE-SU-2023:3395-1: An update that solves three vulnerabilities and has one fix can now be installed.

Category: security (moderate)
Bug References: 1027519, 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
openSUSE Leap 15.4 (src): xen-4.16.5_02-150400.4.31.1
openSUSE Leap Micro 5.3 (src): xen-4.16.5_02-150400.4.31.1
openSUSE Leap Micro 5.4 (src): xen-4.16.5_02-150400.4.31.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): xen-4.16.5_02-150400.4.31.1
SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.5_02-150400.4.31.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): xen-4.16.5_02-150400.4.31.1
SUSE Linux Enterprise Micro 5.4 (src): xen-4.16.5_02-150400.4.31.1
Basesystem Module 15-SP4 (src): xen-4.16.5_02-150400.4.31.1
Server Applications Module 15-SP4 (src): xen-4.16.5_02-150400.4.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-08-28 12:30:25 UTC
SUSE-SU-2023:3447-1: An update that solves three vulnerabilities and has two fixes can now be installed.

Category: security (moderate)
Bug References: 1027519, 1212684, 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
Server Applications Module 15-SP5 (src): xen-4.17.2_02-150500.3.6.1
openSUSE Leap 15.5 (src): xen-4.17.2_02-150500.3.6.1
Basesystem Module 15-SP5 (src): xen-4.17.2_02-150500.3.6.1

Comment 9 Maintenance Automation 2023-08-28 12:30:30 UTC
SUSE-SU-2023:3446-1: An update that solves three vulnerabilities and has two fixes can now be installed.

Category: security (moderate)
Bug References: 1027519, 1204489, 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
SUSE Manager Proxy 4.2 (src): xen-4.14.6_02-150300.3.51.1
SUSE Manager Retail Branch Server 4.2 (src): xen-4.14.6_02-150300.3.51.1
SUSE Manager Server 4.2 (src): xen-4.14.6_02-150300.3.51.1
SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.6_02-150300.3.51.1
SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.6_02-150300.3.51.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): xen-4.14.6_02-150300.3.51.1

Comment 10 Maintenance Automation 2023-08-30 20:30:06 UTC
SUSE-SU-2023:3496-1: An update that solves three vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1027519, 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_02-150200.3.74.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_02-150200.3.74.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xen-4.13.5_02-150200.3.74.1
SUSE Enterprise Storage 7 (src): xen-4.13.5_02-150200.3.74.1

Comment 11 Maintenance Automation 2023-08-30 20:30:09 UTC
SUSE-SU-2023:3495-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xen-4.12.4_36-3.91.2
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xen-4.12.4_36-3.91.2
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xen-4.12.4_36-3.91.2
SUSE Linux Enterprise Server 12 SP5 (src): xen-4.12.4_36-3.91.2

Comment 12 Maintenance Automation 2023-08-30 20:30:12 UTC
SUSE-SU-2023:3494-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_36-150100.3.89.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_36-150100.3.89.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): xen-4.12.4_36-150100.3.89.1
SUSE CaaS Platform 4.0 (src): xen-4.12.4_36-150100.3.89.1

Comment 16 Maintenance Automation 2023-09-29 12:30:13 UTC
SUSE-SU-2023:3895-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1214083, 1215145, 1215474
CVE References: CVE-2022-40982, CVE-2023-20588, CVE-2023-20593, CVE-2023-34322
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_04-150200.3.77.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_04-150200.3.77.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xen-4.13.5_04-150200.3.77.1

Comment 17 Maintenance Automation 2023-09-29 12:30:16 UTC
SUSE-SU-2023:3894-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1214083, 1215145, 1215474
CVE References: CVE-2022-40982, CVE-2023-20588, CVE-2023-20593, CVE-2023-34322
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xen-4.12.4_38-3.94.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xen-4.12.4_38-3.94.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xen-4.12.4_38-3.94.1
SUSE Linux Enterprise Server 12 SP5 (src): xen-4.12.4_38-3.94.1

Comment 18 Maintenance Automation 2023-09-29 16:30:03 UTC
SUSE-SU-2023:3903-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1215145, 1215474
CVE References: CVE-2023-20588, CVE-2023-20593, CVE-2023-34322
Sources used:
SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.6_04-150300.3.54.1
SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.6_04-150300.3.54.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): xen-4.14.6_04-150300.3.54.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): xen-4.14.6_04-150300.3.54.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xen-4.14.6_04-150300.3.54.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xen-4.14.6_04-150300.3.54.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xen-4.14.6_04-150300.3.54.1
SUSE Manager Proxy 4.2 (src): xen-4.14.6_04-150300.3.54.1
SUSE Manager Retail Branch Server 4.2 (src): xen-4.14.6_04-150300.3.54.1
SUSE Manager Server 4.2 (src): xen-4.14.6_04-150300.3.54.1
SUSE Enterprise Storage 7.1 (src): xen-4.14.6_04-150300.3.54.1

Comment 19 Maintenance Automation 2023-09-29 16:30:06 UTC
SUSE-SU-2023:3902-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1214083, 1215145, 1215474
CVE References: CVE-2022-40982, CVE-2023-20588, CVE-2023-20593, CVE-2023-34322
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_38-150100.3.92.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_38-150100.3.92.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): xen-4.12.4_38-150100.3.92.1
SUSE CaaS Platform 4.0 (src): xen-4.12.4_38-150100.3.92.1

Comment 20 Charles Arnold 2023-10-25 20:03:38 UTC
Submission done.
Comment 22 Robert Frohl 2024-05-22 11:14:10 UTC
done, closing