Bugzilla – Bug 1214082
VUL-0: CVE-2023-20569: xen: x86/AMD: Speculative Return Stack Overflow (XSA-434)
Last modified: 2024-01-24 10:14:13 UTC
+++ This bug was initially created as a clone of Bug #1213287 +++

            Xen Security Advisory CVE-2023-20569 / XSA-434

               x86/AMD: Speculative Return Stack Overflow

ISSUE DESCRIPTION
=================

Researchers from ETH Zurich have extended their prior research (XSA-422, Branch Type Confusion, a.k.a. Retbleed) and have discovered INCEPTION, also known as RAS (Return Address Stack) Poisoning, and Speculative Return Stack Overflow.

The RAS is updated when a CALL instruction is predicted, rather than at a later point in the pipeline. However, the RAS is still fundamentally a circular stack. It is possible to poison the branch type and target predictions such that, at a point of the attacker's choosing, the branch predictor predicts enough CALLs back-to-back to wrap around the entire RAS and overwrite a correct return prediction with one of the attacker's choosing.

This allows the attacker to control RET speculation in a victim context, and leak arbitrary data as a result.

For more details, see:
  https://comsec.ethz.ch/inception
  https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-7005

IMPACT
======

An attacker might be able to infer the contents of memory belonging to other guests.

VULNERABLE SYSTEMS
==================

Only CPUs from AMD are believed to be potentially vulnerable. CPUs from other manufacturers are not believed to be impacted.

At the time of writing, all in-support AMD CPUs (that is, Zen1 thru Zen4 microarchitectures) are believed to be potentially vulnerable. Older CPUs have not been analysed.

By default following XSA-422, Xen mitigates BTC on AMD Zen2 and older CPUs by issuing an IBPB on entry to Xen. On Zen2 and older CPUs, this is believed to be sufficient to protect against SRSO too.

AMD Zen3 and Zen4 CPUs are susceptible to SRSO too. All versions of Xen are vulnerable on these CPUs.

MITIGATION
==========

On Zen3 and Zen4, there is no mitigation.

RESOLUTION
==========

AMD are producing microcode updates for Zen3 and Zen4. Consult your dom0 OS vendor.

With the microcode update applied, booting Xen with `spec-ctrl=ibpb-entry` is sufficient to protect against SRSO.

The appropriate set of patches will default to using IBPB-on-entry on Zen3 and Zen4 CPUs, as well as synthesise new CPUID bits for guests to use in order to determine their susceptibility in a migration-safe way.

The patches for this issue interact textually but not logically with the fixes for XSA-435, which itself has complexities. See XSA-435 for details of how to obtain the fixes.
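Added example (editor's script, not part of the Xen advisory or of the SUSE packages): a POSIX shell check that turns the RESOLUTION section above into something you can run on a dom0. It extracts the hypervisor command line from `xl info`, parses Xen's comma-separated `spec-ctrl=` option for `ibpb-entry` / `no-ibpb-entry`, reads vendor and family from `/proc/cpuinfo`, and prints a verdict. The mapping of CPUID family 0x17 (23) to Zen1/Zen2 and 0x19 (25) to Zen3/Zen4 is the editor's assumption from AMD's family assignments; the advisory names only microarchitectures. The embedded `xl info` and `/proc/cpuinfo` text is constructed sample input, not captured from a real host.

```shell
#!/bin/sh
# Host-side check for XSA-434 / CVE-2023-20569 on a Xen dom0.
# Editor's example, not Xen or SUSE code.  Logic follows the advisory:
#   - non-AMD CPUs: not believed to be affected
#   - AMD family 0x17 (Zen1/Zen2): covered by the XSA-422 default IBPB-on-entry,
#     unless that has been switched off on the command line
#   - AMD family 0x19 (Zen3/Zen4): needs the microcode update plus IBPB-on-entry;
#     only a Xen carrying the XSA-434 patches turns it on by default
# Family numbers are the editor's assumption (AMD CPUID family assignments).

# Constructed sample inputs (not captured from a real machine).  On a live
# host use:  xl info          and          cat /proc/cpuinfo
SAMPLE_XL_INFO_ZEN3='host                   : dom0
xen_major              : 4
xen_minor              : 17
xen_commandline        : dom0_mem=4096M,max:4096M spec-ctrl=ibpb-entry console=vga
'
SAMPLE_CPUINFO_ZEN3='processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 25
model           : 1
'

# Pull the hypervisor command line out of `xl info` output.
xen_cmdline_from_xl_info() {
    printf '%s\n' "$1" | sed -n 's/^xen_commandline[[:space:]]*:[[:space:]]*//p'
}

# vendor_id / cpu family fields from /proc/cpuinfo text.  Linux prints the
# combined base+extended family, so Zen1/Zen2 show 23 (0x17), Zen3/Zen4 25 (0x19).
cpu_vendor() { printf '%s\n' "$1" | sed -n 's/^vendor_id[[:space:]]*:[[:space:]]*//p' | head -n 1; }
cpu_family() { printf '%s\n' "$1" | sed -n 's/^cpu family[[:space:]]*:[[:space:]]*//p' | head -n 1; }

# What the command line says about IBPB-on-entry.  Xen's spec-ctrl= option is
# a comma-separated list of sub-options, each negatable with a "no-" prefix;
# a bare boolean (spec-ctrl=no) disables everything.  Later occurrences
# override earlier ones.  Prints "on", "off" or "default".
xen_ibpb_entry_setting() {
    cmdline=$1
    result=default
    for tok in $cmdline; do
        case $tok in
            spec-ctrl=*) opts=${tok#spec-ctrl=} ;;
            *) continue ;;
        esac
        old_ifs=$IFS
        IFS=,
        for opt in $opts; do
            case $opt in
                no|off|false|0|disable) result=off ;;
                ibpb-entry)             result=on ;;
                no-ibpb-entry)          result=off ;;
            esac
        done
        IFS=$old_ifs
    done
    printf '%s\n' "$result"
}

# Verdict for one host: $1 = /proc/cpuinfo text, $2 = Xen command line.
# Exit status: 0 mitigated or not affected, 1 vulnerable, 2 cannot tell
# from the command line alone.
srso_status() {
    vendor=$(cpu_vendor "$1")
    family=$(cpu_family "$1")
    ibpb=$(xen_ibpb_entry_setting "$2")
    if [ "$vendor" != AuthenticAMD ]; then
        echo "not-affected: vendor $vendor is not believed to be impacted"
        return 0
    fi
    case $family in
    23)
        if [ "$ibpb" = off ]; then
            echo "vulnerable: Zen1/Zen2 with IBPB-on-entry disabled via spec-ctrl"
            return 1
        fi
        echo "mitigated: Zen1/Zen2, IBPB-on-entry is the default since XSA-422"
        return 0 ;;
    25)
        case $ibpb in
        on)  echo "mitigated: Zen3/Zen4 with spec-ctrl=ibpb-entry (microcode update still required)"
             return 0 ;;
        off) echo "vulnerable: Zen3/Zen4 with IBPB-on-entry disabled"
             return 1 ;;
        *)   echo "check: Zen3/Zen4 with default spec-ctrl; safe only if Xen carries the XSA-434 patches"
             return 2 ;;
        esac ;;
    *)
        echo "unknown: AMD family $family not analysed in XSA-434"
        return 2 ;;
    esac
}

# Demonstration on the constructed sample (exit status ignored here).
srso_status "$SAMPLE_CPUINFO_ZEN3" "$(xen_cmdline_from_xl_info "$SAMPLE_XL_INFO_ZEN3")" || :
```

On a real dom0 the call is `srso_status "$(cat /proc/cpuinfo)" "$(xen_cmdline_from_xl_info "$(xl info)")"`. The script deliberately does not judge the microcode revision: the advisory gives no numbers, and the per-model minimums live in AMD-SB-7005 linked above. Inside a Linux guest whose kernel has the SRSO mitigation, `cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow` shows what the guest concluded from the CPUID bits a patched Xen synthesises; that sysfs file is a Linux kernel feature, not something the advisory describes.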
SUSE-SU-2023:3395-1: An update that solves three vulnerabilities and has one fix can now be installed.

Category: security (moderate)
Bug References: 1027519, 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
openSUSE Leap 15.4 (src): xen-4.16.5_02-150400.4.31.1
openSUSE Leap Micro 5.3 (src): xen-4.16.5_02-150400.4.31.1
openSUSE Leap Micro 5.4 (src): xen-4.16.5_02-150400.4.31.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): xen-4.16.5_02-150400.4.31.1
SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.5_02-150400.4.31.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): xen-4.16.5_02-150400.4.31.1
SUSE Linux Enterprise Micro 5.4 (src): xen-4.16.5_02-150400.4.31.1
Basesystem Module 15-SP4 (src): xen-4.16.5_02-150400.4.31.1
Server Applications Module 15-SP4 (src): xen-4.16.5_02-150400.4.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3447-1: An update that solves three vulnerabilities and has two fixes can now be installed.

Category: security (moderate)
Bug References: 1027519, 1212684, 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
Server Applications Module 15-SP5 (src): xen-4.17.2_02-150500.3.6.1
openSUSE Leap 15.5 (src): xen-4.17.2_02-150500.3.6.1
Basesystem Module 15-SP5 (src): xen-4.17.2_02-150500.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3446-1: An update that solves three vulnerabilities and has two fixes can now be installed.

Category: security (moderate)
Bug References: 1027519, 1204489, 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
SUSE Manager Proxy 4.2 (src): xen-4.14.6_02-150300.3.51.1
SUSE Manager Retail Branch Server 4.2 (src): xen-4.14.6_02-150300.3.51.1
SUSE Manager Server 4.2 (src): xen-4.14.6_02-150300.3.51.1
SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.6_02-150300.3.51.1
SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.6_02-150300.3.51.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): xen-4.14.6_02-150300.3.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3496-1: An update that solves three vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1027519, 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_02-150200.3.74.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_02-150200.3.74.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xen-4.13.5_02-150200.3.74.1
SUSE Enterprise Storage 7 (src): xen-4.13.5_02-150200.3.74.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3495-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xen-4.12.4_36-3.91.2
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xen-4.12.4_36-3.91.2
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xen-4.12.4_36-3.91.2
SUSE Linux Enterprise Server 12 SP5 (src): xen-4.12.4_36-3.91.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3494-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1213616, 1214082, 1214083
CVE References: CVE-2022-40982, CVE-2023-20569, CVE-2023-20593
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_36-150100.3.89.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_36-150100.3.89.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): xen-4.12.4_36-150100.3.89.1
SUSE CaaS Platform 4.0 (src): xen-4.12.4_36-150100.3.89.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Submission done.
done