-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #40: Information
leaks due to processor speculative store bypass (XSA-263). The text of
this QSB is reproduced below. This QSB and its accompanying signatures
will always be available in the Qubes Security Pack (qubes-secpack).

View QSB #40 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-040-2018.txt

Learn about the qubes-secpack, including how to obtain, verify, and
read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View XSA-263 in the XSA Tracker:

https://www.qubes-os.org/security/xsa/#263

```
             ---===[ Qubes Security Bulletin #40 ]===---

                             2018-05-24


  Information leaks due to processor speculative store bypass (XSA-263)

Summary
========

On 2018-05-21, the Xen Security Team published Xen Security Advisory
263 (CVE-2018-3639 / XSA-263) [1] with the following description:

| Contemporary high performance processors may use a technique commonly
| known as Memory Disambiguation, whereby speculative execution may
| proceed past unresolved stores.  This opens a speculative sidechannel
| in which loads from an address which have had a recent store can
| observe and operate on the older, stale, value.

Please note that this issue was neither predisclosed nor embargoed.
Consequently, the Qubes Security Team has not had time to analyze it in
advance of issuing this bulletin.

Impact
=======

According to XSA-263, the impact of this issue is as follows:

| An attacker who can locate or create a suitable code gadget in a
| different privilege context may be able to infer the content of
| arbitrary memory accessible to that other privilege context.
|
| At the time of writing, there are no known vulnerable gadgets in the
| compiled hypervisor code.  Xen has no interfaces which allow JIT code
| to be provided.  Therefore we believe that the hypervisor itself is
| not vulnerable.  Additionally, we do not think there is a viable
| information leak by one Xen guest against another non-cooperating
| guest.
|
| However, in most configurations, within-guest information leak is
| possible.  Mitigation for this generally depends on guest changes
| (for which you must consult your OS vendor) *and* on hypervisor
| support, provided in this advisory.

In light of this, XSA-263 appears to be less severe than the related
Spectre and Meltdown vulnerabilities we discussed in QSB #37 [2].

Patching
=========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 3.2:
  - Xen packages, version 4.6.6-41

  For Qubes 4.0:
  - Xen packages, version 4.8.3-8

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

In addition, Intel Corporation has announced that microcode updates
will be available soon [3]:

| Variant 3a is mitigated in the same processor microcode updates as
| Variant 4, and Intel has released these updates in beta form to OEM
| system manufacturers and system software vendors. They are being
| readied for production release, and will be delivered to consumers
| and IT Professionals in the coming weeks.

This bulletin will be updated once the Intel microcode updates are
available. No microcode update is necessary for AMD processors.

Credits
========

See the original Xen Security Advisory.

References
===========

[1] https://xenbits.xen.org/xsa/advisory-263.html
[2] https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-037-2018.txt
[3] https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

- --
The Qubes Security Team
https://www.qubes-os.org/security/
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2018/05/24/qsb-40/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

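As an added example (not part of the bulletin or of Qubes tooling), the following shell functions check whether an installed Xen package version-release is at or above the fixed versions listed under "Patching". The function names, the `xen-hypervisor` package name in the usage comment, and the sample dist tags are assumptions; the bulletin says only "Xen packages". An installed package does not mean the patched hypervisor is running until the restart the bulletin requires.

```sh
# Fixed Xen package versions, copied from the "Patching" section of QSB #40.
fixed_version_for() {
    case "$1" in
        3.2) echo "4.6.6-41" ;;
        4.0) echo "4.8.3-8" ;;
        *)   return 1 ;;
    esac
}

# Reduce an rpm VERSION-RELEASE string to its numeric part by dropping a
# dist tag such as ".fc25" (constructed sample) from the release field.
normalize() {
    case "$1" in
        *-*) _rel=${1#*-}; echo "${1%%-*}-${_rel%%[!0-9]*}" ;;
        *)   echo "$1" ;;
    esac
}

# Return 0 if version-release $1 >= $2. Fields are compared numerically,
# left to right, so 4.8.10 correctly ranks above 4.8.3.
ver_ge() {
    _a=$(normalize "$1"); _b=$(normalize "$2")
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%[.-]*}; _y=${_b%%[.-]*}
        case "$_a" in *[.-]*) _a=${_a#*[.-]} ;; *) _a= ;; esac
        case "$_b" in *[.-]*) _b=${_b#*[.-]} ;; *) _b= ;; esac
        _x=${_x:-0}; _y=${_y:-0}
        [ "$_x" -gt "$_y" ] && return 0
        [ "$_x" -lt "$_y" ] && return 1
    done
    return 0
}

# qsb40_status <qubes-release> <installed version-release>
# Prints "patched", "vulnerable" or "unknown-release".
qsb40_status() {
    _fixed=$(fixed_version_for "$1") || { echo "unknown-release"; return 2; }
    if ver_ge "$2" "$_fixed"; then echo "patched"; else echo "vulnerable"; fi
}

# Usage in dom0 (package name is an assumption, see above):
#   qsb40_status 4.0 "$(rpm -q --qf '%{VERSION}-%{RELEASE}' xen-hypervisor)"
```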