[qubes-devel] XSAs released on 2023-07-24

2023-07-24 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-433](https://xenbits.xen.org/xsa/advisory-433.html)
  - See [QSB-090](https://www.qubes-os.org/news/2023/07/24/qsb-090/) for details.

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- (none)

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/07/24/xsas-released-on-2023-07-24/



[qubes-devel] QSB-090: Zenbleed (CVE-2023-20593, XSA-433)

2023-07-24 Thread Andrew David Wong
Dear Qubes Community,

We have published [Qubes Security Bulletin 090: Zenbleed (CVE-2023-20593, XSA-433)](https://github.com/QubesOS/qubes-secpack/blob/main/QSBs/qsb-090-2023.txt).
The text of this QSB and its accompanying cryptographic signatures are
reproduced below. For an explanation of this announcement and instructions for
authenticating this QSB, please see the end of this announcement.

## Qubes Security Bulletin 090

```

 ---===[ Qubes Security Bulletin 090 ]===---

  2023-07-24

 Zenbleed (CVE-2023-20593, XSA-433)

User action required
--------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.1, in dom0:
  - linux-firmware 20230625-146
  - Xen packages 4.14.5-21

  For Qubes 4.2, in dom0:
  - linux-firmware 20230625-147
  - Xen packages 4.17.1-3

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen and initramfs binaries.

Summary
-------

On 2023-07-24, the Xen Project published XSA-433, "x86/AMD: Zenbleed"
[3]:
| Researchers at Google have discovered Zenbleed, a hardware bug causing
| corruption of the vector registers.
|
| When a VZEROUPPER instruction is discarded as part of a bad transient
| execution path, its effect on internal tracking are not unwound
| correctly.  This manifests as the wrong micro-architectural state
| becoming architectural, and corrupting the vector registers.
|
| Note: While this malfunction is related to speculative execution, this
|   is not a speculative sidechannel vulnerability.
|
| The corruption is not random.  It happens to be stale values from the
| physical vector register file, a structure competitively shared between
| sibling threads.  Therefore, an attacker can directly access data from
| the sibling thread, or from a more privileged context.
|
| For more details, see:
|   https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
|
|   https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8


Impact
------

As explained in XSA-433, this vulnerability is specific to the AMD Zen 2
microarchitecture, and AMD does not believe that other
microarchitectures are affected. Exploiting this vulnerability would
allow an attacker to read data from different contexts on the same core.
Examples of such data include key material, ciphertext and plaintext
from AES-NI operations, and the contents of REP-MOVS instructions, which
are commonly used to implement `memcpy()`.

In order to exploit this vulnerability, an attacker must be capable of
executing code at any privilege level in any qube, e.g., JavaScript in a
web browser. Moreover, the code to reliably exploit this vulnerability
is publicly available. Accordingly, there is a high risk of this
vulnerability being exploited in practice.

Credits
-------

Tavis Ormandy of Google Project Zero.

References
----------

[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-433.html

--
The Qubes Security Team
https://www.qubes-os.org/security/

```


## [Marek Marczykowski-Górecki](https://www.qubes-os.org/team/#marek-marczykowski-górecki)'s PGP signature



## [Simon Gaiser (aka HW42)](https://www.qubes-os.org/team/#simon-gaiser-aka-hw42)'s PGP signature

```
-BEGIN PGP SIGNATURE-

iQIzBAABCgAdFiEE6hjn8EDEHdrv6aoPSsGN4REuFJAFAmS/I5gACgkQSsGN4REu