{"uuid": "676ad2dd-efcc-4efc-8663-ab660e680317", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-11135", "type": "published-proof-of-concept", "source": "https://t.me/QubesOS/372", "content": "QSB #053: TSX Asynchronous Abort speculative side channel (XSA-305)\nhttps://www.qubes-os.org/news/2019/11/13/qsb-053/\n\nWe have just published Qubes Security Bulletin (QSB) #053: \nTSX Asynchronous Abort speculative side channel (XSA-305).\nThe text of this QSB is reproduced below. This QSB and its accompanying\nsignatures will always be available in the Qubes Security Pack (qubes-secpack).\n\nView QSB #053 in the qubes-secpack:\n\nhttps://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-053-2019.txt\n\nLearn about the qubes-secpack, including how to obtain, verify, and read it:\n\nhttps://www.qubes-os.org/security/pack/\n\nView all past QSBs:\n\nhttps://www.qubes-os.org/security/bulletins/\n\nNote: Typically, XSAs have a predisclosure period, during which the XSA is\nembargoed, which gives the Qubes Security Team time to analyze it and\nprepare patches and an announcement. However, XSA-305 had no embargo period,\nso the Qubes Security Team had no advance notice of it before it was publicly\nannounced. For this reason, QSB #053 is being initially published without\ndetached signatures from the Qubes Security Team. These signatures will be added\nshortly after publication, as soon as Qubes Security Team members have a chance\nto create them. Readers who wish to verify the authenticity of this QSB can\nstill check the signed tag on the commit that added this QSB to the\nqubes-secpack repo:\n\nhttps://github.com/QubesOS/qubes-secpack/commit/59b39c645015c3d1bfce5d633ab55d8ed88aeb0b\n\n\n\n             ---===[ Qubes Security Bulletin #53 ]===---\n\n                             2019-11-13\n\n\n    TSX Asynchronous Abort speculative side channel (XSA-305)\n\nSummary\n========\n\nOn 2019-11-12, the Xen Security Team published Xen Security Advisory\n305 (CVE-2019-11135 / XSA-305) [1] with the following description:\n\n| This is very closely related to the Microarchitectural Data Sampling\n| vulnerabilities from May 2019.\n| \n| Please see https://xenbits.xen.org/xsa/advisory-297.html for details\n| about MDS.\n| \n| A new way to sample data from microarchitectural structures has been\n| identified.  A TSX Asynchronous Abort is a state which occurs between a\n| transaction definitely aborting (usually for reasons outside of the\n| pipeline's control e.g. receiving an interrupt), and architectural state\n| being rolled back to start of the transaction.\n| \n| During this period, speculative execution may be able to infer the value\n| of data in the microarchitectural structures.\n| \n| For more details, see:\n|   https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort\n| \n| An attacker, which could include a malicious untrusted user process on a\n| trusted guest, or an untrusted guest, can sample the content of\n| recently-used memory operands and IO Port writes.\n| \n| This can include data from:\n| \n|  * A previously executing context (process, or guest, or\n|    hypervisor/toolstack) at the same privilege level.\n|  * A higher privilege context (kernel, hypervisor, SMM) which\n|    interrupted the attacker's execution.\n| \n| Vulnerable data is that on the same physical core as the attacker.  This\n| includes, when hyper-threading is enabled, adjacent threads.\n| \n| An attacker cannot use this vulnerability to target specific data.  An\n| attack would likely require sampling over a period of time and the\n| application of statistical methods to reconstruct interesting data.\n\nThis is yet another CPU hardware bug related to speculative execution.\n\nOnly Intel processors are affected.\n\nNote: There was no embargo period for this XSA.\n\nPatching\n=========\n\nThe Xen Project has provided patches that mitigate this issue. A CPU\nmicrocode update is required to take advantage of them. Note that\nmicrocode updates may not be available for older CPUs. (See the Intel\nadvisory linked above for details.)\n\nThe specific packages that resolve the problems discussed in this\nbulletin are as follows:\n\n  For Qubes 4.0:", "creation_timestamp": "2019-11-14T14:03:02.000000Z"}