{"uuid": "80268916-8230-4cf6-bbcd-6c060b4c166a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2018-3639", "type": "seen", "source": "https://t.me/QubesOS/206", "content": "QSB #40: Information leaks due to processor speculative store bypass (XSA-263)\nhttps://www.qubes-os.org/news/2018/05/24/qsb-40/\n\nDear Qubes Community,\n\nWe have just published Qubes Security Bulletin (QSB) #40: Information\nleaks due to processor speculative store bypass (XSA-263). The text of\nthis QSB is reproduced below. This QSB and its accompanying signatures\nwill always be available in the Qubes Security Pack (qubes-secpack).\n\nView QSB #40 in the qubes-secpack:\n\nhttps://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-040-2018.txt\n\nLearn about the qubes-secpack, including how to obtain, verify, and\nread it:\n\nhttps://www.qubes-os.org/security/pack/\n\nView all past QSBs:\n\nhttps://www.qubes-os.org/security/bulletins/\n\nView XSA-263 in the XSA Tracker:\n\nhttps://www.qubes-os.org/security/xsa/#263\n\n\n\n             ---===[ Qubes Security Bulletin #40 ]===---\n\n                             2018-05-24\n\n\n  Information leaks due to processor speculative store bypass (XSA-263)\n\nSummary\n========\n\nOn 2018-05-21, the Xen Security Team published Xen Security Advisory\n263 (CVE-2018-3639 / XSA-263) [1] with the following description:\n\n| Contemporary high performance processors may use a technique commonly\n| known as Memory Disambiguation, whereby speculative execution may\n| proceed past unresolved stores.  This opens a speculative sidechannel\n| in which loads from an address which have had a recent store can\n| observe and operate on the older, stale, value.\n\nPlease note that this issue was neither predisclosed nor embargoed.\nConsequently, the Qubes Security Team has not had time to analyze it in\nadvance of issuing this bulletin.\n\nImpact\n=======\n\nAccording to XSA-263, the impact of this issue is as follows:\n\n| An attacker who can locate or create a suitable code gadget in a\n| different privilege context may be able to infer the content of\n| arbitrary memory accessible to that other privilege context.\n| \n| At the time of writing, there are no known vulnerable gadgets in the\n| compiled hypervisor code.  Xen has no interfaces which allow JIT code\n| to be provided.  Therefore we believe that the hypervisor itself is\n| not vulnerable.  Additionally, we do not think there is a viable\n| information leak by one Xen guest against another non-cooperating\n| guest.\n| \n| However, in most configurations, within-guest information leak is\n| possible.  Mitigation for this generally depends on guest changes\n| (for which you must consult your OS vendor) *and* on hypervisor\n| support, provided in this advisory.\n\nIn light of this, XSA-263 appears to be less severe than the related\nSpectre and Meltdown vulnerabilities we discussed in QSB #37 [2].\n\nPatching\n=========\n\nThe specific packages that resolve the problems discussed in this\nbulletin are as follows:\n\n  For Qubes 3.2:\n  - Xen packages, version 4.6.6-41\n\n  For Qubes 4.0:\n  - Xen packages, version 4.8.3-8\n\nThe packages are to be installed in dom0 via the Qubes VM Manager or via\nthe qubes-dom0-update command as follows:\n\n  For updates from the stable repository (not immediately available):\n  $ sudo qubes-dom0-update\n\n  For updates from the security-testing repository:\n  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing\n\nA system restart will be required afterwards.\n\nThese packages will migrate from the security-testing repository to the\ncurrent (stable) repository over the next two weeks after being tested\nby the community.\n\nIf you use Anti Evil Maid, you will need to reseal your secret\npassphrase to new PCR values, as PCR18+19 will change due to the new\nXen binaries.\n\nIn addition, Intel Corporation has announced that microcode updates\nwill be available soon [3]:\n\n| Variant 3a is mitigated in the same processor microcode updates as\n| Variant 4, and Intel has released these updates in beta form to OEM\n| system manufacturers and system software vendors. They are being\n| readied for production release, and will be delivered to consumers\n| and IT Professionals in the coming weeks.", "creation_timestamp": "2018-05-25T02:15:16.000000Z"}