Dear Qubes Community,

We have just published [Qubes Security Bulletin (QSB) 086: Speculative security issues on AMD CPUs (XSA-422)](https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-086-2022.txt). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the [Qubes Security Pack (qubes-secpack)](https://www.qubes-os.org/security/pack/).

More information about QSBs, including a complete historical list, is available [here](https://www.qubes-os.org/security/qsb/).

```
             ---===[ Qubes Security Bulletin 086 ]===---

                             2022-11-08

          Speculative security issues on AMD CPUs (XSA-422)


User action required
---------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.1, in dom0:
  - Xen packages, version 4.14.5-13

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


Summary
--------

On 2022-11-08, the Xen Project published XSA-422, "x86: Multiple
speculative security issues" [3]:

| Researchers have discovered that on some AMD CPUs, the
| implementation of IBPB (Indirect Branch Prediction Barrier) does not
| behave according to the specification.
|
| Specifically, IBPB fails to properly flush the RAS (Return Address
| Stack, also RSB - Return Stack Buffer - in Intel terminology; one of
| the hardware prediction structures), allowing attacker controlled
| values to survive across a deliberate attempt to purge said values.
|
| AMD have allocated CVE-2022-23824.

XSA-422 also describes a second AMD vulnerability. However, since it is
believed not to affect Xen, and therefore not to affect Qubes OS, it is
omitted here.


Impact
-------

On Qubes OS installations with affected CPUs, a VM running in PV mode
may be capable of inferring the memory contents of other running VMs,
including dom0. In the default Qubes OS configuration, only the
stubdomains for HVMs are in a position to exploit this vulnerability in
order to attack other VMs. (Dom0 also runs in PV mode, but it is fully
trusted.)

Only certain AMD CPUs are affected. Please see AMD-SB-1040 [4] for the
official list of affected models.

(Note: XSA-422 states that Xen versions prior to 4.16 are not affected
by this vulnerability. While Qubes OS uses a Xen version prior to 4.16,
we have backported a Xen performance optimization [5] that assumes that
IBPB works as previously specified. Therefore, the version of Xen used
in Qubes is affected by this vulnerability even though its version
number is lower than 4.16.)


Credits
--------

See the original Xen Security Advisory.


References
-----------

[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-422.html
[4] https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1040
[5] https://github.com/QubesOS/qubes-vmm-xen/blob/v4.14.5-12/patch-0001-x86-spec-ctrl-Skip-RSB-overwriting-when-safe-to-do-s.patch

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2022/11/08/qsb-086/