Bug 1092631

Summary: VUL-0: CVE-2018-3639: xen: V4 – Speculative Store Bypass aka "Memory Disambiguation" (XSA-263)
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Charles Arnold <carnold>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: bpetkov, brogers, duwe, jbeulich, jkosina, mbenes, meissner, mhocko, mlatimer, nstange, ptesarik
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1094912    
Bug Blocks: 1087078, 1087082    
Attachments: xsa263.tar.bz2

Comment 4 Marcus Meissner 2018-05-21 21:28:28 UTC
is public
Comment 5 Marcus Meissner 2018-05-22 06:20:08 UTC
            Xen Security Advisory CVE-2018-3639 / XSA-263

                       Speculative Store Bypass

ISSUE DESCRIPTION
=================

Contemporary high performance processors may use a technique commonly
known as Memory Disambiguation, whereby speculative execution may
proceed past unresolved stores.  This opens a speculative side channel in
which loads from an address which has had a recent store can observe
and operate on the older, stale, value.

For more details, see:
  https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
  https://www.amd.com/securityupdates

IMPACT
======

An attacker who can locate or create a suitable code gadget in a
different privilege context may be able to infer the content of
arbitrary memory accessible to that other privilege context.

At the time of writing, there are no known vulnerable gadgets in the
compiled hypervisor code.  Xen has no interfaces which allow JIT code
to be provided.  Therefore we believe that the hypervisor itself is
not vulnerable.  Additionally, we do not think there is a viable
information leak by one Xen guest against another non-cooperating
guest.

However, in most configurations, within-guest information leak is
possible.  Mitigation for this generally depends on guest changes (for
which you must consult your OS vendor) *and* on hypervisor support,
provided in this advisory.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Processors from all vendors are affected to different extents.

Further communication will be made for Arm. See
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
for more details.

MITIGATION
==========

This issue can be mitigated with a combination of software and firmware
changes.

RESOLUTION
==========

This is a hardware bug.  The primary mitigation in Xen context is
modification of guests, especially JITs in guests, to avoid generating
vulnerable code.  Such modifications do not require support from Xen.

Alternatively, the following patches provide some workarounds:

On AMD hardware, for Fam15h processors and later, the patches offer a
host-wide global control for whether Memory Disambiguation is enabled
(default) or disabled.  Controls are not virtualised for guests.  When
the global control is set to disabled (`spec-ctrl=ssbd' on the
hypervisor command line), the vulnerability is eliminated without the
need for other guest or hypervisor changes.

On Intel hardware, a microcode update is required in order to work
around the problem by disabling memory disambiguation.  Consult your
hardware vendor or your dom0 OS distributor for the firmware/microcode
update.  With the microcode update in place, the patches offer a
host-wide control (which would eliminate the vulnerability on the
whole system without guest changes), and virtualised controls for
guests to use (which addresses the issue in a guest-specific manner).
Consult your guest operating system vendors, for further information
and advice.

(Additionally, host firmware may be vulnerable and may require updates
for that reason.  Consult your hardware vendor.)

xsa263-unstable/*.patch  xen-unstable
xsa263-4.10/*.patch      Xen 4.10.x
xsa263-4.9/*.patch       Xen 4.9.x
xsa263-4.8/*.patch       Xen 4.8.x
xsa263-4.7/*.patch       Xen 4.7.x
xsa263-4.6/*.patch       Xen 4.6.x

NOTE REGARDING LACK OF EMBARGO
==============================

We understand that despite an attempt to organise predisclosure, the
discoverers ultimately did not authorise a predisclosure.
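A defender's check for the host-wide SSBD control named in the advisory above, added here as an example; it is not part of the advisory or of the Xen project's code. It assumes `xl info` reports the hypervisor command line in its `xen_commandline` field and that a patched Xen accepts the `spec-ctrl` list forms `ssbd`, `ssbd=<bool>` and `no-ssbd` (only plain `spec-ctrl=ssbd` is named in the advisory).

```shell
#!/bin/sh
# Added example, not from the advisory or from Xen: report whether the
# XSA-263 host-wide SSBD control is requested on the Xen command line.

# ssbd_state CMDLINE
# Prints "enabled", "disabled" or "default" (option absent).  Later
# spec-ctrl entries override earlier ones, on the assumption that the
# patched hypervisor parses the list left to right.
ssbd_state() {
    state=default
    for tok in $1; do
        case "$tok" in
            spec-ctrl=*) opts=$(printf '%s' "${tok#spec-ctrl=}" | tr ',' ' ') ;;
            *) continue ;;
        esac
        for opt in $opts; do
            case "$opt" in
                ssbd|ssbd=1|ssbd=true|ssbd=yes|ssbd=on)     state=enabled ;;
                no-ssbd|ssbd=0|ssbd=false|ssbd=no|ssbd=off) state=disabled ;;
            esac
        done
    done
    printf '%s\n' "$state"
}

# host_ssbd_state
# Same check against the running host, reading the xen_commandline
# field of `xl info' (needs dom0 privileges; reports "default" when
# xl is unavailable because the command line then comes back empty).
host_ssbd_state() {
    cmdline=$(xl info 2>/dev/null | sed -n 's/^xen_commandline *: *//p')
    ssbd_state "$cmdline"
}

# Constructed sample command line (not captured from a real host).
SAMPLE='console=com1 dom0_mem=2048M spec-ctrl=ssbd'
echo "sample host: SSBD $(ssbd_state "$SAMPLE")"
```

Run `host_ssbd_state` from dom0 to check a live host; a "default" result means the advisory's global control has not been requested and only guest-side or firmware measures may be in effect.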
Comment 6 Marcus Meissner 2018-05-22 06:20:55 UTC
Created attachment 770934 [details]
xsa263.tar.bz2

patches as tarball
Comment 7 Swamp Workflow Management 2018-05-29 10:12:37 UTC
SUSE-SU-2018:1456-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1074562,1090296,1090822,1090823,1092631
CVE References: CVE-2018-10981,CVE-2018-10982,CVE-2018-3639
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.2_06-3.32.1
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.2_06-3.32.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.2_06-3.32.1
SUSE CaaS Platform ALL (src):    xen-4.9.2_06-3.32.1
Comment 8 Swamp Workflow Management 2018-06-01 13:09:26 UTC
openSUSE-SU-2018:1487-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1074562,1090296,1090822,1090823,1092631
CVE References: CVE-2018-10981,CVE-2018-10982,CVE-2018-3639
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.2_06-22.1
Comment 9 Swamp Workflow Management 2018-06-05 15:11:39 UTC
This is an autogenerated message for OBS integration:
This bug (1092631) was mentioned in
https://build.opensuse.org/request/show/614322 15.0 / xen
Comment 10 Swamp Workflow Management 2018-06-07 19:11:30 UTC
SUSE-SU-2018:1582-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1027519,1092631
CVE References: CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_24-22.49.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_24-22.49.1
Comment 11 Swamp Workflow Management 2018-06-08 16:08:59 UTC
SUSE-SU-2018:1603-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1074562,1092631
CVE References: CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-3639
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_32-61.29.2
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_32-61.29.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_32-61.29.2
Comment 12 Swamp Workflow Management 2018-06-09 13:09:42 UTC
openSUSE-SU-2018:1623-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1074562,1079730,1092631
CVE References: CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-3639
Sources used:
openSUSE Leap 15.0 (src):    xen-4.10.1_04-lp150.2.3.1
Comment 13 Swamp Workflow Management 2018-06-12 19:11:26 UTC
SUSE-SU-2018:1658-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1074562,1092631
CVE References: CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_32-22.68.1
Comment 14 Swamp Workflow Management 2018-06-15 16:10:09 UTC
SUSE-SU-2018:1699-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1074562,1086039,1092631
CVE References: CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-3639
Sources used:
SUSE OpenStack Cloud 7 (src):    xen-4.7.5_04-43.33.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xen-4.7.5_04-43.33.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xen-4.7.5_04-43.33.1
SUSE Enterprise Storage 4 (src):    xen-4.7.5_04-43.33.1
Comment 16 Marcus Meissner 2018-08-15 12:08:44 UTC
released
Comment 19 Swamp Workflow Management 2018-08-22 19:11:26 UTC
SUSE-SU-2018:2482-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (important)
Bug References: 1027519,1091107,1092631,1101684,1102116
CVE References: CVE-2018-3646
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_36-61.37.2
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_36-61.37.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_36-61.37.2
Comment 20 Swamp Workflow Management 2018-08-27 13:10:03 UTC
SUSE-SU-2018:2528-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1074562,1079730,1090822,1090823,1091107,1092631,1095242,1096224,1097206,1097521,1097522,1098744
CVE References: CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-10981,CVE-2018-10982,CVE-2018-11806,CVE-2018-12617,CVE-2018-12891,CVE-2018-12893,CVE-2018-3639,CVE-2018-3646,CVE-2018-3665
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.25.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.25.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.25.1
Comment 21 Swamp Workflow Management 2018-10-18 17:23:00 UTC
SUSE-SU-2018:1699-2: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1074562,1086039,1092631
CVE References: CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-3639
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.5_04-43.33.1