[XSA-453] GhostRace: Speculative Race Conditions
ISSUE DESCRIPTION
Researchers at VU Amsterdam and IBM Research have discovered GhostRace,
an analysis of the behaviour of synchronisation primitives under
speculative execution.
Synchronisation primitives are typically formed as an unbounded loop
which waits until a resource is available to be accessed. This means
there is a conditional branch which can be microarchitecturally bypassed
using Spectre-v1 techniques, allowing an attacker to speculatively
execute critical regions.
Therefore, while a critical region might be safe architecturally, it can
still suffer from data races under speculation with unsafe consequences.
The GhostRace paper focuses on Speculative Concurrent Use-After-Free
issues, but notes that there are many other types of speculative data
hazard to be explored.
For more details, see:
https://vusec.net/projects/ghostrace
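
The pattern described above, as an added illustration that is not part of the advisory and is not Xen or Linux code. All names (`lock_t`, `obj_t`, `trylock`, `use_unhardened`, `use_hardened`, `speculation_barrier`) are hypothetical, and placing a speculation barrier after the lock check is general Spectre-v1 hardening assumed here, not something this advisory prescribes.

```c
#include <stdatomic.h>

/* All names are hypothetical; this is not Xen or Linux code. */
typedef struct { atomic_int locked; } lock_t;
typedef struct { void (*handler)(void); } obj_t;

static int calls;                        /* counts handler invocations */
static void count_call(void) { calls++; }

/* On x86, lfence keeps later instructions from executing until earlier
 * ones (including the lock-check branch) have completed. Other targets
 * get only a compiler barrier here and need their own instruction. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("lfence" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");
#endif
}

/* Returns 1 if the lock was taken, 0 if someone else holds it. */
static int trylock(lock_t *l)
{
    int expected = 0;
    return atomic_compare_exchange_strong(&l->locked, &expected, 1);
}
static void unlock(lock_t *l) { atomic_store(&l->locked, 0); }

/* Architecturally safe. If the branch is mispredicted while another CPU
 * holds the lock (and may be freeing *slot), the body can still run
 * transiently: the speculative concurrent use-after-free case. */
static int use_unhardened(lock_t *l, obj_t **slot)
{
    if (!trylock(l)) return 0;
    if (*slot) (*slot)->handler();
    unlock(l);
    return 1;
}

/* Same logic, but the protected data is not touched until the branch
 * on the lock result has resolved. */
static int use_hardened(lock_t *l, obj_t **slot)
{
    if (!trylock(l)) return 0;
    speculation_barrier();
    if (*slot) (*slot)->handler();
    unlock(l);
    return 1;
}
```

Both functions behave identically at the architectural level; the difference is only in what the CPU may execute transiently after a mispredicted lock check.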
IMPACT
An attacker might be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.
VULNERABLE SYSTEMS
Systems running all versions of Xen are affected.
GhostRace is a variation of Spectre-v1, and Spectre-v1 is known to
affect a wide range of CPU architectures and designs. Consult your
hardware vendor.
However, Xen does not have any known gadgets vulnerable to GhostRace at
the time of writing.
Furthermore, even with the vulnerable instance found in Linux, the
researchers had to insert an artificial syscall to make the instance
more accessible to a userspace attacker.
Therefore, the Xen Security Team does not believe that immediate action
is required.
Package | Affected Version |
---|---|
pkg:generic/xen | = 4.15.x |
pkg:generic/xen | = 4.16.x |
pkg:generic/xen | = 4.17.x |
pkg:generic/xen | = 4.18.x |
- ID: XSA-453
- URL: http://xenbits.xen.org/xsa/advisory-453.html
- Published: 2024-03-12T16:44:00
- Modified: 2024-03-12T16:44:00
- Rights: Xen Project

Other Advisories
Source | ID | Name | URL |
---|---|---|---|
Xen Project | XSA-453 | Security Advisory | http://xenbits.xen.org/xsa/advisory-453.html |
Xen Project | XSA-453 | Signed Security Advisory | http://xenbits.xen.org/xsa/advisory-453.txt |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:generic/xen | | xen | = 4.15.x | | | |
Affected | pkg:generic/xen | | xen | = 4.16.x | | | |
Affected | pkg:generic/xen | | xen | = 4.17.x | | | |
Affected | pkg:generic/xen | | xen | = 4.18.x | | | |