[XSA-456] x86: Native Branch History Injection


ISSUE DESCRIPTION

In March 2022, researchers at VU Amsterdam disclosed Spectre-BHB (also
known as Branch History Injection, BHI).

Spectre-BHB was discussed in XSA-398. At the time, the susceptibility
of Xen to Spectre-BHB was uncertain, so no specific action was taken in
XSA-398. However, various changes were made thereafter in upstream Xen
as a consequence; more on these later.

VU Amsterdam have subsequently adjusted the attack so that it can be
pulled off entirely from unprivileged userspace, without the aid of a
managed runtime in the victim context (the original proof of concept
relied on unprivileged eBPF in the victim kernel to supply the
disclosure gadget; Native-BHI uses code already present in the victim).

For more details, see:
https://vusec.net/projects/native-bhi
https://vusec.net/projects/bhi-spectre-bhb
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html
https://xenbits.xen.org/xsa/advisory-398.html

IMPACT

An attacker in a guest might be able to infer the contents of arbitrary
host memory, including memory assigned to other guests.

VULNERABLE SYSTEMS

Systems running all versions of Xen are affected.

Only Intel x86 CPUs are potentially affected. CPUs from other
manufacturers are not known to be affected.

A wide range of Intel CPUs employ Branch History prediction techniques.
However, for older CPUs the existing Spectre-v2 mitigations (XSA-254) are
believed to be sufficient to mitigate Native-BHI.

Therefore, the rest of the discussion is limited in scope to the CPUs for
which a change in behaviour is expected. These are believed to be all
CPUs with eIBRS (Enhanced IBRS, a.k.a. IBRS_ALL or IBRS_ATT). eIBRS
signifies a hardware adjustment (mode-tagged indirect predictions)
designed to combat Spectre-v2, available in CPUs from 2019 onwards. BHI
is relevant precisely on such CPUs: eIBRS tags indirect predictions by
privilege mode, but the branch history used to select a prediction is
shared across modes, so an attacker can steer which of the victim's own
predictions is used.

To determine whether a system has eIBRS, run xen-cpuid -v in dom0 and
look for the string "eibrs" in the Raw set under the "Dynamic sets:"
block of the output, e.g.

  # xen-cpuid -v
  ...
  Dynamic sets:
  Raw ...
  ...
    [16] MSR_ARCH_CAPS.lo ... eibrs ...
  ...
  ...

Be aware that the Static sets are compile-time information and will
include the string "eibrs" irrespective of hardware support, so only the
Dynamic sets tell you what the hardware actually reports. If there is no
row for "[16] MSR_ARCH_CAPS.lo" at all, the fixes for XSA-435 (which
added MSR_ARCH_CAPS to the featureset that xen-cpuid reports) are
missing, and this check cannot be relied upon until they are applied.
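The following script is an added example, not part of the advisory or of
the Xen tree. It automates the check above: it reads an xen-cpuid -v
report on stdin, ignores everything in the Static sets, and classifies
the Raw set of the Dynamic sets block as eIBRS present, eIBRS absent, or
MSR_ARCH_CAPS row missing (XSA-435 fixes absent). The function name
eibrs_status and the three sample reports are assumptions of this
example; the sample reports are constructed, with placeholder hex
values, and follow the row layout xen-cpuid uses ("  [16] MSR_ARCH_CAPS.lo"
followed by decoded feature names).

```shell
#!/bin/sh
# Added example (not from the XSA-456 advisory): classify eIBRS support from
# "xen-cpuid -v" output read on stdin.  Only the Raw set under "Dynamic sets:"
# is consulted, because the Static sets are compile-time data and always list
# "eibrs".  Prints exactly one of:
#   eibrs         - hardware reports IBRS_ALL (eIBRS); Native-BHI is relevant
#   no-eibrs      - MSR_ARCH_CAPS row present, "eibrs" absent (older CPU)
#   no-arch-caps  - no "[16] MSR_ARCH_CAPS.lo" row: XSA-435 fixes are missing
eibrs_status() {
    awk '
        /^Static sets:/           { dyn = 0; raw = 0 }
        /^Dynamic sets:/          { dyn = 1; raw = 0; next }
        dyn && /^Raw/             { raw = 1; next }
        dyn && raw && /^[A-Za-z]/ { raw = 0 }   # next named set (Host, PV Max, ...) ends Raw
        dyn && raw && /\[16\] MSR_ARCH_CAPS\.lo/ {
            seen = 1
            # Compare whole fields so e.g. a hypothetical "no-eibrs" token never matches.
            for (i = 1; i <= NF; i++) if ($i == "eibrs") found = 1
        }
        END {
            if (!seen)      print "no-arch-caps"
            else if (found) print "eibrs"
            else            print "no-eibrs"
        }'
}

# Constructed sample reports (hypothetical; hex values are placeholders).
# 1: eIBRS-capable host.  The Static block also says "eibrs" and must be ignored.
sample_eibrs() {
cat <<'EOF'
nr_features: 22

Static sets:
Known                         ffffffff:ffffffff:...
  [16] MSR_ARCH_CAPS.lo       rdcl-no eibrs rsba skip-l1dfl mds-no taa-no
Dynamic sets:
Raw                           178bfbff:00000000:...
  [00] 1d                     fpu vme de pse tsc msr pae mce cx8 apic sep
  [16] MSR_ARCH_CAPS.lo       rdcl-no eibrs skip-l1dfl mds-no taa-no
Host                          178bfbff:00000000:...
  [16] MSR_ARCH_CAPS.lo       rdcl-no eibrs skip-l1dfl mds-no taa-no
EOF
}

# 2: pre-eIBRS host with XSA-435 fixes: the row exists but lacks "eibrs".
sample_no_eibrs() {
cat <<'EOF'
Static sets:
Known                         ffffffff:ffffffff:...
  [16] MSR_ARCH_CAPS.lo       rdcl-no eibrs rsba skip-l1dfl mds-no taa-no
Dynamic sets:
Raw                           178bfbff:00000000:...
  [00] 1d                     fpu vme de pse tsc msr pae mce cx8 apic sep
  [16] MSR_ARCH_CAPS.lo       rdcl-no rsba skip-l1dfl
Host                          178bfbff:00000000:...
EOF
}

# 3: Xen without the XSA-435 fixes: word 16 is not decoded at all.
sample_no_arch_caps() {
cat <<'EOF'
Static sets:
Known                         ffffffff:ffffffff:...
  [00] 1d                     fpu vme de pse tsc msr pae mce cx8 apic sep
Dynamic sets:
Raw                           178bfbff:00000000:...
  [00] 1d                     fpu vme de pse tsc msr pae mce cx8 apic sep
  [01] 1c                     sse3 pclmulqdq vmx ssse3 fma cx16
Host                          178bfbff:00000000:...
EOF
}

# Demonstrate on the constructed samples.  On a real dom0 run instead:
#   xen-cpuid -v | eibrs_status
for s in sample_eibrs sample_no_eibrs sample_no_arch_caps; do
    printf '%-20s -> %s\n' "$s" "$("$s" | eibrs_status)"
done
```

The classification is done field by field rather than with a substring
match so that only a standalone "eibrs" token counts, and the Raw block
is closed as soon as the next set name (Host, PV Max, ...) appears, so a
row from a later set cannot influence the result.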

REFERENCES

Xen Project, XSA-456 Security Advisory:
http://xenbits.xen.org/xsa/advisory-456.html
Xen Project, XSA-456 Signed Security Advisory:
http://xenbits.xen.org/xsa/advisory-456.txt