{"uuid": "0ab18c5e-59f3-4dc4-afc9-fbf0a69a170c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2018-3646", "type": "seen", "source": "https://t.me/QubesOS/248", "content": "QSB #43: L1 Terminal Fault speculative side channel (XSA-273)\nhttps://www.qubes-os.org/news/2018/09/02/qsb-43/\n\nDear Qubes Community,\n\nWe have just published Qubes Security Bulletin (QSB) #43: L1 Terminal\nFault speculative side channel (XSA-273). The text of this QSB is\nreproduced below. This QSB and its accompanying signatures will always\nbe available in the Qubes Security Pack (qubes-secpack).\n\nView QSB #43 in the qubes-secpack:\n\nhttps://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-043-2018.txt\n\nLearn about the qubes-secpack, including how to obtain, verify, and read\nit:\n\nhttps://www.qubes-os.org/security/pack/\n\nView all past QSBs:\n\nhttps://www.qubes-os.org/security/bulletins/\n\nView XSA-273 in the XSA Tracker:\n\nhttps://www.qubes-os.org/security/xsa/#273\n\n             ---===[ Qubes Security Bulletin #43 ]===---\n\n                             2018-09-02\n\n\n         L1 Terminal Fault speculative side channel (XSA-273)\n\nSummary\n========\n\nOn 2018-08-14, the Xen Security Team published Xen Security Advisory\n273 (CVE-2018-3620,CVE-2018-3646 / XSA-273) [1] with the following\ndescription:\n\n| In x86 nomenclature, a Terminal Fault is a pagetable walk which aborts\n| due to the page being not present (e.g. paged out to disk), or because\n| of reserved bits being set.\n| \n| Architecturally, such a memory access will result in a page fault\n| exception, but some processors will speculatively compute the physical\n| address and issue an L1D lookup.  If data resides in the L1D cache, it\n| may be forwarded to dependent instructions, and may be leaked via a side\n| channel.\n| \n| Furthermore:\n|   * SGX protections are not applied\n|   * EPT guest to host translations are not applied\n|   * SMM protections are not applied\n| \n| This issue is split into multiple CVEs depending on circumstance.  The\n| CVEs which apply to Xen are:\n|   * CVE-2018-3620 - Operating Systems and SMM\n|   * CVE-2018-3646 - Hypervisors\n| \n| For more details, see:\n|   https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html\n| \n| An attacker can potentially read arbitrary host RAM.  This includes data\n| belonging to Xen, data belonging to other guests, and data belonging to\n| different security contexts within the same guest.\n| \n| An attacker could be a guest kernel (which can manipulate the pagetables\n| directly), or could be guest userspace either directly (e.g. with\n| mprotect() or similar system call) or indirectly (by gaming the guest\n| kernel's paging subsystem).\n\nThis is yet another CPU hardware bug related to speculative execution.\n\nOnly Intel processors are affected.\n\nImpact of mitigations on Qubes OS\n==================================\n\nQubes OS 3.2\n-------------\n\nPart of the mitigation is to disable hyper-threading. This halves the\nnumber of CPU cores that the system sees compared to having\nhyper-threading enabled, thus reducing system performance.  This\nmitigation is needed only when running HVM qubes (or PVH, but PVH is not\navailable in Qubes OS 3.2 anyway). However, we believe there is a risk\nthat similar issues will be discovered in the future, and that having\nhyper-threading disabled may mitigate those issues, as it does this one.\nTherefore, we recommend that most users leave hyper-threading disabled\nregardless of whether they use HVM qubes.\n\nIf you decide that you are willing to accept the risks of enabling\nhyper-threading, you can do so by following the instructions below. The\ninstructions differ depending on whether you use EFI or legacy boot.\n\nHow to re-enable hyper-threading with EFI boot:\n1. Change `smt=off` to `smt=on` in `/boot/efi/EFI/qubes/xen.cfg` in dom0.\n2. Save your change to the file.\n3. Reboot dom0.\n\nHow to re-enable hyper-threading with legacy boot:\n1. Change `smt=off` to `smt=on` in `/etc/default/grub` in dom0.\n2. Save your change to the file.\n3. Run `sudo grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.\n4. Reboot dom0.\n\nQubes OS 4.0\n-------------", "creation_timestamp": "2018-09-02T06:22:17.000000Z"}