{"uuid": "a4bbc4bf-9df2-452f-ae45-7bb165f8563e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2018-12127", "type": "seen", "source": "https://t.me/QubesOS/339", "content": "QSB #49: Microarchitectural Data Sampling speculative side channel (XSA-297)\nhttps://www.qubes-os.org/news/2019/05/15/qsb-49/\n\nWe have just published Qubes Security Bulletin (QSB) #49: Microarchitectural\nData Sampling speculative side channel (XSA-297).\nThe text of this QSB is reproduced below.\nThis QSB and its accompanying signatures will always be available in\nthe Qubes Security Pack (qubes-secpack).\n\nView QSB #49 in the qubes-secpack:\n\nhttps://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-049-2019.txt\n\nLearn about the qubes-secpack, including how to obtain, verify, and read\nit:\n\nhttps://www.qubes-os.org/security/pack/\n\nView all past QSBs:\n\nhttps://www.qubes-os.org/security/bulletins/\n\n\n\n             ---===[ Qubes Security Bulletin #49 ]===---\n\n                             2019-05-15\n\n\n    Microarchitectural Data Sampling speculative side channel (XSA-297)\n\nSummary\n========\n\nOn 2018-05-14, the Xen Security Team published Xen Security Advisory\n297 (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 /\nXSA-297) [1] with the following description:\n\n| Microarchitectural Data Sampling refers to a group of speculative\n| sidechannel vulnerabilities.  They consist of:\n| \n|  * CVE-2018-12126 - MSBDS - Microarchitectural Store Buffer Data Sampling\n|  * CVE-2018-12127 - MLPDS - Microarchitectural Load Port Data Sampling\n|  * CVE-2018-12130 - MFBDS - Microarchitectural Fill Buffer Data Sampling\n|  * CVE-2019-11091 - MDSUM - Microarchitectural Data Sampling Uncacheable Memory\n| \n| These issues pertain to the Load Ports, Store Buffers and Fill Buffers\n| in the pipeline.  
The Load Ports are used to service all memory reads.\n| The Store Buffers service all in-flight speculative writes (including\n| IO Port writes), while the Fill Buffers service all memory writes\n| which are post-retirement, and no longer speculative.\n| \n| Under certain circumstances, a later load which takes a fault or\n| assist (an internal condition to processor e.g. setting a pagetable\n| Access or Dirty bit) may be forwarded stale data from these buffers\n| during speculative execution, which may then be leaked via a\n| sidechannel.\n| \n| MDSUM (Uncacheable Memory) is a special case of the other three.\n| Previously, the use of uncacheable memory was believed to be safe\n| against speculative sidechannels.\n| \n| For more details, see:\n|   https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html\n| \n| An attacker, which could include a malicious untrusted user process on\n| a trusted guest, or an untrusted guest, can sample the content of\n| recently-used memory operands and IO Port writes.\n| \n| This can include data from:\n| \n|  * A previously executing context (process, or guest, or\n|    hypervisor/toolstack) at the same privilege level.\n|  * A higher privilege context (kernel, hypervisor, SMM) which\n|    interrupted the attacker's execution.\n| \n| Vulnerable data is that on the same physical core as the attacker.\n| This includes, when hyper-threading is enabled, adjacent threads.\n| \n| An attacker cannot use this vulnerability to target specific data.\n| An attack would likely require sampling over a period of time and the\n| application of statistical methods to reconstruct interesting data.\n\nThis is yet another CPU hardware bug related to speculative execution.\n\nOnly Intel processors are affected.\n\nPatching\n=========\n\nThe Xen Project has provided patches that mitigate this issue. A CPU\nmicrocode update is required to take advantage of them. 
Note that\nmicrocode updates may not be available for older CPUs. (See the Intel\nadvisory linked above for details.)\n\nThe specific packages that resolve the problems discussed in this\nbulletin are as follows:\n\n  For Qubes 4.0:\n  - Xen packages, version 4.8.5-6\n  - microcode_ctl 2.1-28.qubes1\n  - kernel-qubes-vm package, version 4.19.43-1 (optional)\n\nThe packages are to be installed in dom0 via the Qubes VM Manager or via\nthe qubes-dom0-update command as follows:", "creation_timestamp": "2019-05-16T01:06:01.000000Z"}