[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [oss-security] Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions
- To: Salvatore Bonaccorso <carnil@xxxxxxxxxx>, "oss-security@xxxxxxxxxxxxxxxxxx" <oss-security@xxxxxxxxxxxxxxxxxx>
- From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Date: Wed, 13 Jul 2022 09:27:34 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=jag+bhiISty7hZB+fsK/uxdv1w8qJWzpYO6bz+oiOVs=; b=bOQFThAP+WMP3VOqSF4kNRarSdiLT3Tv2fbc9MABMJpcyOiLomrPBtC/yIW33Cnpg3akK0PlVcHC+wd1BwbSVLRC9Scfg3VCsLplbwjTCZbwQ8g4lbIT7xXrzy57LTEyEVz/YhhKhBbBjIFb4+0rOV8GhQGkwAvuuB714oe0DHunr3E48HpNeNlgkAIGaNOMsB7Cep5xbzPFJqlw8Lr8m/TE/1tbZ8U0gGZNL7JUrGc9CCSmlM/Ce+G7LosswmXb5rzJLyw73cqIF8bK2qhs3EKZIhxrZ1yrorT5sH9kLDliToNotpDRDFwoXy4aYM9gqTSfVE+P5qnDKSpQliEimw==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=l7LNRhgFB5N1TXF80HahWsaOthkts1eNt8asdSl7wjZZD+mKCUG6IpaLlJ2ZohSGW8PZ9G9pCBddoeOIkIWrumHUXJtRWkRw5Ogr1GXuLqAesnqIWAlRJkNSL3PnkFWwJdaiuHF5dSCnGTGNjVvOPh7Fkgco2qPiB6OnB17+YE5ym67jYZCu3gr5NTJhEGK+Fe8x7W8mqHhYrijTPsWu/yGSkptuCSoZDSGJJXQaWnkyn1C/1dNd5P8LD+hyezwaAXiMlg7k4BtL1OHKEctlGhuepUi5ESt/vIO6oaE39I3TJHWQrV4MAxBmrq5njt0RcB+WnxY23b8a1vhtOeMUtQ==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: "xen-announce@xxxxxxxxxxxxx" <xen-announce@xxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, "xen-users@xxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxx>, Xen.org security team <security-team-members@xxxxxxx>
- Delivery-date: Wed, 13 Jul 2022 09:28:35 +0000
- Ironport-data: A9a23:yBfeTa7mFnqANrvdqNwE4wxRtOXGchMFZxGqfqrLsTDasY5as4F+v jAdWW2BaPbYZDGjf91/bdm+pBxX7JOGn4dhSVNuqCowHi5G8cbLO4+Ufxz6V8+wwmwvb67FA +E2MISowBUcFyeEzvuVGuG96yE6j8lkf5KkYAL+EnkZqTRMFWFw03qPp8Zj2tQy2YfgWFvU0 T/Pi5a31GGNimYc3l08s8pvmDs31BglkGpF1rCWTakjUG72zxH5PrpGTU2CByKQrr1vNvy7X 47+IISRpQs1yfuP5uSNyd4XemVSKlLb0JPnZnB+A8BOiTAazsA+PzpS2FPxpi67hh3Q9+2dx umhurTzY1l2B6bvm90yVilAUBN6L4pjpOLYdC3XXcy7lyUqclPK6tA3VAQcG9Jd/ex6R2ZT6 fYfNTYBKAiZgP67y666Te8qgdk/KM7sP8UUvXQIITPxVK56B8ycBfqSo4YAjF/chegXdRraT +MfZSBic1LrZBpXN01MIJk/gP2plj/0dDgwRFe9+vdouzmClVAZPL7FDd7ZI9yqaNRuj22qo VjgoXneIkwVHYnKodaC2jf27gPVpgvwUZgUFbmQ+vNggVSVgGsJB3U+UkCg5OK0gVOkWs5OA 0gV4TY1668q+Uq0R935GRa/pRasrhMaHtNWFeon7gqA4q7V+BqCQHgJSHhGctNOnN87Q3km2 0GEm/vtBCdzq/uFRHTb8a2bxRuiNC5QMHQPfzQsSQoe/8KlsIw1yBXVQb5LC6O+k8f0BSC13 z2DqW07irAZgNQQ/7W2+xbAmT3Em3TSZgs85wGSVGT66Ap8Pdahf9bxsQid6utcJoGESFXHp GIDh8WV8OEJC9eKiTCJR+IOWrqu4p5pLQHhvLKmJLF5nxzFxpJpVdo4DO1WTKuxDvs5RA==
- Ironport-hdrordr: A9a23:dGauAKs7/PrtNSiL/4QBbpEx7skC1YMji2hC6mlwRA09TyXGra 2TdaUgvyMc1gx7ZJh5o6H6BEGBKUmslqKceeEqTPqftXrdyRGVxeZZnMffKlzbamfDH4tmuZ uIHJIOb+EYYWIasS++2njBLz9C+qjJzEnLv5a5854Fd2gDBM9dBkVCe3+m+yZNNWt77O8CZf 6hD7181l+dkBosDviTNz0gZazuttfLnJXpbVotHBg88jSDijuu9frTDwWY9g12aUIP/Z4StU z+1yDp7KSqtP+2jjXG0XXI0phQkNz9jvNeGc23jNQPIDmEsHfpWG0hYczAgNkGmpDr1L8Yqq iJn/7mBbU115rlRBD2nfIq4Xin7N9h0Q669bbSuwqfnSWwfkNHNyMGv/MWTvKR0TtfgDk3up g7oF6xpt5ZCwjNkz/64MWNXxZ2llCsqX5niuILiWdDOLFuIYO5gLZvi3+9Kq1wah7S+cQiCq 1jHcvc7PFZfReTaG3YpHBmxJipUm4oFhmLT0AesojNugIm10xR3g8d3ogSj30A/JUyR91N4P nFKL1hkPVLQtUNZaxwCe8dSY+8C3DLQxjLLGWOSG6XXJ0vKjbIsdr68b817OaldNgBy4Yzgo 3IVBdCuWs7ayvVeLmzNV1wg2XwqUmGLETQI5tllulEU5XHNcnWGDzGTkwymM29pPhaCtHHWp +ISeBrP8M=
- List-id: Xen user discussion <xen-users.lists.xenproject.org>
- Thread-index: AQHYlg2ccsX8+KDnKEKtDRtooLJ01a17HqSAgAACEACAAOjBAA==
- Thread-topic: [oss-security] Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions
On 12/07/2022 20:34, Salvatore Bonaccorso wrote:
> Hi,
>
> On Tue, Jul 12, 2022 at 09:27:07PM +0200, Salvatore Bonaccorso wrote:
>> Hi,
>>
>> On Tue, Jul 12, 2022 at 04:36:10PM +0000, Xen.org security team wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> Xen Security Advisory CVE-2022-23816,CVE-2022-23825,CVE-2022-29900 /
>>> XSA-407
>>>
>>> Retbleed - arbitrary speculative code execution with return instructions
>>>
>>> ISSUE DESCRIPTION
>>> =================
>>>
>>> Researchers at ETH Zurich have discovered Retbleed, allowing for
>>> arbitrary speculative execution in a victim context.
>>>
>>> For more details, see:
>>> https://comsec.ethz.ch/retbleed
>>>
>>> ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for
>>> Intel.
>>>
>>> Despite the similar preconditions, these are very different
>>> microarchitectural behaviours between vendors.
>>>
>>> On AMD CPUs, Retbleed is one specific instance of a more general
>>> microarchitectural behaviour called Branch Type Confusion. AMD have
>>> assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type
>>> Confusion).
>>>
>>> For more details, see:
>>> https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037
>> Is it confirmed that AMD is not using CVE-2022-29900? The above
>> amd-sb-1037 references as well both CVE-2022-23825 (Branch Type
>> Confusion) and CVE-2022-29900 (RETbleed), so I assume they agreed to
>> use CVE-2022-29900 for retbleed?
>>
>> So should the Xen advisory as well use CVE-2022-23825,CVE-2022-29900
>> and CVE-2022-29901?
> Nevermind, I missunderstood the wording and the advisory just mentions
> all the related CVEs correctly and made a thinko. It might turn out
> that CVE-2022-23816 will not be used, but then the title would read
> only as
>
> Xen Security Advisory CVE-2022-23825,CVE-2022-29900 / XSA-407
>
> So please disregard the question above.
/sigh
AMD changed the CVE in the bulletin between the final draft, and what
went public.
CVE-2022-23816 has been referenced by multiple other vendors too, so is
definitely out in the world. Hopefully MITRE will close out one of
CVE-2022-23816 and CVE-2022-29900 as a dup of the other.
For now, I think the least confusing option is to keep both referenced.
~Andrew
|