Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
xenXen ProjectXSA-289
HistoryJan 21, 2019 - 12:00 p.m.

Cache-load gadgets exploitable with L1TF

2019-01-2112:00:00
Xen Project
xenbits.xen.org
247
JSON

ISSUE DESCRIPTION

Previously reported vulnerabilities CVE-2017-5753 / XSA-254 (Spectre V1) and CVE-2018-3646 / XSA-273 (L1TF) can, when combined, be leveraged to more easily gather leaked information.
A Spectre v1 gadget is a speculation sequence which starts with a conditional branch, contains a memory load who’s address is attacker-influenced, and a second action dependent on the content of the first memory load, which opens a sidechannel with the attacker.
These gadgets are rare in code, and so far, none have been discovered in Xen. However, the first half of this gadget (i.e. to the first memory load) is a very common sequence to find in compiled C, and forms an arbitrary cache-load gadget.
An attacker can combine cache-load gadgets like this to bring data into the cache on on hyperthread of a given CPU core, while L1TF is used on another hyperthread to read the cached data.
A number of specific exploitable gadgets have been identified.
There are no new vulnerabilities. There is only new information about existing vulnerabilities: specifically, confirmation that existing, previously disclosed, vulnerabilities, can be exploited in specific ways. (Previously, it was merely expected, and stated in XSA-254 and XSA-273, that such the vulnerabilities would be exploitable.)

IMPACT

An attacker can potentially read arbitrary host RAM. This includes data belonging to Xen, data belonging to other guests, and data belonging to different security contexts within the same guest.
An attacker could be a guest kernel (which can manipulate the pagetables directly), or could be guest userspace either directly (e.g. with mprotect() or similar system call) or indirectly (by gaming the guest kernel’s paging subsystem).
See XSA-254 and XSA-273 for more general information about the underlying vulnerabilities.

VULNERABLE SYSTEMS

Systems running all versions of Xen are affected.
Only x86 processors are vulnerable. ARM processors are not known to be affected.
Only systems with Symmetric Multi Threading (SMT, aka hyperthreading) available and enabled are vulnerable.
Only Intel Core based processors (from at least Merom onwards) are potentially affected. Other processor designs (Intel Atom/Knights range), and other manufacturers (AMD) are not known to be affected.
Only x86 HVM or PVH guests can exploit the vulnerability. x86 PV guests cannot exploit the vulnerability.

Related

nessus 84
prion 2
ubuntucve 3
ubuntu 7
canvas 2
debiancve 2
redhatcve 4
suse 5
cve 2
vmware 3
openvas 20
ibm 10
alpinelinux 1
thn 3
osv 4
slackware 1
f5 1
veracode 1
apple 6
oraclelinux 3
msrc 1
fedora 4
intel 1
mageia 3
freebsd 1
redhat 11
debian 4
freebsd_advisory 1
packetstorm 1
photon 1
zdt 1
threatpost 1
kaspersky 1
xen 1
huawei 1
seebug 1
nvidia 1
nessus
nessus
SUSE SLED15 / SLES15 Security Update : spectre-meltdown-checker (SUSE-SU-2021:2861-1)
2021-08-28 00:00:00
Slackware 14.2 : Slackware 14.2 kernel (SSA:2018-057-01) (Spectre)
2018-02-27 00:00:00
openSUSE 15 Security Update : spectre-meltdown-checker (openSUSE-SU-2021:2861-1)
2021-08-28 00:00:00
prion
prion
Information disclosure
2018-01-04 13:29:00
Information disclosure
2018-08-14 19:29:00
ubuntucve
ubuntucve
CVE-2017-5753
2018-01-03 00:00:00
CVE-2018-3646
2018-08-14 00:00:00
CVE-2018-3693
2018-07-10 00:00:00
ubuntu
ubuntu
NVIDIA graphics drivers vulnerability
2018-01-09 00:00:00
Linux kernel (Trusty HWE) vulnerabilities
2018-01-23 00:00:00
Linux kernel (KVM) vulnerabilities
2018-01-29 00:00:00
canvas
canvas
Immunity Canvas: SPECTRE_SAM_LEAK
2018-01-04 13:29:00
Immunity Canvas: SPECTRE_FILE_LEAK
2018-01-04 13:29:00
debiancve
debiancve
CVE-2017-5753
2018-01-04 13:29:00
CVE-2018-3646
2018-08-14 19:29:00
redhatcve
redhatcve
CVE-2017-5753
2018-01-03 22:49:52
CVE-2018-3639
2021-07-25 10:27:21
CVE-2018-3646
2021-01-24 22:39:20
suse
suse
Security update for spectre-meltdown-checker (moderate)
2021-08-27 00:00:00
Security update for xen (important)
2018-08-19 15:10:45
Security update for spectre-meltdown-checker (moderate)
2021-08-31 00:00:00
cve
cve
CVE-2017-5753
2018-01-04 13:29:00
CVE-2018-3646
2018-08-14 19:29:00
vmware
vmware
VMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability.
2018-08-14 00:00:00
VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.
2018-01-03 00:00:00
VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.
2018-01-03 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for kvm (EulerOS-SA-2018-1350)
2020-01-23 00:00:00
Ubuntu Update for nvidia-graphics-drivers-384 USN-3521-1
2018-01-10 00:00:00
openSUSE: Security Advisory for xen (openSUSE-SU-2018:2436-1)
2018-10-26 00:00:00
ibm
ibm
Security Bulletin: IBM Db2 Warehouse has released a fix in response to the vulnerability known as Spectre (CVE-2017-5753)
2018-06-16 14:18:55
Security Bulletin: IBM DataPower Gateway has released a fixpack in response to the vulnerability known as Spectre.
2021-06-08 22:18:27
Security Bulletin: IBM Data Risk Manager has released VM v2.0.1 in response to the vulnerability known as Spectre.
2018-06-16 22:05:23
alpinelinux
alpinelinux
CVE-2017-5753
2018-01-04 13:29:00
thn
thn
NetSpectre — New Remote Spectre Attack Steals Data Over the Network
2018-07-27 08:31:00
New SpookJS Attack Bypasses Google Chrome's Site Isolation Protection
2021-09-13 07:54:00
GhostRace – New Data Leak Vulnerability Affects Modern CPUs
2024-03-15 17:46:00
osv
osv
CVE-2017-5753
2018-01-04 13:29:00
CVE-2018-3646
2018-08-14 19:29:00
linux-4.9 - security update
2018-08-28 00:00:00
slackware
slackware
[slackware-security] Slackware 14.2 kernel
2018-02-26 23:17:47
f5
f5
Virtual Machine Manager L1 Terminal Fault vulnerability CVE-2018-3646
2018-10-04 15:26:00
veracode
veracode
Information Disclosure
2019-05-16 03:11:25
apple
apple
About the security content of macOS High Sierra 10.13.2 Supplemental Update
2018-01-08 00:00:00
About the security content of Safari 11.0.2 - Apple Support
2018-01-08 10:29:34
About the security content of iOS 11.2.2
2018-01-08 00:00:00
oraclelinux
oraclelinux
Unbreakable Enterprise kernel security update
2018-01-18 00:00:00
Unbreakable Enterprise kernel security update
2018-01-05 00:00:00
kernel security update
2018-02-23 00:00:00
msrc
msrc
Speculative Execution Bounty Launch
2018-03-15 00:00:04
fedora
fedora
[SECURITY] Fedora 27 Update: webkitgtk4-2.18.5-1.fc27
2018-01-12 14:44:12
[SECURITY] Fedora 28 Update: kernel-headers-4.17.14-3.fc28
2018-08-16 08:08:45
[SECURITY] Fedora 26 Update: webkitgtk4-2.18.5-1.fc26
2018-01-18 21:11:25
intel
intel
Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
2021-05-11 00:00:00
mageia
mageia
Updated kernel packages fix security vulnerabilities
2018-02-11 21:42:57
Updated webkit2 packages fix security vulnerabilities
2018-01-14 19:54:13
Updated nvidia-current packages mitigates security issues
2018-01-13 17:28:36
freebsd
freebsd
FreeBSD -- L1 Terminal Fault (L1TF) Kernel Information Disclosure
2018-08-14 00:00:00
redhat
redhat
(RHSA-2018:2404) Important: rhev-hypervisor7 security update
2018-08-15 15:14:04
(RHSA-2018:2602) Important: kernel security update
2018-08-29 18:04:28
(RHSA-2018:2389) Important: kernel security update
2018-08-14 18:50:42
debian
debian
[SECURITY] [DSA 4274-1] xen security update
2018-08-16 20:47:43
[SECURITY] [DSA 4279-1] linux security update
2018-08-20 11:44:32
[SECURITY] [DLA 1481-1] linux-4.9 security update
2018-08-28 17:10:51
freebsd_advisory
freebsd_advisory
FreeBSD-SA-18:09.l1tf
2018-08-14 00:00:00
packetstorm
packetstorm
Spectre Information Disclosure Proof Of Concept
2018-01-04 00:00:00
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-1.0-0098
2018-01-11 00:00:00
zdt
zdt
Multiple CPUs - Spectre Information Disclosure (PoC) Exploit
2018-01-04 00:00:00
threatpost
threatpost
Apple Releases Spectre Patches for Safari, macOS and iOS
2018-01-08 16:57:57
kaspersky
kaspersky
KLA11173 OSI vulnerability in VMware Products
2018-01-09 00:00:00
xen
xen
L1 Terminal Fault speculative side channel
2018-08-14 17:15:00
huawei
huawei
Security Advisory - CPU Vulnerabilities Meltdown and Spectre
2018-06-06 00:00:00
seebug
seebug
Reading privileged memory with a side-channel (Meltdown & Spectre)
2018-01-04 00:00:00
nvidia
nvidia
Security Bulletin: NVIDIA Jetson TX1, Jetson TK1, and Tegra K1 L4T Security Updates for CPU Speculative Side Channel Vulnerabilities
2018-01-05 00:00:00
JSON
Related for XSA-289
nessus84prion2ubuntucve3ubuntu7canvas2debiancve2redhatcve4suse5cve2vmware3openvas20ibm10alpinelinux1thn3osv4slackware1f51veracode1apple6oraclelinux3msrc1fedora4intel1mageia3freebsd1redhat11debian4freebsd_advisory1packetstorm1photon1zdt1threatpost1kaspersky1xen1huawei1seebug1nvidia1