CVSS3: 5.5 Medium
Attack Vector LOCAL, Attack Complexity LOW, Privileges Required LOW, User Interaction NONE, Scope UNCHANGED, Confidentiality Impact HIGH, Integrity Impact NONE, Availability Impact NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS2: 2.1 Low
Access Vector LOCAL, Access Complexity LOW, Authentication NONE, Confidentiality Impact PARTIAL, Integrity Impact NONE, Availability Impact NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
EPSS: 0.001 Low, Percentile 17.9%
This issue is related to the MDS and TAA vulnerabilities. Please see https://xenbits.xen.org/xsa/advisory-297.html (MDS) and https://xenbits.xen.org/xsa/advisory-305.html (TAA) for details. An attacker, which could include a malicious untrusted user process on a trusted guest, or an untrusted guest, can sample the contents of certain off-core accesses by other cores in the system. Systems running all versions of Xen are affected.
Special Register Buffer speculative side channel
ISSUE DESCRIPTION
Certain processor operations microarchitecturally need to read data from outside the physical core (e.g. to communicate with the random number generator). In some implementations, this operation is called a Special Register Read.
In some implementations, data are staged in a single shared buffer, and a full cache line at a time is returned to the core which made the Special Register Read. On parts vulnerable to MFBDS or TAA, an attacker may be able to access stale data requested by other cores in the system.
For more details, see:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00320.html
https://software.intel.com/security-software-guidance/processors-affected-transient-execution-attack-mitigation-product-cpu-model
IMPACT
This can include data whose use may depend on the secrecy of the value, such as data from the Random Number Generator (e.g. RDRAND/RDSEED instructions).
VULNERABLE SYSTEMS
Only x86 processors are vulnerable. ARM processors are not believed to be vulnerable.
Only Intel based processors are affected. Processors from other manufacturers (e.g. AMD) are not believed to be vulnerable.
Please consult the Intel Security Advisory for details on the affected processors.