https://xenbits.xen.org/xsa/advisory-297.html (MDS) and Special Register Buffer speculative side channel - vulnerability database | Vulners.comhttps://xenbits.xen.org/xsa/advisory-297.html (MDS) and https://xenbits.xen.org/xsa/advisory-297.html (MDS) and https://xenbits.xen.org/xsa/advisory-297.html (MDS) and
Lucene search

K
xenXen ProjectXSA-320
HistoryJun 09, 2020 - 4:33 p.m.

Special Register Buffer speculative side channel

2020-06-0916:33:00
Xen Project
xenbits.xen.org
41

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

18.0%

ISSUE DESCRIPTION

This issue is related to the MDS and TAA vulnerabilities. Please see <a href=“https://xenbits.xen.org/xsa/advisory-297.html”>https://xenbits.xen.org/xsa/advisory-297.html</a> (MDS) and <a href=“https://xenbits.xen.org/xsa/advisory-305.html”>https://xenbits.xen.org/xsa/advisory-305.html</a> (TAA) for details.
Certain processor operations microarchitecturally need to read data from outside the physical core (e.g. to communicate with the random number generator). In some implementations, this operation is called a Special Register Read.
In some implementations, data are staged in a single shared buffer, and a full cache line at a time is returned to the core which made the Special Register Read. On parts vulnerable to MFBDS or TAA, an attacker may be able to access stale data requested by other cores in the system.
For more details, see: <a href=“https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00320.html”>https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00320.html</a> <a href=“https://software.intel.com/security-software-guidance/processors-affected-transient-execution-attack-mitigation-product-cpu-model”>https://software.intel.com/security-software-guidance/processors-affected-transient-execution-attack-mitigation-product-cpu-model</a>

IMPACT

An attacker, which could include a malicious untrusted user process on a trusted guest, or an untrusted guest, can sample the contents of certain off-core accesses by other cores in the system.
This can include data whose use may depend on the secrecy of the value, such as data from the Random Number Generator (e.g. RDRAND/RDSEED instructions).

VULNERABLE SYSTEMS

Systems running all versions of Xen are affected.
Only x86 processors are vulnerable. ARM processors are not believed to be vulnerable.
Only Intel based processors are affected. Processors from other manufacturers (e.g. AMD) are not believed to be vulnerable.
Please consult the Intel Security Advisory for details on the affected processors.

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

18.0%