Special Register Buffer speculative side channel - vulnerability database | Vulners.com

Xen Project XSA-320
History: Jun 09, 2020 - 4:33 p.m.

Special Register Buffer speculative side channel

2020-06-09 16:33:00
Xen Project
xenbits.xen.org

CVSS2: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

CVSS3: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.001 (percentile 19.4%)

ISSUE DESCRIPTION

This issue is related to the MDS and TAA vulnerabilities. Please see <a href="https://xenbits.xen.org/xsa/advisory-297.html">https://xenbits.xen.org/xsa/advisory-297.html</a> (MDS) and <a href="https://xenbits.xen.org/xsa/advisory-305.html">https://xenbits.xen.org/xsa/advisory-305.html</a> (TAA) for details.
Certain processor operations microarchitecturally need to read data from outside the physical core (e.g. to communicate with the random number generator). In some implementations, this operation is called a Special Register Read.
In some implementations, data are staged in a single shared buffer, and a full cache line at a time is returned to the core which made the Special Register Read. On parts vulnerable to MFBDS (the fill-buffer variant of MDS) or TAA, an attacker may be able to access stale data requested by other cores in the system.
For more details, see: <a href="https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00320.html">https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00320.html</a> and <a href="https://software.intel.com/security-software-guidance/processors-affected-transient-execution-attack-mitigation-product-cpu-model">https://software.intel.com/security-software-guidance/processors-affected-transient-execution-attack-mitigation-product-cpu-model</a>

IMPACT

An attacker, who could be a malicious untrusted user process in a trusted guest, or an untrusted guest, can sample the contents of certain off-core accesses made by other cores in the system.
This can include data whose use may depend on the secrecy of the value, such as output from the Random Number Generator (e.g. the RDRAND/RDSEED instructions).

VULNERABLE SYSTEMS

Systems running all versions of Xen are affected.
Only x86 processors are vulnerable. ARM processors are not believed to be vulnerable.
Only Intel-based processors are affected. Processors from other manufacturers (e.g. AMD) are not believed to be vulnerable.
Please consult the Intel Security Advisory for details on the affected processors.
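A host-side check that fits the scope above, added here as an example and not taken from the Xen advisory or the Xen code base: Linux reports the SRBDS state in /sys/devices/system/cpu/vulnerabilities/srbds, with the status strings documented in the kernel's admin-guide (these strings and the path are assumptions drawn from that documentation, not from this page). The important caveat for Xen users is that a guest kernel cannot see the host's microcode or MSR state, so inside a domU it reports "Unknown: Dependent on hypervisor status"; the authoritative answer has to come from dom0 or from the hypervisor's own mitigation report. The sample status values below are constructed for illustration.

```python
"""Classify the Linux SRBDS (XSA-320 / Intel SA-00320) status of one or more hosts.

Assumptions (from the Linux kernel hw-vuln documentation, not from the advisory):
  * the status lives in /sys/devices/system/cpu/vulnerabilities/srbds;
  * possible values are "Not affected", "Vulnerable", "Vulnerable: No microcode",
    "Mitigation: Microcode", "Mitigation: TSX disabled" and
    "Unknown: Dependent on hypervisor status" (what a Xen guest sees).
"""
from pathlib import Path
from typing import Dict, Optional

SRBDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/srbds")

# Constructed sample outputs, keyed by a hypothetical host name.
SAMPLE_STATUSES: Dict[str, Optional[str]] = {
    "dom0-updated":     "Mitigation: Microcode\n",
    "dom0-stale-ucode": "Vulnerable: No microcode\n",
    "dom0-tsx-off":     "Mitigation: TSX disabled\n",
    "domU-guest":       "Unknown: Dependent on hypervisor status\n",
    "amd-host":         "Not affected\n",
    "old-kernel":       None,   # kernel predates the sysfs entry
}


def classify_srbds(status: Optional[str]) -> str:
    """Map a sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    if status is None or not status.strip():
        return "unknown"            # no sysfs file: the kernel cannot tell us
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"          # microcode present, or TSX disabled on TAA parts
    if s.startswith("Vulnerable"):
        return "vulnerable"         # "Vulnerable" and "Vulnerable: No microcode"
    return "unknown"                # "Unknown: Dependent on hypervisor status"


def read_srbds_status(path: Path = SRBDS_SYSFS) -> Optional[str]:
    """Read the live sysfs entry; None when this kernel does not expose it."""
    try:
        return path.read_text()
    except OSError:
        return None


def action_for(status: Optional[str]) -> str:
    """Operator guidance for a single status value."""
    return {
        "not_affected": "no action",
        "mitigated": "no action; keep microcode current",
        "vulnerable": "apply the Intel SA-00320 microcode and reboot the host",
        "unknown": "cannot judge here; check from dom0 or the hypervisor",
    }[classify_srbds(status)]


def audit(statuses: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify every host in a {name: status} mapping."""
    return {name: classify_srbds(st) for name, st in statuses.items()}


if __name__ == "__main__":
    for host, st in SAMPLE_STATUSES.items():
        print(f"{host:18s} {classify_srbds(st):13s} {action_for(st)}")
    live = read_srbds_status()
    print("this machine:", classify_srbds(live), "->", action_for(live))
```

Run it in dom0 to get the real answer for the host; run it in a guest only to confirm that the guest cannot decide the question for itself.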
