CVSS3: 4.7 Medium
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 1.0 Low
Access Vector: LOCAL
Access Complexity: HIGH
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:L/AC:H/Au:S/C:P/I:N/A:N

EPSS: 0.0004 Low
Percentile: 8.2%
It has been discovered that on some AMD CPUs the RAS (Return Address Stack; called RAP, Return Address Predictor, in some AMD documentation, and RSB, Return Stack Buffer, in Intel terminology) is dynamically partitioned between the non-idle threads of an SMT core. This allows an attacker running on one thread to control speculative execution on the adjacent (sibling) thread.
For more details, see: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1045
An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.
Only AMD CPUs are known to be potentially vulnerable. CPUs from other hardware vendors are not believed to be impacted.
Only the Zen1 and Zen2 microarchitectures are believed to be potentially vulnerable. Other microarchitectures are not believed to be vulnerable.
Only configurations with SMT active are potentially vulnerable. If SMT is disabled by the firmware, or at runtime with smt=0 on Xen's command line, then the platform is not vulnerable.
Xen 4.16 and later contains an optimisation, specifically:
c/s afab477fba3b ("x86/spec-ctrl: Skip RSB overwriting when safe to do so")
which, in combination with disabling 32-bit PV guests (either at compile time with CONFIG_PV32=n, or at runtime with pv=no-32 on the command line), renders Xen vulnerable to attack from PV guests.
Note: multiple downstreams are known to have backported this optimisation to older versions of Xen, so the 4.16 version cut-off is not a reliable test on its own. Consult your software vendor's documentation.
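Added triage example, not from the advisory, the AMD bulletin or the Xen project: a POSIX shell script that applies the exposure conditions listed above to text in the layout of xl info and /proc/cpuinfo. It assumes that Zen1/Zen2 correspond to AMD CPU family 23 (0x17), that the compile-time CONFIG_PV32 setting cannot be observed at runtime (so only the pv=no-32 command-line knob is checked), that Xen's boolean parser accepts smt=no/off/false alongside the smt=0 spelling the advisory gives, and that the 4.16 cut-off is upstream only, so a pre-4.16 host running with pv=no-32 is flagged for a vendor check rather than cleared. The sample inputs are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added triage helper (not from the advisory or the Xen project). Assumptions:
# Zen1/Zen2 are AMD family 23 (0x17); compile-time CONFIG_PV32 is not visible
# at runtime, so only the pv=no-32 knob is checked; the 4.16 cut-off is
# upstream only, so downstream backports still need the vendor's word.

# field <key> <text>: value of the first "key : value" line, empty if absent.
field() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# has_opt <option> <cmdline>: true if the option appears as a whole word.
has_opt() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# xen_has_rsb_skip <version>: true for Xen 4.16 or later, the releases that
# carry c/s afab477fba3b ("Skip RSB overwriting when safe to do so").
xen_has_rsb_skip() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "${major:-0}" -gt 4 ] 2>/dev/null && return 0
    [ "${major:-0}" -eq 4 ] && [ "${minor:-0}" -ge 16 ]
}

# xsa_triage <xl-info-text> <cpuinfo-text>: prints one verdict token.
xsa_triage() {
    vendor=$(field 'vendor_id' "$2")
    family=$(field 'cpu family' "$2")
    tpc=$(field 'threads_per_core' "$1")
    ver=$(field 'xen_version' "$1")
    cmdline=$(field 'xen_commandline' "$1")

    # Hardware conditions from the advisory: AMD, Zen1/Zen2, SMT active.
    [ "$vendor" = "AuthenticAMD" ] || { echo "not-vulnerable:non-amd"; return; }
    [ "$family" = "23" ] || { echo "not-vulnerable:not-zen1-zen2"; return; }
    # smt=0 is the spelling the advisory gives; Xen's boolean parser also
    # accepts no/off/false (assumed here), and firmware-disabled SMT shows
    # up as one thread per core.
    if [ "${tpc:-1}" -le 1 ] || has_opt smt=0 "$cmdline" || has_opt smt=no "$cmdline" \
            || has_opt smt=off "$cmdline" || has_opt smt=false "$cmdline"; then
        echo "not-vulnerable:smt-disabled"; return
    fi

    # PV-guest exposure needs the RSB-skip optimisation AND 32-bit PV disabled.
    if has_opt pv=no-32 "$cmdline"; then
        if xen_has_rsb_skip "$ver"; then
            echo "vulnerable:pv-guests"
        else
            echo "check-vendor:pv-no-32-on-pre-4.16"   # backport may still apply
        fi
    else
        echo "review:smt-active-pv32-runtime-enabled"  # CONFIG_PV32 unknown here
    fi
}

# Constructed sample inputs (not captured from real hosts), in the layout of
# /proc/cpuinfo and xl info.
CPUINFO_ZEN2='vendor_id       : AuthenticAMD
cpu family      : 23
model           : 49
model name      : constructed Zen2 sample'
CPUINFO_INTEL='vendor_id       : GenuineIntel
cpu family      : 6
model           : 85'
XLINFO_EXPOSED='xen_version            : 4.16.2
threads_per_core       : 2
xen_commandline        : dom0_mem=4G,max:4G pv=no-32'
XLINFO_SMT_OFF='xen_version            : 4.16.2
threads_per_core       : 2
xen_commandline        : dom0_mem=4G,max:4G pv=no-32 smt=0'
XLINFO_OLD='xen_version            : 4.15.3
threads_per_core       : 2
xen_commandline        : dom0_mem=4G,max:4G pv=no-32'

xsa_triage "$XLINFO_EXPOSED" "$CPUINFO_ZEN2"   # vulnerable:pv-guests
xsa_triage "$XLINFO_SMT_OFF" "$CPUINFO_ZEN2"   # not-vulnerable:smt-disabled
xsa_triage "$XLINFO_OLD" "$CPUINFO_ZEN2"       # check-vendor:pv-no-32-on-pre-4.16
xsa_triage "$XLINFO_EXPOSED" "$CPUINFO_INTEL"  # not-vulnerable:non-amd

# Live check, only when run on a dom0 where xl is available.
if command -v xl >/dev/null 2>&1 && [ -r /proc/cpuinfo ]; then
    xsa_triage "$(xl info 2>/dev/null)" "$(cat /proc/cpuinfo)"
fi
```

Run it in dom0 as root so that xl info succeeds; the live check at the end is skipped when xl is not present. A "review" verdict means the runtime knobs do not trigger the PV-guest condition but the build-time CONFIG_PV32 setting still has to be confirmed from the hypervisor's build configuration.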