We have just published Qubes Security Bulletin (QSB) 069: Multiple Xen and Intel issues. The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-069 in the qubes-secpack:
Learn about the qubes-secpack, including how to obtain, verify, and read it:
View all past QSBs:
---===[ Qubes Security Bulletin 069 ]===--- 2021-06-08 Multiple Xen and Intel issues (XSA-373, XSA-374, XSA-375, XSA-377, INTEL-SA-00442) User action required ===================== Users must install the following specific packages in order to address the issues discussed in this bulletin: For Qubes 4.0, in dom0: - Xen packages, version 4.8.5-34 - Linux kernel packages, versions 5.12.9-1 (for users of the "latest" kernel flavor) - microcode_ctl package, version 2.1-33.qubes1 (for Intel CPU users) For Qubes 4.1, in dom0: - Xen packages, version 4.14.1-5 - Linux kernel packages, versions 5.10.42-1, 5.12.9-1 (for users of the "latest" kernel flavor) - microcode_ctl package, version 2.1-33.qubes1 (for Intel CPU users) These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community.  Once available, the packages are to be installed via the Qubes Update Tool or its command-line equivalents.  Dom0 must be restarted afterward in order for the updates to take effect. If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Xen binaries. Summary ======== The following security advisories were published on 2021-06-08: XSA-373  "Inappropriate x86 IOMMU timeout detection / handling": | IOMMUs process commands issued to them in parallel with the operation | of the CPU(s) issuing such commands. In the current implementation in | Xen, asynchronous notification of the completion of such commands is | not used. Instead, the issuing CPU spin-waits for the completion of | the most recently issued command(s). Some of these waiting loops try | to apply a timeout to fail overly-slow commands. The course of action | upon a perceived timeout actually being detected is inappropriate: | - on Intel hardware guests which did not originally cause the timeout | may be marked as crashed, | - on AMD hardware higher layer callers would not be notified of the | issue, making them continue as if the IOMMU operation succeeded. XSA-374  "Guest triggered use-after-free in Linux xen-netback": | A malicious or buggy network PV frontend can force Linux netback to | disable the interface and terminate the receive kernel thread | associated with queue 0 in response to the frontend sending a | malformed packet. | | Such kernel thread termination will lead to a use-after-free in Linux | netback when the backend is destroyed, as the kernel thread associated | with queue 0 will have already exited and thus the call to | kthread_stop will be performed against a stale pointer. XSA-375  "Speculative Code Store Bypass": | Modern superscalar processors may employ sophisticated decoding and | caching of the instruction stream to improve performance. However, a | consequence is that self-modifying code updates may not take effect | instantly. | | Whatever the architectural guarantees, some CPUs have | microarchitectural behaviour whereby the stale instruction stream may | be speculatively decoded and executed. | | Speculation of this form can suffer from type confusion in registers, | and potentially leak data. XSA-377  "x86: TSX Async Abort protections not restored after S3": | This issue relates to the TSX Async Abort speculative security | vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html | for details. | | Mitigating TAA by disabling TSX (the default and preferred option) | requires selecting a non-default setting in MSR_TSX_CTRL. This | setting isn't restored after S3 suspend. INTEL-SA-00442  "Intel® VT-d Advisory": | A potential security vulnerability in some Intel® Virtualization | Technology for Directed I/0 (VT-d) products may allow escalation of | privilege. Intel is releasing firmware updates to mitigate this | potential vulnerability. Impact ======= XSA-373: As the Xen Security Team explains, "A malicious guest may be able to elevate its privileges to that of the host, cause host or guest Denial of Service (DoS), or cause information leaks." Only a guest with a PCI device can leverage this vulnerability, such as `sys-net` or `sys-usb` in a default Qubes OS configuration. XSA-374: A malicious or buggy VM can trigger its network-providing VM to crash. In a typical installation, the affected network-providing VM would be `sys-firewall` or `sys-whonix`. Privilege escalation (to the network-providing VM) and information leaks cannot be ruled out. The issue affects only Linux kernel version 5.5 and newer. By default, Qubes OS R4.0 uses Linux 5.4.x and is therefore not affected. However, if the user has manually installed a newer, affected kernel version (e.g., using the `kernel-latest-qubes-vm` package), then that installation is affected. XSA-375: As explained by the Xen Security Team, "An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests." XSA-377: The impact is the same as XSA-305, which we explained in QSB-053 : | An attacker, which could include a malicious untrusted user process on | a trusted guest, or an untrusted guest, can sample the content of | recently-used memory operands and IO Port writes. | | This can include data from: | | * A previously executing context (process, or guest, or | hypervisor/toolstack) at the same privilege level. | * A higher privilege context (kernel, hypervisor, SMM) which | interrupted the attacker's execution. | | Vulnerable data is that on the same physical core as the attacker. | This includes, when hyper-threading is enabled, adjacent threads. | | An attacker cannot use this vulnerability to target specific data. | An attack would likely require sampling over a period of time and the | application of statistical methods to reconstruct interesting data. INTEL-SA-00442: As explained by Intel, "Incomplete cleanup in some Intel(R) VT-d products may allow an authenticated user to potentially enable escalation of privilege via local access." Only Intel CPUs are affected. Credits ======== See the original Security Advisories. References ===========  https://www.qubes-os.org/doc/testing/  https://www.qubes-os.org/doc/updating-qubes-os/  https://xenbits.xen.org/xsa/advisory-373.html  https://xenbits.xen.org/xsa/advisory-374.html  https://xenbits.xen.org/xsa/advisory-375.html  https://xenbits.xen.org/xsa/advisory-377.html  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html  https://www.qubes-os.org/news/2019/11/13/qsb-053/ -- The Qubes Security Team https://www.qubes-os.org/security/
This is a companion discussion topic for the original entry at https://www.qubes-os.org/news/2021/06/08/qsb-069/