CVSS2: AV:L/AC:L/Au:N/C:P/I:N/A:N
  Attack Vector: LOCAL, Attack Complexity: LOW, Authentication: NONE
  Confidentiality Impact: PARTIAL, Integrity Impact: NONE, Availability Impact: NONE
CVSS3: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  Attack Vector: LOCAL, Attack Complexity: LOW, Privileges Required: LOW, User Interaction: NONE
  Scope: CHANGED, Confidentiality Impact: HIGH, Integrity Impact: NONE, Availability Impact: NONE
EPSS Percentile: 31.1%
Researchers at ETH Zurich have discovered Retbleed, allowing for arbitrary speculative execution in a victim context.
For more details, see: https://comsec.ethz.ch/retbleed
ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for Intel.
Despite the similar preconditions, these are very different microarchitectural behaviours between vendors.
On AMD CPUs, Retbleed is one specific instance of a more general microarchitectural behaviour called Branch Type Confusion. AMD have assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type Confusion).
For more details, see: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037
On Intel CPUs, Retbleed is not a new vulnerability; it is only applicable to software which did not follow Intel’s original Spectre-v2 guidance. Intel are using the ETH Zurich allocated CVE-2022-29901.
For more details, see: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html and https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html
ARM have indicated existing guidance on Spectre-v2 is sufficient.
An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.
Systems running all versions of Xen are affected.
Whether a CPU is potentially vulnerable depends on its microarchitecture. Consult your hardware vendor.
For ARM and Intel CPUs, Xen implemented the vendor-recommended defaults in XSA-254 and follow-on fixes. Therefore, the Xen Security Team believes there are no further changes necessary on these CPUs. Administrators who deviated from the default mitigations are potentially affected and should re-evaluate their threat model.
For AMD, CPUs from the Zen2 microarchitecture and earlier are potentially vulnerable. Zen3 and later CPUs are not believed to be vulnerable.
The patches for Xen implement the IBPB-at-entry mitigation. This depends on the IBPB microcode distributed by AMD in 2018 as part of the original Spectre/Meltdown work. Consult your dom0 OS vendor.
In addition to IBPB, "cross thread" safety is necessary. On Zen2 CPUs, Xen uses STIBP by default. On Zen1 CPUs, SMT needs disabling, either in the firmware or by passing smt=0 on Xen's command line. On Fam15h CPUs, Cluster Multi-Threading needs disabling in firmware.
Due to performance concerns, dom0 is excluded from IBPB-on-entry protections by default. This is because PV dom0 is trusted in most deployments. If your threat model doesn't allow for dom0 to be treated specially, boot with spec-ctrl=ibpb-entry on Xen's command line, which will cause IBPB-on-entry protections to be applied to dom0 too.