Allele Security Alert
ASA-2019-00278
Identifier(s)
ASA-2019-00278, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, XSA-297
Title
Microarchitectural Data Sampling speculative side channel
Vendor(s)
Linux Foundation
Product(s)
Xen
Affected version(s)
All supported versions of Xen running on Intel-based x86 processors are affected
Fixed version(s)
Systems with the following patches applied:
xsa297/xsa297-unstable-*.patch xen-unstable
xsa297/xsa297-4.12-*.patch Xen 4.12.x
xsa297/xsa297-4.11-*.patch Xen 4.11.x
xsa297/xsa297-4.10-*.patch Xen 4.10.x
xsa297/xsa297-4.9-*.patch Xen 4.9.x
xsa297/xsa297-4.8-*.patch Xen 4.8.x
xsa297/xsa297-4.7-*.patch Xen 4.7.x
Proof of concept
Unknown
Description
Microarchitectural Data Sampling refers to a group of speculative side channel vulnerabilities. They consist of:
- CVE-2018-12126 – MSBDS – Microarchitectural Store Buffer Data Sampling
- CVE-2018-12127 – MLPDS – Microarchitectural Load Port Data Sampling
- CVE-2018-12130 – MFBDS – Microarchitectural Fill Buffer Data Sampling
- CVE-2019-11091 – MDSUM – Microarchitectural Data Sampling Uncacheable Memory
These issues pertain to the Load Ports, Store Buffers and Fill Buffers in the pipeline. The Load Ports are used to service all memory reads. The Store Buffers service all in-flight speculative writes (including IO Port writes), while the Fill Buffers service all memory writes that are post-retirement and no longer speculative.
Under certain circumstances, a later load that takes a fault or assist (an internal processor condition, for example setting a pagetable Access or Dirty bit) may be forwarded stale data from these buffers during speculative execution, which may then be leaked through a side channel.
MDSUM (Uncacheable Memory) is a special case of the other three. Previously, the use of uncacheable memory was believed to be safe against speculative side channels.
An attacker, which could include a malicious untrusted user process on a trusted guest, or an untrusted guest, can sample the content of recently used memory operands and IO Port writes.
This can include data from:
- A previous execution context (process, guest or hypervisor/toolstack) at the same privilege level.
- A higher privilege context (kernel, hypervisor, SMM) that interrupted the attacker's execution.
Vulnerable data is that on the same physical core as the attacker. This includes, when hyper-threading is enabled, adjacent threads.
An attacker cannot use this vulnerability to target specific data. An attack would likely require sampling over a period of time and the application of statistical methods to reconstruct interesting data.
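Because exposure is bounded by the physical core, an operator can audit which domains currently have vCPUs on sibling threads of the same core. The following is an added example, not part of the original alert or of the Xen project's code; it assumes the table layouts of `xl info -n` and `xl vcpu-list`, uses constructed sample output, and assumes domain names without spaces.

```python
from collections import defaultdict

# Constructed sample of the cpu_topology table printed by `xl info -n`.
XL_INFO_TOPOLOGY = """\
cpu:    core    socket     node
  0:       0        0        0
  1:       0        0        0
  2:       1        0        0
  3:       1        0        0
"""

# Constructed sample of `xl vcpu-list` (columns: Name ID VCPU CPU State ...).
XL_VCPU_LIST = """\
Name                                ID  VCPU   CPU State   Time(s) Affinity (Hard / Soft)
Domain-0                             0     0    0   r--     120.4  0 / all
Domain-0                             0     1    1   -b-      98.1  1 / all
tenant-a                             1     0    2   r--      51.7  2 / all
tenant-b                             2     0    3   -b-      47.3  3 / all
"""

def parse_topology(text):
    """Map logical CPU number -> (socket, core) from the topology table."""
    cpu_to_core = {}
    for line in text.splitlines():
        head, _, rest = line.partition(":")
        fields = rest.split()
        if head.strip().isdigit() and len(fields) >= 2 and all(f.isdigit() for f in fields[:2]):
            cpu_to_core[int(head)] = (int(fields[1]), int(fields[0]))
    return cpu_to_core

def parse_vcpus(text):
    """Yield (domain, CPU) per vCPU; rows whose CPU column is '-' are skipped."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[3].isdigit():
            yield fields[0], int(fields[3])

def shared_cores(topology_text, vcpu_text):
    """Return {(socket, core): sorted domain names} for cores used by 2+ domains."""
    cpu_to_core = parse_topology(topology_text)
    domains_on_core = defaultdict(set)
    for domain, cpu in parse_vcpus(vcpu_text):
        if cpu in cpu_to_core:
            domains_on_core[cpu_to_core[cpu]].add(domain)
    return {core: sorted(d) for core, d in domains_on_core.items() if len(d) > 1}

if __name__ == "__main__":
    for (socket, core), domains in sorted(shared_cores(XL_INFO_TOPOLOGY, XL_VCPU_LIST).items()):
        print(f"socket {socket} core {core}: shared by {', '.join(domains)}")
```

The CPU column is a snapshot of current placement, so the result only holds over time when vCPUs are pinned.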
Technical details
Unknown
Credits
Unknown
Reference(s)
Microarchitectural Data Sampling speculative side channel
https://xenbits.xen.org/xsa/advisory-297.html
Xen Security Advisory 297 v1 (CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2019-11091) – Microarchitectural Data Sampling speculative side channel
https://seclists.org/oss-sec/2019/q2/111
xsa297-4.7-1.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.7-1.patch
xsa297-4.7-2.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.7-2.patch
xsa297-4.7-3.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.7-3.patch
xsa297-4.7-4.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.7-4.patch
xsa297-4.7-5.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.7-5.patch
xsa297-4.7-6.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.7-6.patch
xsa297-4.7-7.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.7-7.patch
xsa297-4.7-8.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.7-8.patch
xsa297-4.8-1.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.8-1.patch
xsa297-4.8-2.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.8-2.patch
xsa297-4.8-3.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.8-3.patch
xsa297-4.8-4.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.8-4.patch
xsa297-4.8-5.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.8-5.patch
xsa297-4.8-6.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.8-6.patch
xsa297-4.8-7.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.8-7.patch
xsa297-4.8-8.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.8-8.patch
xsa297-4.9-1.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.9-1.patch
xsa297-4.9-2.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.9-2.patch
xsa297-4.9-3.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.9-3.patch
xsa297-4.9-4.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.9-4.patch
xsa297-4.9-5.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.9-5.patch
xsa297-4.9-6.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.9-6.patch
xsa297-4.9-7.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.9-7.patch
xsa297-4.9-8.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.9-8.patch
xsa297-4.10-1.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.10-1.patch
xsa297-4.10-2.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.10-2.patch
xsa297-4.10-3.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.10-3.patch
xsa297-4.10-4.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.10-4.patch
xsa297-4.10-5.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.10-5.patch
xsa297-4.10-6.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.10-6.patch
xsa297-4.10-7.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.10-7.patch
xsa297-4.11-1.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.11-1.patch
xsa297-4.11-2.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.11-2.patch
xsa297-4.11-3.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.11-3.patch
xsa297-4.11-4.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.11-4.patch
xsa297-4.11-5.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.11-5.patch
xsa297-4.11-6.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.11-6.patch
xsa297-4.11-7.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.11-7.patch
xsa297-4.12-1.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.12-1.patch
xsa297-4.12-2.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.12-2.patch
xsa297-4.12-3.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.12-3.patch
xsa297-4.12-4.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.12-4.patch
xsa297-4.12-5.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.12-5.patch
xsa297-4.12-6.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.12-6.patch
xsa297-4.12-7.patch
https://xenbits.xen.org/xsa/xsa297/xsa297-4.12-7.patch
CVE-2018-12126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126
CVE-2018-12126
https://nvd.nist.gov/vuln/detail/CVE-2018-12126
CVE-2018-12127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127
CVE-2018-12127
https://nvd.nist.gov/vuln/detail/CVE-2018-12127
CVE-2018-12130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130
CVE-2018-12130
https://nvd.nist.gov/vuln/detail/CVE-2018-12130
CVE-2019-11091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091
CVE-2019-11091
https://nvd.nist.gov/vuln/detail/CVE-2019-11091
If you found an error in this alert or would like a comprehensive analysis, please get in touch.
Last modified: 17 May 2019