
Re: [oss-security] Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions
On 12/07/2022 20:34, Salvatore Bonaccorso wrote:
> Hi,
>
> On Tue, Jul 12, 2022 at 09:27:07PM +0200, Salvatore Bonaccorso wrote:
>> Hi,
>>
>> On Tue, Jul 12, 2022 at 04:36:10PM +0000, Xen.org security team wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> Xen Security Advisory CVE-2022-23816,CVE-2022-23825,CVE-2022-29900 / XSA-407
>>>
>>> Retbleed - arbitrary speculative code execution with return instructions
>>>
>>> ISSUE DESCRIPTION
>>> =================
>>>
>>> Researchers at ETH Zurich have discovered Retbleed, allowing for
>>> arbitrary speculative execution in a victim context.
>>>
>>> For more details, see:
>>> https://comsec.ethz.ch/retbleed
>>>
>>> ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for
>>> Intel.
>>>
>>> Despite the similar preconditions, these are very different
>>> microarchitectural behaviours between vendors.
>>>
>>> On AMD CPUs, Retbleed is one specific instance of a more general
>>> microarchitectural behaviour called Branch Type Confusion. AMD have
>>> assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type
>>> Confusion).
>>>
>>> For more details, see:
>>> https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037
>> Is it confirmed that AMD is not using CVE-2022-29900? The above
>> amd-sb-1037 references as well both CVE-2022-23825 (Branch Type
>> Confusion) and CVE-2022-29900 (RETbleed), so I assume they agreed to
>> use CVE-2022-29900 for retbleed?
>>
>> So should the Xen advisory as well use CVE-2022-23825,CVE-2022-29900
>> and CVE-2022-29901?
> Never mind, I misunderstood the wording; the advisory mentions all the
> related CVEs correctly and I made a thinko. It might turn out
> that CVE-2022-23816 will not be used, but then the title would read
> only as
>
> Xen Security Advisory CVE-2022-23825,CVE-2022-29900 / XSA-407
>
> So please disregard the question above.

/sigh

AMD changed the CVE in the bulletin between the final draft, and what
went public.

CVE-2022-23816 has been referenced by multiple other vendors too, so is
definitely out in the world.  Hopefully MITRE will close out one of
CVE-2022-23816 and CVE-2022-29900 as a dup of the other.

For now, I think the least confusing option is to keep both referenced.

~Andrew
Re: [oss-security] Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed - arbitrary speculative code execution with return instructions
Hi,

On Tue, Jul 12, 2022 at 04:36:10PM +0000, Xen.org security team wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Xen Security Advisory CVE-2022-23816,CVE-2022-23825,CVE-2022-29900 / XSA-407
>
> Retbleed - arbitrary speculative code execution with return instructions
>
> ISSUE DESCRIPTION
> =================
>
> Researchers at ETH Zurich have discovered Retbleed, allowing for
> arbitrary speculative execution in a victim context.
>
> For more details, see:
> https://comsec.ethz.ch/retbleed
>
> ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for
> Intel.
>
> Despite the similar preconditions, these are very different
> microarchitectural behaviours between vendors.
>
> On AMD CPUs, Retbleed is one specific instance of a more general
> microarchitectural behaviour called Branch Type Confusion. AMD have
> assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type
> Confusion).
>
> For more details, see:
> https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037

Is it confirmed that AMD is not using CVE-2022-29900? The above
amd-sb-1037 references as well both CVE-2022-23825 (Branch Type
Confusion) and CVE-2022-29900 (RETbleed), so I assume they agreed to
use CVE-2022-29900 for retbleed?

So should the Xen advisory as well use CVE-2022-23825,CVE-2022-29900
and CVE-2022-29901?

Regards,
Salvatore