CVE-2021-28689 Information

Description

x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests 32-bit x86 PV guest kernels run in ring 1. At the time when Xen was developed this area of the i386 architecture was rarely used which is why Xen was able to use it to implement paravirtualisation Xen’s novel approach to virtualization. In AMD64 Xen had to use a different implementation approach so Xen does not use ring 1 to support 64-bit guests. With the focus now being on 64-bit systems and the availability of explicit hardware support for virtualization fixing speculation issues in ring 1 is not a priority for processor companies. Indirect Branch Restricted Speculation (IBRS) is an architectural x86 extension put together to combat speculative execution sidechannel attacks including Spectre v2. It was retrofitted in microcode to existing CPUs. For more details on Spectre v2 see: http://xenbits.xen.org/xsa/advisory-254.html However IBRS does not architecturally protect ring 0 from predictions learnt in ring 1. For more details see: https://software.intel.com/security-software-guidance/deep-dives/deep-dive-indirect-branch-restricted-speculation Similar situations may exist with other mitigations for other kinds of speculative execution attacks. The situation is quite likely to be similar for speculative execution attacks which have yet to be discovered disclosed or mitigated.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

https://xenbits.xenproject.org/xsa/advisory-370.txt

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

5.5