March 2024 Security Update

New security updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

πŸ“”
To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

πŸ“‹ Summary

On the 12th or March, Intel disclosed a microarchitectural vulnerability, as well as an update to their microcode known as the 2024.1 IPU. This microcode update include mitigations for other security vulnerabilities.

On the same day, the GhostRace attack was also published by VUSec and IBM Research Europe.

Following these publications, the Xen Project published two new XSAs with patches to add mitigation code for both of these issues, but both of them are disabled for now.

πŸ”’ Implemented Mitigations

  • XSA-452: CVE-2023-28746 - x86: Register File Data Sampling. This vulnerability affects Atom processors between the Goldmont and Gracemont microarchitectures. As mentioned, the code provided with the XSA publication is disabled by default as there is a microcode update to circumvent it. If for any reason you cannot update the firmware, this can be enabled with the verw= option on Xen command-line (see below).
  • XSA-453: CVE-2024-2193 - GhostRace: Speculative Race Conditions. This is a variation of Spectre-V1, therefore impacting a wide range of systems. Using the GhostRace attack, a malicious user could, in theory, infer memory content, including the resources assigned to other guests. In actual real world, the Xen Security Team analysis haven't seen a way for this to be actually exploited in the context of Xen. Their choice was to integrate the code to mitigate the issue if needed later on, but keep it disabled under the lock-harden option.

πŸ”§ Enabling mitigations

In case you need to enable one of these options, in XCP-ng, the way to do it is through the use of the xen-cmdline tool.

The aforementioned options are for the xen command-line, therefore, you want to use the --set-xen switch.

⚠️
These parameters are not retained when you upgrade an XCP-ng hostΒ using the installation ISO. Remember to re-do this step after the upgrade.
  • To enable the mitigation for Atom processors (CVE-2023-28746):
    • /opt/xensource/libexec/xen-cmdline --set-xen verw=true
  • To enable mitigation for GhostRace attacks (CVE-2024-2193):
    • /opt/xensource/libexec/xen-cmdline --set-xen spec-ctrl=lock-harden

✨ Other changes

microcode_ctl

⚠️
Updated firmware is provided as a convenience to help mitigates hardware vulnerabilities and other bugs.
Updating your hardware's firmware remains the preferred way to update microcode, and any newer microcode found in the firmware will take precedence over the microcode we provide in XCP-ng.