We have just published Qubes Security Bulletin (QSB) 083: Retbleed: Arbitrary speculative code execution with return instructions (XSA-407). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-083 in the qubes-secpack:
In addition, you may wish to:
- Get the qubes-secpack: https://www.qubes-os.org/security/pack/
- View all past QSBs: https://www.qubes-os.org/security/qsb/
- View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 083 ]===--- 2022-07-12 Retbleed Arbitrary speculative code execution with return instructions (XSA-407) User action required --------------------- Users must install the following specific packages in order to address the issues discussed in this bulletin: For Qubes 4.0, in dom0: - Xen packages, version 4.8.5-43 For Qubes 4.1, in dom0: - Xen packages, version 4.14.5-6 These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community.  Once available, the packages are to be installed via the Qubes Update tool or its command-line equivalents.  Dom0 must be restarted afterward in order for the updates to take effect. If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Xen binaries. Summary -------- On 2022-07-12, the Xen Project published XSA-407, "Retbleed - arbitrary speculative code execution with return instructions" : | Researchers at ETH Zurich have discovered Retbleed, allowing for | arbitrary speculative execution in a victim context. | | For more details, see: | https://comsec.ethz.ch/retbleed | | ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for | Intel. | | Despite the similar preconditions, these are very different | microarchitectural behaviours between vendors. | | On AMD CPUs, Retbleed is one specific instance of a more general | microarchitectural behaviour called Branch Type Confusion. AMD have | assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type | Confusion). | | For more details, see: | https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037 | | On Intel CPUs, Retbleed is not a new vulnerability; it is only | applicable to software which did not follow Intel's original | Spectre-v2 guidance. Intel are using the ETH Zurich allocated | CVE-2022-29901. | | For more details, see: | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html | https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html | | ARM have indicated existing guidance on Spectre-v2 is sufficient. Impact ------- This is yet another speculative execution issue, which allows an attacker to infer content of memory they shouldn't have access to. This includes one VM extracting secrets from another. Any VM can perform this attack on an affected hardware. AMD systems based on Zen 1 - Zen 2 microarchitectures are affected. Specifically those are AMD Ryzen processors with model names 1xxx - 4xxx and some 5xxxU . Zen 3 microarchitecture (AMD Ryzen 5xxx or newer) are not affected. Pre-existing Xen mitigations on Intel machines are effective to prevent this issue, so Intel systems are not affected. Credits -------- See the original Xen Security Advisory. References -----------  https://www.qubes-os.org/doc/testing/  https://www.qubes-os.org/doc/how-to-update/  https://xenbits.xen.org/xsa/advisory-407.html  Unlike other 5xxxU models, Ryzen 3 5300U, Ryzen 5 5500U and Ryzen 7 5700U are Zen 2, not Zen 3. See https://en.wikipedia.org/wiki/Zen2 https://en.wikipedia.org/wiki/Zen3 -- The Qubes Security Team https://www.qubes-os.org/security/