A vulnerability affecting AMD Zen1 processors has been detected


If exploited, this flaw can allow attackers to gain unauthorized access to sensitive information or otherwise cause problems

A few days ago it was announced that a vulnerability had been detected affecting all AMD processors with the Zen1 microarchitecture, as well as all versions of the Xen hypervisor (already catalogued as CVE-2023-20588). It causes leakage of data used during division operations on the same CPU core when the processor handles the #DE (Divide Error) exception raised by an attempt to divide by zero.

From a practical point of view, the vulnerability can be used to set up a covert channel for transferring data between processes, sandboxed environments or virtual machines, allowing data to be exchanged without passing through the system's access control mechanisms and without resorting to system calls.

The vulnerability also allows user space to determine the outcome of a previous real or speculative execution of a DIV instruction, which matters when sensitive data is processed at a higher privilege level (for example, division may be used during cryptographic operations, and an attacker could determine the parameters of those operations).

As for the cause, the vulnerability arises because when a #DE exception occurs on division by zero, the processor speculatively returns the result of the previous division operation: a CPU with the Zen1 microarchitecture has only one divider in flight per core, and it serves the operations of different threads.

On vulnerable systems, an attacker can determine the result of a previous division operation, including those performed on the same CPU core in other contexts, for example in the kernel, in other processes, or outside the virtual machine.

All versions of Xen are vulnerable to this flaw, as are various Linux distributions such as Ubuntu, Debian, Amazon Linux 2, Fedora, SUSE and Oracle. As already mentioned, the vulnerability only appears in AMD processors based on the Zen1 microarchitecture, for example the AMD EPYC 7001, AMD Athlon 3000, AMD Ryzen 3000 with Radeon GPU, AMD Athlon PRO 3000 with Radeon Vega GPU and AMD Ryzen PRO 3000 with Radeon Vega series GPUs.

As for the solution, patches blocking the vulnerability have already been issued for the Linux kernel and the Xen hypervisor. The Xen patches overwrite the divider buffer on the return path to the guest; in essence, the issue is resolved by overwriting the divider buffer during a context switch. The fix is effective only when Simultaneous Multithreading (SMT) is disabled.

However, as with some previous speculative-execution vulnerabilities, the fix is only effective in combination with disabling SMT. For the same reasons as before, Xen does not disable SMT by default.

System administrators must therefore assess the risk of their workload and choose whether to enable or disable SMT. Xen will issue a warning if SMT is active and the user has not made an explicit choice via the smt= command line option.
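The two questions the article leaves with administrators are whether a host actually has Zen1 cores and whether SMT is still on. The following script is an added example, not code from the article or from the Xen or Linux projects: it classifies a /proc/cpuinfo fragment and reads the SMT state from sysfs. The vendor/family/model rule it uses (AuthenticAMD, CPUID family 0x17, model below 0x30) is an assumption about which models are Zen1 and Zen+, not a rule taken from the page, so treat the verdict as a first screening and rely on your distribution's advisory for the authoritative list. The sysfs path /sys/devices/system/cpu/smt/control and its values (on, off, forceoff, notsupported, notimplemented) are the documented Linux ABI. The three cpuinfo fragments are constructed samples, not captures from real hosts.

```shell
#!/bin/sh
# Added example (not from the article, Xen or Linux): screen a host for the two
# conditions the article ties together, Zen1 cores and SMT being enabled.
# Assumption: Zen1/Zen+ is CPUID family 0x17 (23) with model < 0x30 (48);
# Zen2 parts start at model 0x30.

# Constructed /proc/cpuinfo fragments (first CPU entry only, not real captures).
SAMPLE_ZEN1='vendor_id	: AuthenticAMD
cpu family	: 23
model		: 1
model name	: AMD EPYC 7601 32-Core Processor'

SAMPLE_ZEN2='vendor_id	: AuthenticAMD
cpu family	: 23
model		: 49
model name	: AMD EPYC 7742 64-Core Processor'

SAMPLE_INTEL='vendor_id	: GenuineIntel
cpu family	: 6
model		: 85
model name	: Intel(R) Xeon(R) Gold 6130 CPU @ 2.10GHz'

# First value of a /proc/cpuinfo field: $1 = cpuinfo text, $2 = field name.
# "model" does not match "model name" because the colon must follow the name.
cpuinfo_field() {
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*: //p" | head -n 1
}

# Exit 0 when vendor/family/model describe a Zen1 core (assumed model range).
is_zen1() {
    [ "$1" = "AuthenticAMD" ] && [ "${2:-0}" -eq 23 ] && [ "${3:-0}" -lt 48 ]
}

# Current SMT state from sysfs (on/off/forceoff/notsupported/notimplemented),
# or "unknown" when the file cannot be read; $1 overrides the path for testing.
smt_state() {
    cat "${1:-/sys/devices/system/cpu/smt/control}" 2>/dev/null || echo unknown
}

# Verdict for one host: $1 = cpuinfo text, $2 = SMT control value.
assess() {
    vendor=$(cpuinfo_field "$1" vendor_id)
    family=$(cpuinfo_field "$1" 'cpu family')
    model=$(cpuinfo_field "$1" model)
    if ! is_zen1 "$vendor" "$family" "$model"; then
        echo not-zen1
        return 0
    fi
    case "$2" in
        off|forceoff|notsupported) echo zen1-smt-off ;;   # divider-clearing fix is effective
        on)                        echo zen1-smt-on ;;    # fix alone is not sufficient
        *)                         echo zen1-smt-unknown ;;
    esac
}

# Stand-alone run: report this host (if /proc is available), then the samples.
if [ -r /proc/cpuinfo ]; then
    echo "this host: $(assess "$(cat /proc/cpuinfo)" "$(smt_state)")"
fi
echo "sample zen1 + smt on : $(assess "$SAMPLE_ZEN1" on)"
echo "sample zen1 + smt off: $(assess "$SAMPLE_ZEN1" off)"
echo "sample zen2          : $(assess "$SAMPLE_ZEN2" on)"
echo "sample intel         : $(assess "$SAMPLE_INTEL" on)"
```

A verdict of zen1-smt-on is the case the article warns about: the kernel or Xen patch is applied but does not fully close the leak while sibling threads share the divider. On a Xen host the same decision is made with the smt= command line option mentioned above; this script only reports the Linux view of the setting.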

If you are interested in more information, you can consult the details at the following link.

Those interested in tracking the fix can do so on the pages of the different distributions: Amazon Linux, Debian, Ubuntu, RHEL and SUSE/openSUSE.

Finally, as always, although the severity of the vulnerability is classified as "low", users of the affected systems and/or hardware are recommended to apply the corresponding updates (where applicable). In most cases, once security gaps become known, manufacturers fix them as quickly as possible by developing a patch or workaround, which is then issued through system updates; hence the recommendation to update and to always keep updates enabled.

