Bug 2239097 (CVE-2023-23583)

Summary: CVE-2023-23583 hw: Intel: execution of MOVSB instructions with redundant REX prefix leads to unintended system behavior
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dbohanno, esyr, gsierohu, jmario, jshortt, jwest, klaas, nmurray, rfreire, rvr, security-response-team, tobias.urdin, wmealing, ymittal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A security vulnerability was found in some Intel processors. Execution of REP MOVSB instructions with a redundant REX prefix may result in execution continuing at an incorrect EIP address after a micro-architectural event occurs, potentially allowing privilege escalation, information disclosure and/or a denial of service via local access.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2249669    
Bug Blocks: 2239094    

Description Rohit Keshri 2023-09-15 07:43:31 UTC
A potential security vulnerability in some Intel processor may allow escalation of privilege and/or information disclosure and/or denial of service via local access.

Refer:
https://github.com/otcshare/Intel-Restricted-2023-4-IPU-OOB

Comment 3 Mauro Matteo Cascella 2023-11-14 17:49:04 UTC
Created microcode_ctl tracking bugs for this issue:

Affects: fedora-all [bug 2249669]

Comment 4 Rodrigo A B Freire 2023-11-14 22:25:19 UTC
For information about microcode availability, check the Red Hat article https://access.redhat.com/articles/7044453

Comment 5 Klaas Demter 2023-11-15 08:39:18 UTC
https://access.redhat.com/security/cve/cve-2023-23583 states that the microcode_ctl packages by red hat are not affected, but they are affected until the microcode gets from microcode-20230808 to microcode-20231114, right?

Comment 6 Mauro Matteo Cascella 2023-11-15 16:47:05 UTC
In reply to comment #5:
> https://access.redhat.com/security/cve/cve-2023-23583 states that the
> microcode_ctl packages by red hat are not affected, but they are affected
> until the microcode gets from microcode-20230808 to microcode-20231114,
> right?

Right, thanks for spotting this. We are updating the CVE page to list microcode_ctl packages as "Affected".

Comment 9 Rodrigo A B Freire 2023-11-16 15:46:14 UTC
In reply to comment #5:
> https://access.redhat.com/security/cve/cve-2023-23583 states that the
> microcode_ctl packages by red hat are not affected, but they are affected
> until the microcode gets from microcode-20230808 to microcode-20231114,
> right?

Hi Klaas,
We have reverted back to the original state - which states that RHEL is *not affected* by this CVE.
Correctly speaking, the Intel processors are the affected part, and there are no kernel countermeasures or defects for this issue.

That said, the RHEL products and components are *not affected*.
The microcode_ctl package is a Red Hat courtesy to our customers to get updates for the Intel microcode that addresses this vulnerability.

We have a KB article which is also visible at the CVE page - https://access.redhat.com/articles/7044453 where you can track the microcode availability for the eligible RHEL versions.

Comment 10 Klaas Demter 2023-11-17 06:52:50 UTC
(In reply to Rodrigo A B Freire from comment #9)
> In reply to comment #5:
> > https://access.redhat.com/security/cve/cve-2023-23583 states that the
> > microcode_ctl packages by red hat are not affected, but they are affected
> > until the microcode gets from microcode-20230808 to microcode-20231114,
> > right?
> 
> Hi Klaas,
> We have reverted back to the original state - which states that RHEL is *not
> affected* by this CVE.
> Correctly speaking, the Intel processors are the affected part, and there
> are no kernel countermeasures or defects for this issue.
> 
> That said, the RHEL products and components are *not affected*.
> The microcode_ctl package is a Red Hat courtesy to our customers to get
> updates for the Intel microcode that addresses this vulnerability.
> 
> We have a KB article which is also visible at the CVE page -
> https://access.redhat.com/articles/7044453 where you can track the microcode
> availability for the eligible RHEL versions.

I'll be honest, as a customer I do not understand that rationality. You have a package that is created by Red Hat, that comes from Red Hat repositories, is part of RHEL, that contains affected microcode instead of fixed microcode. Stating that this is "Not affected" is objectively wrong...

Comment 11 Joe Mario 2023-11-17 12:57:38 UTC
(In reply to Klaas Demter from comment #10)
> (In reply to Rodrigo A B Freire from comment #9)
> > In reply to comment #5:
> > > https://access.redhat.com/security/cve/cve-2023-23583 states that the
> > > microcode_ctl packages by red hat are not affected, but they are affected
> > > until the microcode gets from microcode-20230808 to microcode-20231114,
> > > right?
> > 
> > Hi Klaas,
> > We have reverted back to the original state - which states that RHEL is *not
> > affected* by this CVE.
> [SNIP]
> 
> I'll be honest, as a customer I do not understand that rationality. You have
> a package that is created by Red Hat, that comes from Red Hat repositories,
> is part of RHEL, that contains affected microcode instead of fixed
> microcode. Stating that this is "Not affected" is objectively wrong...

I fully agree with Klass about the confusion this will cause customers.  I was very confused when I first read the article the other day and saw "Not Affected".

I understand we're trying to say that nothing in RHEL is affected, but we need to find better words to say it.

Instead of "Not affected", would we state: "Only microde is affected"?

Joe

Comment 12 Klaas Demter 2023-11-17 14:25:33 UTC
> I understand we're trying to say that nothing in RHEL is affected, but we need to find better words to say it.

but it is in RHEL, it's even something Red Hat can 'fix', I mean I would understand if Red Hat said "we can't fix it there is no new microcode", but there is new microcode, Red Hat just needs to ship it in it's package.

> Instead of "Not affected", would we state: "Only microde is affected"?

Would Red Hat also state "only binary blobs affected" if something is wrong in linux-firmware? :) https://access.redhat.com/security/cve/CVE-2023-20569 https://access.redhat.com/security/cve/CVE-2022-27635

Also if you finally upgrade microcode_ctl will you say "this does not fix CVE-2023-23583 because microcode_ctl was not affected" :)

I guess you see where I am heading with my arguments :)

Comment 13 Klaas Demter 2023-11-21 09:46:35 UTC
There is a new microcode_ctl release, and well changelog states: "Update Intel CPU microcode to microcode-20231009 release, addresses CVE-2023-23583 (RHEL-3684)" ... :) I am guessing because you did not properly link those issues it doesn't show up as an errata on https://access.redhat.com/security/cve/cve-2023-23583

Comment 14 Rodrigo A B Freire 2023-11-21 14:01:46 UTC
RHEL is not affected.

The affected product is the Intel silicon.

As a courtesy, Red Hat ships an Intel microcode update that mitigates the silicon problem.

Comment 15 Klaas Demter 2023-11-21 14:15:07 UTC
(In reply to Rodrigo A B Freire from comment #14)
> RHEL is not affected.
> 
> The affected product is the Intel silicon.
> 
> As a courtesy, Red Hat ships an Intel microcode update that mitigates the
> silicon problem.

By the same (flawed) logic https://access.redhat.com/security/cve/CVE-2023-20569 should not list your linux-firmware packages as affected.. it's a problem in the amd microcode..

Comment 16 Tobias Urdin 2023-12-18 20:17:44 UTC
I don't understand the reasoning here, feels very weird. One would think RedHat wants to ship the new Intel microcode in microcode_ctl as done for other microcode-related security issues, like was done for [1].

[1] https://gitlab.com/redhat/centos-stream/rpms/microcode_ctl/-/commit/8092411193d09c3cf443c8db6de66b4b79136965