The Qubes Security Bulletin (QSB) 108, released on July 8, 2025, addresses a new class of speculative side-channel vulnerabilities known as Transitive Scheduler Attacks (XSA-471). These attacks, identified by researchers from Microsoft and ETH Zurich, exploit timing information from instruction execution to potentially compromise the contents of system memory from a qube.
Key details from the bulletin include:
- Nature of the Vulnerabilities: The vulnerabilities are categorized under two specific CVEs: CVE-2024-36350 (TSA-SQ in Store Queues) and CVE-2024-36357 (TSA-L1 in the L1 data cache). These attacks can allow an adversary who compromises a qube to infer the contents of memory allocated to other qubes.
- Affected Hardware: The vulnerabilities primarily affect AMD CPUs based on the Zen 3 or Zen 4 architectures (identified by CPUID family 0x19). Specific microcode updates have been released for non-server CPUs, while server CPUs are awaiting updates from motherboard vendors.
- Patching and User Actions: Users are advised to continue their regular update routines to receive critical security updates. For those using Qubes 4.2, specific Xen and firmware packages are set to be updated and will migrate to stable repositories after community testing. Additionally, a restart of the dom0 is required post-installation for changes to take effect.
- Security Implications: While the bulletin emphasizes the critical nature of these vulnerabilities, it also clarifies that other related attacks (CVE-2024-36348 and CVE-2045-36349) are not expected to impact Qubes OS security.
Extending this information, users should be proactive in monitoring announcements from AMD and the Qubes Security Team regarding further updates, especially for server CPUs. Users utilizing the Anti Evil Maid feature should also be prepared to reseal their passphrases due to modifications in the Xen binaries. Furthermore, the Qubes Security Team encourages users to familiarize themselves with the technical guidance provided by AMD to understand mitigation steps for transient scheduler attacks. This vigilance is essential in maintaining robust security for systems running on affected hardware.
For ongoing protection, users are urged to stay informed about best practices in system security, including regular updates and monitoring for emerging threats or vulnerabilities that may arise in the rapidly evolving landscape of speculative execution attacks
Key details from the bulletin include:
- Nature of the Vulnerabilities: The vulnerabilities are categorized under two specific CVEs: CVE-2024-36350 (TSA-SQ in Store Queues) and CVE-2024-36357 (TSA-L1 in the L1 data cache). These attacks can allow an adversary who compromises a qube to infer the contents of memory allocated to other qubes.
- Affected Hardware: The vulnerabilities primarily affect AMD CPUs based on the Zen 3 or Zen 4 architectures (identified by CPUID family 0x19). Specific microcode updates have been released for non-server CPUs, while server CPUs are awaiting updates from motherboard vendors.
- Patching and User Actions: Users are advised to continue their regular update routines to receive critical security updates. For those using Qubes 4.2, specific Xen and firmware packages are set to be updated and will migrate to stable repositories after community testing. Additionally, a restart of the dom0 is required post-installation for changes to take effect.
- Security Implications: While the bulletin emphasizes the critical nature of these vulnerabilities, it also clarifies that other related attacks (CVE-2024-36348 and CVE-2045-36349) are not expected to impact Qubes OS security.
Extending this information, users should be proactive in monitoring announcements from AMD and the Qubes Security Team regarding further updates, especially for server CPUs. Users utilizing the Anti Evil Maid feature should also be prepared to reseal their passphrases due to modifications in the Xen binaries. Furthermore, the Qubes Security Team encourages users to familiarize themselves with the technical guidance provided by AMD to understand mitigation steps for transient scheduler attacks. This vigilance is essential in maintaining robust security for systems running on affected hardware.
For ongoing protection, users are urged to stay informed about best practices in system security, including regular updates and monitoring for emerging threats or vulnerabilities that may arise in the rapidly evolving landscape of speculative execution attacks
QSB-108: Transitive Scheduler Attacks (XSA-471)
The release of Qubes Security Bulletin (QSB) 108 talks about Transitive Scheduler Attacks (XSA-471), a new type of speculative side-channel attack found by Microsoft and ETH Zurich. The attacks leverage timing information derived from instruction execution, enabling attackers to breach a qube and deduce the contents of any system memory.
QSB-108: Transitive Scheduler Attacks (XSA-471)QSB-108: Transitive Scheduler Attacks (XSA-471) @ Linux Compatible
