[security-announce] Security Update: Kernel Side-Channel Attacks - CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Sona Sarmadi sona.sarmadi at enea.com
Mon Jan 8 10:06:58 CET 2018


Enea Linux Security Advisory


Reading privileged memory with a side-channel [1]

An industry-wide issue has been found by Google Project Zero in the way many
modern microprocessor designs have implemented speculative execution of
instructions (a commonly used performance optimization). The CPU data cache
timing can be abused to efficiently leak information out of mis-speculated
execution, leading to arbitrary virtual memory read vulnerabilities across
local security boundaries in various contexts.

The Project Zero research team at Google identified three variants of the
exploits within the speculative execution research:

  * Variant 1: bounds check bypass (Spectre
    <https://spectreattack.com/spectre.pdf>, CVE-2017-5753)
  * Variant 2: branch target injection (Spectre
    <https://spectreattack.com/spectre.pdf>, CVE-2017-5715)
  * Variant 3: rogue data cache load (Meltdown
    <https://meltdownattack.com/meltdown.pdf>, CVE-2017-5754)

Spectre:
There is no easy fix available for these flaws since a redesign of
processors is required. A fix may not be available until a new generation
of chips hits the market.

Meltdown:
Software patches (kernel address space isolation, "KAISER",
https://lwn.net/Articles/738975/) are available (most Intel CPUs are
affected by this vulnerability). Estimated 5-30% performance loss depending
on the amount of system calls performed (and interrupts serviced).

Summary

CVEs: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
Affected software: Linux kernel
Versions affected: All
Severity: High
Affected hardware: Many modern processors, including certain processors by
Intel, AMD and ARM.
Mitigation: Changes to operating system kernel code, including increased
isolation of kernel memory from user-mode processes.
Downside of the mitigation: Estimated 5-30% performance loss depending on
the amount of system calls performed (and interrupts serviced).
Reference:
https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html
Acknowledgments: Google Project Zero


Description


=============================================================
CVE-2017-5715 (Spectre) hw: cpu: speculative execution branch target injection
=============================================================

    Systems with microprocessors utilizing speculative execution and
    indirect branch prediction may allow unauthorized disclosure of
    information to an attacker with local user access via a side-channel
    analysis.

    An unprivileged attacker could use this flaw to cross the syscall and
    guest/host boundaries and read privileged memory by conducting targeted
    cache side-channel attacks.

    Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5715

=============================================================
CVE-2017-5753 (Spectre) hw: cpu: speculative execution bounds-check bypass
=============================================================

    Systems with microprocessors utilizing speculative execution and branch
    prediction may allow unauthorized disclosure of information to an
    attacker with local user access via a side-channel analysis.

    An unprivileged attacker could use this flaw to cross the syscall
    boundary and read privileged memory by conducting targeted cache
    side-channel attacks.

    Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5753

=============================================================
CVE-2017-5754 (Meltdown) hw: cpu: speculative execution permission faults handling
=============================================================

    Systems with microprocessors utilizing speculative execution and
    indirect branch prediction may allow unauthorized disclosure of
    information to an attacker with local user access via a side-channel
    analysis of the data cache.

    An unprivileged local attacker could use this flaw to read privileged
    (kernel space) memory by conducting targeted cache side-channel attacks.

    Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754


Mitigation


    Mitigation of these vulnerabilities requires changes to operating
    system kernel code, including increased isolation of kernel memory from
    user-mode processes (KPTI).

    From the Project Zero team at Google:

    "We have some ideas on possible mitigations and provided some of those
    ideas to the processor vendors; however, we believe that the processor
    vendors are in a much better position than we are to design and
    evaluate mitigations, and we expect them to be the source of
    authoritative guidance."

    This information is provided by ARM:

    Variant 1
    Action required:

      * Search your code for the code snippets as described in the Cache
        Speculation Side-channels whitepaper:
        https://developer.arm.com/support/security-update/download-the-whitepaper

      * Once identified, use the compiler support for mitigations as
        described in "Compiler support for mitigations"
        (https://developer.arm.com/support/security-update/compiler-support-for-mitigations)
        to modify your code, and recompile using an updated compiler.

    Variant 2
    The mitigation will vary by processor micro-architecture:
    For Cortex-A57 and Cortex-A72:

      * Apply all kernel patches provided by Arm and available at
        https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/log/?h=kpti

      * Apply also all Arm Trusted Firmware patches:
        https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Security-Advisory-TFV-6

    Variant 3
    For Cortex-A15, Cortex-A57, and Cortex-A72:

      * In general, it is not believed that software mitigations for this
        issue are necessary. Please download the Cache Speculation
        Side-channels whitepaper
        (https://developer.arm.com/support/security-update/download-the-whitepaper)
        for more details.
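ARM's Variant 1 action list asks you to search your code for the bounds-check pattern and then apply compiler mitigations. The following added example (not code from the advisory, ARM, or any vendor; array1, array2 and their contents are constructed sample data) shows the shape of code to look for beside a hardened form that uses branchless index masking, the technique behind the Linux kernel's array_index_nospec helper, written out by hand so it needs no special compiler support.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data for the demonstration (not from the advisory). */
#define ARRAY1_SIZE 16
static const uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                            9, 10, 11, 12, 13, 14, 15, 16};
static const uint8_t array2[256 * 64] = {[1 * 64] = 11, [2 * 64] = 22};

/* Keeps the optimizer from proving the mask is always all-ones inside the
 * branch and deleting it (GCC/Clang inline asm; no-op elsewhere). */
#if defined(__GNUC__)
#define OPTIMIZER_HIDE_VAR(v) __asm__("" : "+r"(v))
#else
#define OPTIMIZER_HIDE_VAR(v) ((void)0)
#endif

/* The Variant 1 pattern to search for: a bounds check whose outcome the
 * branch predictor guesses, followed by a load whose address depends on the
 * (possibly out-of-bounds) value. Architecturally correct, but on a
 * mispredicted path the CPU may speculatively read array1[x] for any x. */
uint8_t lookup_unprotected(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 64];
    return 0;
}

/* Branchless mask: SIZE_MAX when index < size, 0 otherwise. Uses only
 * unsigned arithmetic; requires size < 2^(bits-1), true for real arrays. */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    const unsigned top = sizeof(size_t) * 8 - 1;
    /* Top bit of (index | (size - 1 - index)) is set exactly when
     * index >= size: either index is huge or the subtraction wrapped. */
    size_t out_of_bounds = ((index | (size - 1 - index)) >> top) & 1;
    return out_of_bounds - 1; /* 0 - 1 wraps to SIZE_MAX when in bounds */
}

/* Index as the CPU will actually use it, even on a mispredicted path. */
size_t clamp_index(size_t x, size_t size)
{
    OPTIMIZER_HIDE_VAR(x);
    return x & index_mask_nospec(x, size);
}

/* Hardened form: any out-of-range index is forced to 0 before the
 * dependent load, so speculation cannot read outside array1. */
uint8_t lookup_masked(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x = clamp_index(x, ARRAY1_SIZE);
        return array2[array1[x] * 64];
    }
    return 0;
}
```

On AArch64 the ARM-documented route is the compiler-provided mitigation (e.g. a speculation-safe value builtin in an updated toolchain) rather than hand-written masking; the masking shown here is a portable illustration of the same idea.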


Downside of the fix

    The downside to this separation is that it is relatively expensive,
    time wise, to keep switching between two separate address spaces for
    every system call and for every interrupt from the hardware. These
    context switches do not happen instantly, and they force the processor
    to dump cached data and reload information from memory. This increases
    the kernel's overhead and slows down the computer by 5-30%, depending on
    the system calls.


Affected Enea Releases

    Enea Linux releases are affected, but the problem is only known to
    exist on certain processors from Intel, AMD and ARM which implement
    speculative execution. Please refer to your hardware vendor or the Enea
    support team for detailed info.


Vendor statement

    The following vendor statements were provided to Project Zero
    regarding this issue:

    Intel: No current statement provided at this time.
    AMD: AMD provided the following link:
    http://www.amd.com/en/corporate/speculative-execution
    ARM: According to ARM, the majority of ARM processors are not impacted
    by any variation of the side-channel speculation mechanism. A
    definitive list of the small subset of ARM-designed processors which
    are susceptible can be found here:
    https://developer.arm.com/support/security-update


References

    https://en.wikipedia.org/wiki/Side-channel_attack
    http://www.techdesignforums.com/practice/guides/side-channel-analysis-attacks
    https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html
    https://spectreattack.com/spectre.pdf
    https://meltdownattack.com/meltdown.pdf
    https://meltdownattack.com/
    https://developer.arm.com/support/security-update
    http://www.amd.com/en/corporate/speculative-execution

    [1] A side-channel attack is any attack based on information gained
    from the physical implementation of a cryptosystem rather than brute
    force or theoretical weaknesses in the crypto algorithms. For example,
    timing information, power consumption, electromagnetic leaks or even
    sound can provide an extra source of information which can be exploited
    to break the system. Some side-channel attacks require technical
    knowledge of the internal operation of the system on which the
    cryptography is implemented, although others, such as differential
    power analysis, are effective as black-box attacks. Many powerful
    side-channel attacks are based on statistical methods pioneered by
    Paul Kocher (an American cryptographer).


Acknowledgements

    Thanks to Google Project Zero for reporting these flaws.

If you have any questions regarding this issue please contact
security at enea.com.
For general security refer to Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/.
For the CVEs fixed at Enea Linux releases see CVE list:
http://www.enea.com/products/security/security-updates
For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

