[security-announce] Security Update: Kernel Side-Channel Attacks - CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Sona Sarmadi sona.sarmadi at enea.com
Mon Jan 8 17:34:31 CET 2018


                          Enea Linux Security Advisory

            Reading privileged memory with a side-channel [1]

An industry-wide issue has been found by the Google Project Zero team
in the way many modern microprocessor designs have implemented
speculative execution of instructions (a commonly used performance
optimization). The CPU data cache timing can be abused to efficiently leak
information out of mis-speculated execution, leading to arbitrary virtual
memory read vulnerabilities across local security boundaries in various
contexts.

The Project Zero research team at Google identified three variants
of the attack within the speculative execution research:

Variant 1: bounds check bypass (Spectre, CVE-2017-5753)
Variant 2: branch target injection (Spectre, CVE-2017-5715)
Variant 3: rogue data cache load (Meltdown, CVE-2017-5754)

Spectre
======
There is no easy fix available for these flaws since a redesign of the
processors is required. A fix may not be available until a new generation
of chips hits the market.

Meltdown
========
Software patches (kernel address space isolation, "KAISER") are available
(most Intel CPUs are affected by this vulnerability). Estimated 5-30%
performance loss depending on the number of system calls performed
(and interrupts serviced).

Summary
========================================================
CVEs: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
Affected software: Linux kernel
Versions affected: All
Severity: High
Affected hardware: Many modern processors, including certain processors
by Intel, AMD and ARM.
Mitigation: Changes to operating system kernel code, including increased
isolation of kernel memory from user-mode processes.
Downside of the mitigation: Estimated 5-30% performance loss
depending on the number of system calls performed (and interrupts
serviced).
========================================================

Description
=============================================================
CVE-2017-5715 (Spectre hw: cpu: speculative execution branch target
injection)
=============================================================
    Systems with microprocessors utilizing speculative execution and
    indirect branch prediction may allow unauthorized disclosure of
    information to an attacker with local user access via a side-channel
    analysis.

    An unprivileged attacker could use this flaw to cross the syscall
    and guest/host boundaries and read privileged memory by
    conducting targeted cache side-channel attacks.

    Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
=============================================================
CVE-2017-5753 (Spectre hw: cpu: speculative execution bounds-check bypass)
=============================================================
    Systems with microprocessors utilizing speculative execution and
    branch prediction may allow unauthorized disclosure of information
    to an attacker with local user access via a side-channel analysis.

    An unprivileged attacker could use this flaw to cross the syscall
    boundary and read privileged memory by conducting targeted
    cache side-channel attacks.

    Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
=============================================================
CVE-2017-5754 (Meltdown hw: cpu: speculative execution permission
faults handling)
=============================================================
    Systems with microprocessors utilizing speculative execution and
    indirect branch prediction may allow unauthorized disclosure of
    information to an attacker with local user access via a side-channel
    analysis of the data cache.

    An unprivileged local attacker could use this flaw to read privileged
    (kernel space) memory by conducting targeted cache side-channel attacks.

    Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Mitigation
=========
    Mitigation of these vulnerabilities requires changes to operating
    system kernel code, including increased isolation of kernel
    memory from user-mode processes (KPTI).

    From the Project Zero team at Google:
    "We have some ideas on possible mitigations and provided some of
    those ideas to the processor vendors; however, we believe that the
    processor vendors are in a much better position than we are to
    design and evaluate mitigations, and we expect them to be the
    source of authoritative guidance."

    This information is provided by ARM:
    ===============================
    Variant 1
    Action required:
        Search your code for the code snippets as described in the Cache
        Speculation Side-channels whitepaper.

        Once identified use the compiler support for mitigations as
        described in compiler support for mitigations to modify your
        code, and recompile using an updated compiler.

    Variant 2
    The mitigation will vary by processor micro-architecture:
    For Cortex-A57 and Cortex-A72:
        Apply all kernel patches provided by Arm and available at
        https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/log/?h=kpti

        Apply also all Arm Trusted Firmware patches.

    Variant 3
    For Cortex-A15, Cortex-A57, and Cortex-A72:

        In general, it is not believed that software mitigations for
        this issue are necessary.
        Please download the Cache Speculation Side-channels
        whitepaper for more details.
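For the Variant 1 action above (find the bounds-check-then-load snippets and
rebuild them with a mitigation), here is an added illustration in C that is
not code from this advisory, from Arm or from Google: the branch-dependent
lookup beside a branch-free index clamp modelled on the Linux kernel's
generic array_index_mask_nospec(). The table contents, TABLE_SIZE and the
function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (not from the advisory): a bounded lookup table
 * followed in memory by bytes that a caller-supplied index must never reach. */
#define TABLE_SIZE 8
static const uint8_t table[TABLE_SIZE + 8] = {
    10, 20, 30, 40, 50, 60, 70, 80,                   /* in-bounds entries  */
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11, 0x22    /* out-of-bounds data */
};

/* Variant-1 shape: the bounds check is a conditional branch, so a CPU that
 * predicts it "taken" may speculatively load table[idx] for an out-of-range
 * idx before the branch resolves, leaving a trace in the data cache. */
uint8_t lookup_unmasked(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[idx];
    return 0;
}

/* Branch-free clamp modelled on the kernel's generic array_index_mask_nospec():
 * all ones when idx < size, all zeros otherwise. Assumes idx and size are both
 * below SIZE_MAX/2 and an arithmetic right shift of a negative intptr_t
 * (true for GCC and Clang). */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    /* size - 1 - idx wraps to a value with the top bit set exactly when
     * idx >= size; OR-ing with idx keeps that bit; ~ and the sign-extending
     * shift spread the inverted bit across the whole word. */
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1));
}

/* Hardened form: the mask is computed from the data, not from the branch
 * outcome, so even a mis-speculated path reads table[0] instead of table[idx]. */
uint8_t lookup_masked(size_t idx)
{
    if (idx < TABLE_SIZE) {
        __asm__ volatile("" : "+r"(idx));   /* stop the compiler folding the mask away */
        idx &= index_mask_nospec(idx, TABLE_SIZE);
        return table[idx];
    }
    return 0;
}

int main(void)
{
    printf("%u %u\n", lookup_masked(3), lookup_masked(100));   /* prints "40 0" */
    return 0;
}
```

Arm's compiler-support mitigations and a speculation barrier placed after the check are alternatives to this masking; both forms keep the original check, the masking additionally bounds what a mis-speculated load can touch.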

Downside of the fix
================
    The downside to this separation is that it is relatively expensive,
    time wise, to keep switching between two separate address spaces
    for every system call and for every interrupt from the hardware.
    These context switches do not happen instantly, and they force the
    processor to dump cached data and reload information from memory.
    This increases the kernel's overhead and slows down the computer by
    5-30%, depending on the number of system calls performed.

Affected Enea Releases
===================
    Enea Linux releases are affected but the problem is only known to
    exist on certain processors from Intel, AMD and ARM which
    implement speculative execution.
    Please refer to your hardware vendor or the Enea support team for
    detailed information.

Vendor statement
===============
    The following vendor statements were provided to Project Zero
    regarding these vulnerabilities:

    Intel: No current statement provided at this time.
    AMD: AMD provided the following link:
    http://www.amd.com/en/corporate/speculative-execution
    ARM: According to ARM the majority of ARM processors are not
    impacted by any variation of the side-channel speculation mechanism.
    A definitive list of the small subset of ARM-designed processors which
    are susceptible can be found here:
    https://developer.arm.com/support/security-update

References
=========
    https://en.wikipedia.org/wiki/Side-channel_attack
    http://www.techdesignforums.com/practice/guides/side-channel-analysis-attacks
    https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html
    https://spectreattack.com/spectre.pdf
    https://meltdownattack.com/meltdown.pdf
    https://developer.arm.com/support/security-update
    http://www.amd.com/en/corporate/speculative-execution

    [1] A side-channel attack is any attack based on information gained
    from the physical implementation of a cryptosystem rather than brute
    force or theoretical weaknesses in the crypto algorithms. For example,
    timing information, power consumption, electromagnetic leaks or
    even sound can provide an extra source of information, which can
    be exploited to break the system. Some side-channel attacks require
    technical knowledge of the internal operation of the system on which
    the cryptography is implemented, although others such as differential
    power analysis are effective as black-box attacks. Many powerful
    side-channel attacks are based on statistical methods pioneered by
    Paul Kocher (an American cryptographer).

Acknowledgements
================
    Thanks to Google Project Zero for reporting these flaws.

If you have any questions regarding this issue please contact
security at enea.com.
For general security refer to Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/.
For the CVEs fixed at Enea Linux releases see CVE list:
http://www.enea.com/products/security/security-updates
For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
