ASB-2018.0002.4 - UPDATED ALERT [Win][UNIX/Linux] CPU Microcode: Access privileged data - Existing account 2018-01-05

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2018.0002.4
       Security Advisory : Speculative Table Lookup Vulnerabilities
                              5 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          CPU Microcode
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Access Privileged Data -- Existing Account
Resolution:       Patch/Upgrade
CVE Names:        CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
Reference:        ESB-2018.0052
                  ESB-2018.0049
                  ESB-2018.0048
                  ESB-2018.0047
                  ESB-2018.0046
                  ESB-2018.0044
                  ESB-2018.0042

Revision History: January 5 2018: Updated information from Intel as well as 
                                  links to industry advisories.
                  January 5 2018: Mozilla confirms that a similar attack is 
                                  possible via web browsing.
                  January 4 2018: Added CVE numbers
                  January 4 2018: Initial Release

OVERVIEW

        A side-channel attack on the Intel CPU chip allows for kernel memory
        to be accessed from user space.
        
        [NEW 2018-01-05] The specifics of the vulnerabilities have been 
        released by Intel [13], listing the affected CPUs and providing 
        Intel's assessment of the impact of these vulnerabilities [14].
        
        Operating systems known to be affected are those that rely on the 
        speculative execution feature for their operation. 
        
        Operating systems known to be impacted are:
         o Microsoft OS
         o Linux Based OS
         o Mac OS
        
        Mozilla states the following:
        "Our internal experiments confirm that it is possible to use similar 
        techniques from Web content to read private information between 
        different origins." [10]


IMPACT

        Access to privileged kernel data has been researched [2][3], and 
        proofs of concept have been demonstrated [4][5][12].
        
        This includes data that is not meant to be accessible from user space
        such as cached encryption keys, passwords, session keys, and other 
        sensitive information.
        
        Currently an existing user must launch a program, as in the proof 
        of concept, but this could be achieved by tricking users into 
        running code sent via channels such as email attachments.
        
        All operating systems that rely on the speculative execution 
        feature on vulnerable Intel hardware are expected to be affected. 
        
        Cloud services built on top of these affected operating systems 
        are also expected to be affected; patches are being rolled out as 
        of this Friday for Azure [6] and Amazon EC2 [7].
        
        [NEW 2018-01-05] Mozilla states the following:
        "Microsoft Vulnerability Research extended this attack to browser 
        JavaScript engines and demonstrated that code on a malicious web 
        page could read data from other web sites (violating the same-origin 
        policy) or private data from the browser itself." [11]


MITIGATION

        It is advisable to enact patching procedures and apply the fixes 
        as soon as they are released for your affected operating 
        system.
        
        Applying the patch is expected to reduce performance by an 
        estimated 17%-23% [1].
        
        Cloud Service Clients
        Cloud service clients will need to reboot their virtual machines 
        after the service provider has patched. The exact timing should be
        communicated to clients by the provider.
        
        Microsoft
        A patch is expected to be released on the next Patch Tuesday [1].
        
        Linux
        Patch code has been made available [8]. Distribution of the kernel 
        patch as a normal update is currently being rolled out.
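        As an added example that is not part of this bulletin, the following
        POSIX shell script reports whether the kernel page-table isolation
        (KPTI) mitigation for CVE-2017-5754 is active on a Linux host. It
        assumes two interfaces: the "flags" line of /proc/cpuinfo, which lists
        "pti" when isolation is enabled, and
        /sys/devices/system/cpu/vulnerabilities/meltdown, which kernels
        carrying the KPTI patches expose with the text "Mitigation: PTI",
        "Vulnerable" or "Not affected". A host whose kernel predates both
        interfaces is reported as unknown rather than mitigated.

```shell
#!/bin/sh
# Added example, not from the AusCERT bulletin: classify the Meltdown
# (CVE-2017-5754) mitigation state of a Linux x86 host.
# Assumed interfaces:
#   /sys/devices/system/cpu/vulnerabilities/meltdown  -> "Mitigation: PTI",
#                                                        "Vulnerable" or
#                                                        "Not affected"
#   "flags" line of /proc/cpuinfo                     -> contains "pti" when
#                                                        page-table isolation
#                                                        is enabled

# classify_meltdown FLAGS SYSFS_TEXT
#   FLAGS      contents of the cpuinfo "flags" line (may be empty)
#   SYSFS_TEXT contents of the meltdown sysfs file, or "" if it is absent
# Prints one word and returns 0 (mitigated / not-affected), 1 (vulnerable)
# or 2 (cannot tell). The sysfs text is authoritative when present.
classify_meltdown() {
    flags="$1"
    sysfs="$2"
    case "$sysfs" in
        Mitigation:*)    echo "mitigated";    return 0 ;;
        "Not affected"*) echo "not-affected"; return 0 ;;
        Vulnerable*)     echo "vulnerable";   return 1 ;;
    esac
    # No sysfs entry (older kernel or early backport): fall back to the cpu
    # flag. Pad with spaces so "pti" only matches as a whole flag name.
    case " $flags " in
        *" pti "*) echo "mitigated"; return 0 ;;
    esac
    # Neither interface says anything: do not assume the host is fixed.
    echo "unknown"
    return 2
}

# check_host: read the live interfaces of this machine and classify them.
check_host() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2-)
    sysfs=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null)
    classify_meltdown "$flags" "$sysfs"
}

# Constructed sample inputs (not captured from a real host) covering each
# outcome; kept in a function so the block documents itself when read.
demo() {
    classify_meltdown "fpu vme de pse"     "Mitigation: PTI"  # mitigated
    classify_meltdown "fpu vme de pse"     "Vulnerable"       # vulnerable
    classify_meltdown "fpu vme de pse pti" ""                 # mitigated
    classify_meltdown "fpu vme de pse"     ""                 # unknown
}

# Run the live check only where /proc/cpuinfo exists (i.e. on Linux).
if [ -r /proc/cpuinfo ]; then
    printf 'Meltdown (CVE-2017-5754) on this host: %s\n' "$(check_host)"
fi
```

        Run it on each Linux host after the distribution kernel update and
        the reboot; anything other than "mitigated" or "not-affected" means
        the running kernel does not carry the fix. This is also the check a
        cloud client wants after the provider's patch cycle, because an
        installed but not yet booted kernel package still reports the old
        kernel's state.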
        
        MacOS
        Unofficial word is that the "Double Map" patch has been 
        available since 10.13.2 [9].
        
        Mozilla has released fixes in Firefox 57.0.4. [11]
        
        [NEW 2018-01-05] Below are links to official information and 
        security advisories published by affected companies.
        Intel      Security Advisory                         [15]
        Intel      Newsroom                                  [16]
        ARM        Security Update                           [17]
        AMD        Security Information                      [18]
        Microsoft  Security Guidance                         [19]
        Microsoft  Information regarding anti-virus software [20]
        Microsoft  Azure Blog                                [21]
        Amazon     Security Bulletin                         [22]
        Google     Project Zero Blog                         [23]
        Google     Need to know                              [24]
        Mozilla    Security Blog                             [25]
        Red Hat    Vulnerability Response                    [26]
        Debian     Security Tracker                          [27]
        Ubuntu     Knowledge Base                            [28]
        SUSE       Vulnerability Response                    [29]
        LLVM       Spectre (Variant #2) Patch                [30]
        VMWare     Security Advisory                         [31]
        Citrix     Security Bulletin                         [32]


REFERENCES

        [1] Kernel-memory-leaking Intel processor design flaw forces Linux,
            Windows redesign
            http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

        [2] KASLR is Dead: Long Live KASLR
            https://gruss.cc/files/kaiser.pdf

        [3] Negative Result: Reading Kernel Memory From User Mode
            https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/

        [4] [Twitter] brainsmoke
            https://twitter.com/brainsmoke/status/948561799875502080/photo/1

        [5] [YouTube] Meltdown attack
            https://youtu.be/bReA1dvGJ6Y

        [6] [Twitter] Longhorn
            https://twitter.com/never_released/status/947935213010718720

        [7] [Twitter] Jan Schauma
            https://twitter.com/jschauma/status/941447173245370368

        [8] [patch 00/60] x86/kpti: Kernel Page Table Isolation (was KAISER)
            https://lkml.org/lkml/2017/12/4/709

        [9] [Twitter] Alex Ionescu
            https://twitter.com/aionescu/status/948609809540046849

        [10] Mozilla Security Blog : Mitigations landing for new class of
             timing attack
             https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

        [11] Mozilla Foundation Security Advisory 2018-01
             https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/

        [12] [YouTube] Meltdown Demo - Spying on passwords
             https://youtu.be/RbHbFkh6eeE

        [13] [INTEL-SA-00088] Speculative Execution and Indirect Branch
             Prediction Side Channel Analysis Method
             https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

        [14] Facts about Side-Channel Analysis and Intel Products
             https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

        [15] Intel Security Advisory
             https://security-center.intel.com/advisories.aspx

        [16] Intel Newsroom
             https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

        [17] ARM Security Update
             https://developer.arm.com/support/security-update

        [18] AMD Security Information
             https://www.amd.com/en/corporate/speculative-execution

        [19] Microsoft Security Guidance
             https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

        [20] Microsoft Information regarding anti-virus software
             https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

        [21] Microsoft Azure Blog
             https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

        [22] Amazon Security Bulletin
             https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

        [23] Google Project Zero Blog
             https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html

        [24] Google Need to know
             https://blog.google/topics/google-cloud/what-google-cloud-g-suite-and-chrome-customers-need-know-about-industry-wide-cpu-vulnerability/

        [25] Mozilla Security Blog
             https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

        [26] Red Hat Vulnerability Response
             https://access.redhat.com/security/vulnerabilities/speculativeexecution

        [27] Debian Security Tracker
             https://security-tracker.debian.org/tracker/CVE-2017-5754

        [28] Ubuntu Knowledge Base
             https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

        [29] SUSE Vulnerability Response
             https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/

        [30] LLVM Spectre (Variant #2) Patch
             http://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20180101/513630.html

        [31] VMWare Security Advisory
             https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

        [32] Citrix Security Bulletin
             https://support.citrix.com/article/CTX231399

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================