===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2018.0002.4
        Security Advisory : Speculative Table Lookup Vulnerabilities
                              5 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              CPU Microcode
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Access Privileged Data -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
Reference:            ESB-2018.0052
                      ESB-2018.0049
                      ESB-2018.0048
                      ESB-2018.0047
                      ESB-2018.0046
                      ESB-2018.0044
                      ESB-2018.0042

Revision History:     January 5 2018: Updated information from Intel as well
                                      as links to industry advisories.
                      January 5 2018: Mozilla confirms that a similar attack
                                      is possible via web browsing.
                      January 4 2018: Added CVE numbers
                      January 4 2018: Initial Release

OVERVIEW

        A side-channel attack on the Intel CPU chip allows for kernel memory
        to be accessed from user space.

        [NEW 2018-01-05] The specifics of the vulnerabilities have been
        released by Intel [13], listing the affected CPUs as well as
        providing their assessment of the impact of these
        vulnerabilities. [14]

        Affected operating systems are those that rely on the speculative
        execution feature of the CPU. Operating systems known to be impacted
        are:

        o Microsoft OS
        o Linux Based OS
        o Mac OS

        Mozilla states the following. "Our internal experiments confirm that
        it is possible to use similar techniques from Web content to read
        private information between different origins."[10].

IMPACT

        Access to privileged kernel data has been researched [2][3], and a
        proof of concept has been demonstrated [4][5][12]. This includes data
        that is not meant to be accessible from user space, such as cached
        encryption keys, passwords, session keys, and other sensitive
        information.

        Currently, as in the proof of concept, an existing user must launch
        a program, but this may be achieved by tricking users into running
        code sent via channels such as email attachments.

        All operating systems that rely on the speculative execution feature
        on vulnerable Intel hardware are expected to be affected.

        Cloud services that are built on top of these affected operating
        systems are also expected to be affected; patches are being rolled
        out as of this Friday for Azure [6] and Amazon EC2 [7].

        [NEW 2018-01-05] Mozilla states the following. "Microsoft
        Vulnerability Research extended this attack to browser JavaScript
        engines and demonstrated that code on a malicious web page could
        read data from other web sites (violating the same-origin policy)
        or private data from the browser itself."[11]

MITIGATION

        It would be advisable to enact patching procedures and apply the
        fixes as soon as they have been released for your impacted operating
        system. Applying the patch is expected to reduce performance by an
        estimated 17%-23%. [1]

        Cloud Service Clients

        Cloud service clients will need to reboot their virtual machines
        after the service provider has patched. The exact timing should be
        communicated to clients by the provider.

        Microsoft

        A patch is slated to be released on the next Patch Tuesday. [1]

        Linux

        Patch code has been made available [8]. However, distribution of the
        kernel patch as a normal update is still being rolled out.

        MacOS

        Unofficially, the "Double Map" patch is said to have been available
        since 10.13.2. [9]

        Mozilla has released fixes in Firefox 57.0.4. [11]

        [NEW 2018-01-05] Below are links to official information and
        security advisories published by affected companies.

        Intel Security Advisory [15]
        Intel Newsroom [16]
        ARM Security Update [17]
        AMD Security Information [18]
        Microsoft Security Guidance [19]
        Microsoft Information regarding anti-virus software [20]
        Microsoft Azure Blog [21]
        Amazon Security Bulletin [22]
        Google Project Zero Blog [23]
        Google Need to know [24]
        Mozilla Security Blog [25]
        Red Hat Vulnerability Response [26]
        Debian Security Tracker [27]
        Ubuntu Knowledge Base [28]
        SUSE Vulnerability Response [29]
        LLVM Spectre (Variant #2) Patch [30]
        VMWare Security Advisory [31]
        Citrix Security Bulletin [32]

REFERENCES

        [1] Kernel-memory-leaking Intel processor design flaw forces Linux,
            Windows redesign
            http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

        [2] KASLR is Dead: Long Live KASLR
            https://gruss.cc/files/kaiser.pdf

        [3] Negative Result: Reading Kernel Memory From User Mode
            https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/

        [4] [Twitter] brainsmoke
            https://twitter.com/brainsmoke/status/948561799875502080/photo/1

        [5] [YouTube] Meltdown attack
            https://youtu.be/bReA1dvGJ6Y

        [6] [Twitter] Longhorn
            https://twitter.com/never_released/status/947935213010718720

        [7] [Twitter] Jan Schauma
            https://twitter.com/jschauma/status/941447173245370368

        [8] [patch 00/60] x86/kpti: Kernel Page Table Isolation (was KAISER)
            https://lkml.org/lkml/2017/12/4/709

        [9] [Twitter] Alex Ionescu
            https://twitter.com/aionescu/status/948609809540046849

        [10] Mozilla Security Blog : Mitigations landing for new class of
             timing attack
             https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

        [11] Mozilla Foundation Security Advisory 2018-01
             https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/

        [12] [YouTube] Meltdown Demo - Spying on passwords
             https://youtu.be/RbHbFkh6eeE

        [13] [INTEL-SA-00088] Speculative Execution and Indirect Branch
             Prediction Side Channel Analysis Method
             https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

        [14] Facts about Side-Channel Analysis and Intel Products
             https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

        [15] Intel Security Advisory
             https://security-center.intel.com/advisories.aspx

        [16] Intel Newsroom
             https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

        [17] ARM Security Update
             https://developer.arm.com/support/security-update

        [18] AMD Security Information
             https://www.amd.com/en/corporate/speculative-execution

        [19] Microsoft Security Guidance
             https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

        [20] Microsoft Information regarding anti-virus software
             https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

        [21] Microsoft Azure Blog
             https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

        [22] Amazon Security Bulletin
             https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

        [23] Google Project Zero Blog
             https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html

        [24] Google Need to know
             https://blog.google/topics/google-cloud/what-google-cloud-g-suite-and-chrome-customers-need-know-about-industry-wide-cpu-vulnerability/

        [25] Mozilla Security Blog
             https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

        [26] Red Hat Vulnerability Response
             https://access.redhat.com/security/vulnerabilities/speculativeexecution

        [27] Debian Security Tracker
             https://security-tracker.debian.org/tracker/CVE-2017-5754

        [28] Ubuntu Knowledge Base
             https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

        [29] SUSE Vulnerability Response
             https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/

        [30] LLVM Spectre (Variant #2) Patch
             http://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20180101/513630.html

        [31] VMWare Security Advisory
             https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

        [32] Citrix Security Bulletin
             https://support.citrix.com/article/CTX231399

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
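
The MITIGATION section asks Linux sites to apply the kernel patch [8] once their distribution ships it. As an added example (not part of the AusCERT bulletin), the shell functions below report what a running kernel says about the three CVEs listed in the summary. Assumptions: the kernel exposes the `/sys/devices/system/cpu/vulnerabilities` status files (kernels without them are reported as UNKNOWN), and the script name `check_cpu_vulns.sh` is hypothetical.

```shell
#!/bin/sh
# Added example: kernel-reported mitigation status for the bulletin's CVEs.
# Assumption: the kernel provides one status file per issue in the sysfs
# directory below; kernels without it are reported as UNKNOWN.
# Usage: . ./check_cpu_vulns.sh && check_host

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status FILE: print PATCHED, NOT_AFFECTED, VULNERABLE or UNKNOWN.
classify_status() {
    [ -r "$1" ] || { echo UNKNOWN; return 0; }
    status=$(head -n 1 "$1")
    case "$status" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo PATCHED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_host [DIR]: print one line per CVE; return 1 if any CVE is
# VULNERABLE or UNKNOWN, 0 otherwise. DIR is overridable for testing.
check_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for pair in CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 \
                CVE-2017-5754:meltdown; do
        cve=${pair%%:*}
        file=${pair#*:}
        result=$(classify_status "$dir/$file")
        detail=$(head -n 1 "$dir/$file" 2>/dev/null || echo "no status file")
        printf '%s %-12s %s\n' "$cve" "$result" "$detail"
        case "$result" in
            VULNERABLE|UNKNOWN) rc=1 ;;
        esac
    done
    return "$rc"
}
```

The result reflects the kernel's view only; browser fixes such as Firefox 57.0.4 and any cloud-provider reboot still have to be tracked separately.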