BCBS
Revision comparison

Older revision: Size 1634. Comment: Add link to Ubuntu cve tracker reference
Revision 9 as of 2025-04-17 11:52:10: Size 2230. Comment: Migrated to main website

Deletions (older revision):
== Lazy FP Save/Restore (CVE-2018-3665) ==
Julian Stecklina, of Amazon, and Thomas Prescher, of Cyberus Technology, discovered that FPU register states (such as MMX, SSE, and AVX registers) which are lazy restored are potentially vulnerable to a side channel attack whereby one process is able to read registers of another process that are being lazy restored ([[https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3665.html | CVE-2018-3665]]). The solution is eager restore of the states which has been the default in the Linux kernel since version 4.5. Ubuntu 17.10 and 18.04 are not affected by this issue. Older kernels running on processors that support the xsaveopt instruction are also not affected. You can verify if your system has support for xsaveopt by locating the "xsaveopt" feature listed in the flags section of the /proc/cpuinfo file.
To address the issue for releases which are running on older hardware lacking the "xsaveopt" feature, kernel updates will soon be made available for testing.
* [[ https://software.intel.com/sites/default/files/managed/b9/f9/336983-Intel-Analysis-of-Speculative-Execution-Side-Channels-White-Paper.pdf | Intel Analysis of Speculative Execution Side Channels ]]
* [[ https://software.intel.com/sites/default/files/managed/b9/f9/336983-Intel-Analysis-of-Speculative-Execution-Side-Channels-White-Paper.pdf | Intel Analysis of Speculative Execution Side Channels ]] Revision 4.0, Updated July 2018
* 2018 June 13 at 21:00 UTC: the issue is made public ahead of the coordinated release date
* 2018 August 14: the original coordinated release date

Additions (Revision 9):
#DEPRECATED #REFRESH 10 https://ubuntu.com/security/vulnerabilities/bcbs
== Bounds Check Bypass Store (BCBS) (CVE-2018-3693 aka Spectre 1.1, Spectre 1.2) ==
Vladimir Kiriansky and Carl Waldspurger discovered that systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side channel analysis. This issue is similar to CVE-2017-5753 with the difference being that CVE-2017-5753 was specific to bypassing the bounds check on a load and this issue pertains to bypassing the bounds check on a store. Intel recommends similar mitigation techniques - utilize lfence as a barrier between bounds check and store to ensure that the bounds check operation completes before the store is executed. Analysis is ongoing to see whether additional code locations require lfence placements. Users should update their systems regularly to ensure that they have the latest security fixes in place. The lfence instruction was added via microcode. Users should ensure that they are utilizing the latest microcode to ensure that side channel remediations are in place.
* [[ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html | Intel Security Advisory INTEL-SA-00145 ]]
* [[ https://software.intel.com/sites/default/files/managed/4e/a1/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf | Intel Analyzing potential bounds check bypass vulnerabilities ]]
* [[ https://01.org/security/advisories/intel-oss-10002 | Intel Speculative Execution Branch Prediction Side Channel and Branch Prediction Analysis Method ]]
* [[ https://people.csail.mit.edu/vlk/spectre11.pdf | Speculative Buffer Overflows: Attacks and Defenses ]]
* [[ https://docs.google.com/document/d/1wwcfv3UV9ZnZVcGiGuoITT_61e_Ko3TmoCS3uXLcJR0/edit#heading=h.yz0cr3jlliwx | Speculative Load Hardening ]]
* 2018 July 10 at 17:00 UTC: the issue is made public
Bounds Check Bypass Store (BCBS) (CVE-2018-3693 aka Spectre 1.1, Spectre 1.2)
Vladimir Kiriansky and Carl Waldspurger discovered that systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side channel analysis. This issue is similar to CVE-2017-5753 with the difference being that CVE-2017-5753 was specific to bypassing the bounds check on a load and this issue pertains to bypassing the bounds check on a store. Intel recommends similar mitigation techniques - utilize lfence as a barrier between bounds check and store to ensure that the bounds check operation completes before the store is executed. Analysis is ongoing to see whether additional code locations require lfence placements. Users should update their systems regularly to ensure that they have the latest security fixes in place. The lfence instruction was added via microcode. Users should ensure that they are utilizing the latest microcode to ensure that side channel remediations are in place.
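The mitigation the advisory describes, as an added example that is not part of the original page or of Intel's or Ubuntu's code: a bounds-checked store in the shape that CVE-2018-3693 concerns, beside the same store with an lfence placed between the check and the store. The SPECULATION_BARRIER macro and the BUF_LEN buffer are assumptions of this example; the non-x86 fallback is a placeholder compiler barrier, not a real mitigation on other architectures.

```c
#include <stddef.h>
#include <stdint.h>

/* On x86, lfence stops the store that follows from issuing until the
 * bounds check has architecturally completed. Elsewhere this degrades to
 * a compiler-only barrier (placeholder for this example). */
#if defined(__x86_64__) || defined(__i386__)
#define SPECULATION_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

#define BUF_LEN 16
static uint8_t buf[BUF_LEN];   /* constructed target buffer */

/* The pattern the advisory describes: a bounds check followed by a store
 * through an untrusted index. Architecturally correct, but while the branch
 * is still unresolved the CPU may execute the store speculatively with an
 * out-of-range idx (bounds check bypass on a store). */
int store_unhardened(size_t idx, uint8_t value)
{
    if (idx >= BUF_LEN)
        return -1;
    buf[idx] = value;      /* may run speculatively before the check retires */
    return 0;
}

/* Intel's recommended mitigation for this pattern: lfence as a barrier
 * between the bounds check and the store, so the store cannot execute
 * until the comparison has completed. */
int store_hardened(size_t idx, uint8_t value)
{
    if (idx >= BUF_LEN)
        return -1;
    SPECULATION_BARRIER();
    buf[idx] = value;
    return 0;
}

/* Helper for checking what landed in the buffer. */
uint8_t read_slot(size_t idx)
{
    return idx < BUF_LEN ? buf[idx] : 0;
}
```

Both functions behave identically architecturally; the difference is only in what the processor may do speculatively, which is why the speculative store cannot be demonstrated by ordinary assertions and the barrier must be placed by code review.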
For more information on these issues, please see the following reference documents:
- Intel Analysis of Speculative Execution Side Channels Revision 4.0, Updated July 2018
- Intel Analyzing potential bounds check bypass vulnerabilities
- Intel Speculative Execution Branch Prediction Side Channel and Branch Prediction Analysis Method
Timeline
- 2018 July 10 at 17:00 UTC: the issue is made public
SecurityTeam/KnowledgeBase/BCBS (last edited 2025-04-17 11:52:10 by lucistanescu)