BCBS

Differences between revisions 5 and 9 (spanning 4 versions)
Revision 5 as of 2018-07-10 19:37:57
Size: 2614
Editor: emilyr
Comment: New unembargoed side channel issue
Revision 9 as of 2025-04-17 11:52:10
Size: 2230
Editor: lucistanescu
Comment: Migrated to main website
Line 1: Line 1:
## page was copied from SecurityTeam/KnowledgeBase/LazyFP
== Lazy FP Save/Restore (CVE-2018-3665) ==
#DEPRECATED
#REFRESH 10 https://ubuntu.com/security/vulnerabilities/bcbs
Line 4: Line 4:
Julian Stecklina, of Amazon, and Thomas Prescher, of Cyberus Technology, discovered that FPU register states (such as MMX, SSE, and AVX registers) which are lazy restored are potentially vulnerable to a side channel attack whereby one process is able to read registers of another process that are being lazy restored ([[https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3665.html | CVE-2018-3665]]). The solution is eager restore of the states which has been the default in the Linux kernel since version 4.5. Ubuntu 17.10 and 18.04 are not affected by this issue. Older kernels running on processors that support the xsaveopt instruction are also not affected. You can verify if your system has support for xsaveopt by locating the "xsaveopt" feature listed in the flags section of the /proc/cpuinfo file.
== Bounds Check Bypass Store (BCBS) (CVE-2018-3693 aka Spectre 1.1, Spectre 1.2) ==
Line 6: Line 6:
To address the issue for Ubuntu 16.04 LTS and Ubuntu 14.04 LTS systems which are running on older hardware that lacks the "xsaveopt" feature, pre-release kernel updates are available for testing:
Vladimir Kiriansky and Carl Waldspurger discovered that systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side channel analysis. This issue is similar to CVE-2017-5753 with the difference being that CVE-2017-5753 was specific to bypassing the bounds check on a load and this issue pertains to bypassing the bounds check on a store. Intel recommends similar mitigation techniques - utilize lfence as a barrier between bounds check and store to ensure that the bounds check operation completes before the store is executed. Analysis is ongoing to see whether additional code locations require lfence placements. Users should update their systems regularly to ensure that they have the latest security fixes in place. The lfence instruction was added via microcode. Users should ensure that they are utilizing the latest microcode to ensure that side channel remediations are in place.
Line 8: Line 8:
|| '''Package''' || '''Version''' ||
|| Linux Kernel (18.04 LTS) || Not affected ||
|| Linux Kernel (17.10) || Not affected ||
|| Linux Kernel (16.04 LTS) || [[ https://launchpad.net/ubuntu/+source/linux/4.4.0-130.156 | 4.4.0-130.156 ]], see [[ https://usn.ubuntu.com/3696-1/ | USN-3696-1 ]] ||
|| Linux Kernel (14.04 LTS) || [[ https://launchpad.net/ubuntu/+source/linux/3.13.0-153.203 | 3.13.0-153.203 ]] , see [[ https://usn.ubuntu.com/3698-1/ | USN-3698-1 ]] ||
<<BR>>
Line 16: Line 10:
 * [[ https://software.intel.com/sites/default/files/managed/b9/f9/336983-Intel-Analysis-of-Speculative-Execution-Side-Channels-White-Paper.pdf | Intel Analysis of Speculative Execution Side Channels ]]
 * [[ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html | Intel Security Advisory INTEL-SA-00145]]
 * [[https://usn.ubuntu.com/3698-2/|USN-3698-2]]
 * [[ https://usn.ubuntu.com/3698-1/ | USN-3698-1 ]]
 * [[ https://usn.ubuntu.com/3696-1/ | USN-3696-1 ]]
 * [[ https://software.intel.com/sites/default/files/managed/b9/f9/336983-Intel-Analysis-of-Speculative-Execution-Side-Channels-White-Paper.pdf | Intel Analysis of Speculative Execution Side Channels ]] Revision 4.0, Updated July 2018
 * [[ https://software.intel.com/sites/default/files/managed/4e/a1/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf | Intel Analyzing potential bounds check bypass vulnerabilities ]]
 * [[ https://01.org/security/advisories/intel-oss-10002 | Intel Speculative Execution Branch Prediction Side Channel and Branch Prediction Analysis Method]]
 * [[ https://people.csail.mit.edu/vlk/spectre11.pdf | Speculative Buffer Overflows: Attacks and Defenses ]]
 * [[ https://docs.google.com/document/d/1wwcfv3UV9ZnZVcGiGuoITT_61e_Ko3TmoCS3uXLcJR0/edit#heading=h.yz0cr3jlliwx | Speculative Load Hardening ]]
Line 24: Line 18:
 * 2018 June 13 at 21:00 UTC: the issue is made public ahead of the coordinated release date
 * 2018 August 14: the original coordinated release date
 * 2018 July 2: Kernel updates released for 12.04 ESM, 14.04 LTS, and 16.04 LTS, see [[https://usn.ubuntu.com/3698-2/|USN-3698-2]], [[ https://usn.ubuntu.com/3698-1/ | USN-3698-1 ]], and [[ https://usn.ubuntu.com/3696-1/ | USN-3696-1 ]]
 * 2018 July 10 at 17:00 UTC: the issue is made public

Bounds Check Bypass Store (BCBS) (CVE-2018-3693 aka Spectre 1.1, Spectre 1.2)

Vladimir Kiriansky and Carl Waldspurger discovered that systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side channel analysis. This issue is similar to CVE-2017-5753, the difference being that CVE-2017-5753 was specific to bypassing the bounds check on a load, whereas this issue pertains to bypassing the bounds check on a store. Intel recommends similar mitigation techniques: place lfence as a barrier between the bounds check and the store so that the bounds check completes before the store is executed. Analysis is ongoing to see whether additional code locations require lfence placements. Users should update their systems regularly to ensure that they have the latest security fixes in place. The lfence instruction was added via microcode. Users should ensure that they are running the latest microcode so that side channel remediations are in place.
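The check-then-store pattern the paragraph describes, shown beside the lfence placement Intel recommends and the branch-free index-masking alternative referenced on this page (Speculative Load Hardening). This is an added example, not code from the Ubuntu wiki or the Linux kernel; the buffer `buf`, `BUF_LEN` and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define BUF_LEN 16u
/* Constructed target buffer; without mitigation a mis-speculated store could transiently write past it. */
static uint8_t buf[BUF_LEN];

/* lfence on x86 stops the store from issuing before the bounds check resolves;
   on other targets this is only a compiler barrier (no speculation guarantee). */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("lfence" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");
#endif
}

/* The pattern the page describes: architecturally correct check, but the store
   can execute speculatively on a mispredicted branch. */
int store_unhardened(size_t idx, uint8_t value) {
    if (idx < BUF_LEN) { buf[idx] = value; return 1; }
    return 0;
}

/* Intel's recommended mitigation from the page: lfence between check and store. */
int store_lfence(size_t idx, uint8_t value) {
    if (idx < BUF_LEN) {
        speculation_barrier();
        buf[idx] = value;
        return 1;
    }
    return 0;
}

/* Branch-free alternative in the Speculative Load Hardening style: all ones when
   idx < size, zero otherwise, so a mis-speculated store lands on buf[0] instead of
   past the end. Assumes arithmetic right shift of negative long (gcc/clang). */
size_t index_mask_nospec(size_t idx, size_t size) {
    return (size_t)(~(long)(idx | (size - 1 - idx)) >> (sizeof(long) * 8 - 1));
}

int store_masked(size_t idx, uint8_t value) {
    if (idx < BUF_LEN) {
        idx &= index_mask_nospec(idx, BUF_LEN);
        buf[idx] = value;
        return 1;
    }
    return 0;
}

uint8_t peek(size_t idx) { return buf[idx]; }
```

Architecturally all three variants behave identically (out-of-range indices are rejected); the difference is only in what the CPU may do transiently on a mispredicted branch, which is why the mitigation must be placed between the check and the store rather than after it.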

For more information on these issues, please see the following reference documents:

Timeline

  • 2018 July 10 at 17:00 UTC: the issue is made public

SecurityTeam/KnowledgeBase/BCBS (last edited 2025-04-17 11:52:10 by lucistanescu)