Speculative Store Bypass (CVE-2018-3639 aka GPZ Variant 4)
Ken Johnson of the Microsoft Security Response Center (MSRC) and Jann Horn of Google Project Zero (GPZ) independently discovered another variant of a cache speculation timing side channel attack, similar to the issues previously disclosed under the names Spectre and Meltdown.
With this variant, currently known as Variant 4, systems with microprocessors that use speculative execution, and in particular speculatively execute a memory read before the addresses of all prior memory writes are known, may allow unauthorized disclosure of information to an attacker with local user access via side channel analysis. More colloquially, in one example, Variant 4 can reveal the value of stored data when a load that follows a store speculatively retrieves the stale value the store was about to overwrite, because the CPU has not yet resolved that the two addresses alias.
Some of the mitigations already deployed for Spectre also reduce the impact of this variant; for example, the reduced timer precision in browsers makes Variant 4 much harder to exploit from script.
The Speculative Store Bypass vulnerability can be mitigated by setting the newly defined Speculative Store Bypass Disable (SSBD) bit in the IA32_SPEC_CTRL Model-Specific Register (MSR) of x86 processors. Support for this mitigation requires updated microcode for Intel processors.
In Ubuntu, SSBD is OFF by default because most programs do not need it and it carries a notable performance impact. A prctl() interface has been added (PR_SET_SPECULATION_CTRL with the PR_SPEC_STORE_BYPASS misfeature) that lets developers opt a process into the mitigation; the setting is inherited by that process's children. Applications that install a seccomp filter are implicitly opted in. This means that strict and devmode snaps, processes inside LXD containers, the sandboxed processes of the Firefox and Chromium browsers, and some other processes on a default Ubuntu install on x86 processors have the SSBD mitigation enabled out of the box.
Users can explicitly opt in to SSBD on a system-wide basis by booting with the spec_store_bypass_disable=on boot parameter (other accepted values are off, auto, prctl and seccomp). The kernel reports the active mode in /sys/devices/system/cpu/vulnerabilities/spec_store_bypass.
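As an added example (not code from the Ubuntu wiki page or from the Ubuntu kernel team), the following C program shows the per-process opt-in described above together with the two checks a practitioner would run before relying on it: it reads the system-wide status the kernel exports in /sys/devices/system/cpu/vulnerabilities/spec_store_bypass, queries the calling task's current SSB setting with prctl(PR_GET_SPECULATION_CTRL), opts the task into SSBD with prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE), and queries again. The helper names (ssb_query, ssb_opt_in, ssb_describe, ssb_exposed, ssb_sysfs_status) are this example's own; the prctl options, flag values and errno meanings are the kernel's documented ones (Documentation/userspace-api/spec_ctrl.rst). It needs Linux 4.17 or a distribution kernel carrying the backport.

```c
/* Added example: query and opt into Speculative Store Bypass Disable (SSBD)
 * for the calling task via prctl(2), and read the system-wide status from
 * sysfs. Helper names are this example's own, not a kernel or libc API. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallbacks for headers older than Linux 4.17; values match
 * include/uapi/linux/prctl.h. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC  /* added in Linux 5.1 */
#define PR_SPEC_DISABLE_NOEXEC  (1UL << 4)
#endif

#define SSB_SYSFS "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"

/* Current SSB setting of the calling task, or -errno on failure
 * (EINVAL: kernel without the prctl; ENODEV: misfeature not supported). */
long ssb_query(void)
{
    long r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Opt the calling task into SSBD. With force != 0 the choice is permanent
 * for the task's lifetime. Returns 0 or -errno: ENXIO when the boot parameter
 * (spec_store_bypass_disable=on/off) has taken per-task control away,
 * EPERM when re-enabling after a force-disable. */
int ssb_opt_in(int force)
{
    unsigned long ctrl = force ? PR_SPEC_FORCE_DISABLE : PR_SPEC_DISABLE;
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, ctrl, 0, 0) != 0)
        return -errno;
    return 0;
}

/* Decode a PR_GET_SPECULATION_CTRL result. 0 means the CPU is not affected;
 * otherwise exactly one of ENABLE/DISABLE/FORCE_DISABLE/DISABLE_NOEXEC is set,
 * plus PR_SPEC_PRCTL when the task itself may change the setting. */
const char *ssb_describe(long status)
{
    if (status < 0)
        return "query failed";
    if (status == PR_SPEC_NOT_AFFECTED)
        return "cpu not affected by speculative store bypass";
    if (status & PR_SPEC_FORCE_DISABLE)
        return "ssbd on, permanently for this task";
    if (status & PR_SPEC_DISABLE_NOEXEC)
        return "ssbd on until the next execve";
    if (status & PR_SPEC_DISABLE)
        return (status & PR_SPEC_PRCTL) ? "ssbd on (task may change)"
                                        : "ssbd on (fixed by boot parameter)";
    if (status & PR_SPEC_ENABLE)
        return (status & PR_SPEC_PRCTL) ? "ssbd off, speculation enabled (task may opt in)"
                                        : "ssbd off (fixed by boot parameter)";
    return "unknown status word";
}

/* 1 if the task runs with speculation enabled on an affected CPU,
 * 0 if mitigated or not affected, -1 if the status could not be read. */
int ssb_exposed(long status)
{
    if (status < 0)
        return -1;
    if (status == PR_SPEC_NOT_AFFECTED)
        return 0;
    return (status & PR_SPEC_ENABLE) ? 1 : 0;
}

/* Copy the kernel's one-line system-wide status into buf; empty string and
 * length 0 if the sysfs file is absent (pre-4.17 kernel or non-x86). */
size_t ssb_sysfs_status(char *buf, size_t len)
{
    FILE *f = fopen(SSB_SYSFS, "r");
    buf[0] = '\0';
    if (f == NULL)
        return 0;
    if (fgets(buf, (int)len, f) == NULL)
        buf[0] = '\0';
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return strlen(buf);
}

int main(void)
{
    char sysfs[128];
    ssb_sysfs_status(sysfs, sizeof sysfs);
    printf("system-wide: %s\n", sysfs[0] ? sysfs : "(not reported by this kernel)");

    long before = ssb_query();
    printf("this task, before: %s\n", ssb_describe(before));

    int rc = ssb_opt_in(0);
    if (rc != 0)
        printf("opt-in failed: %s\n", strerror(-rc));

    long after = ssb_query();
    printf("this task, after:  %s\n", ssb_describe(after));
    return ssb_exposed(after) == 1 ? 1 : 0;
}
```

Run it once plainly and once inside a seccomp-using sandbox to see the implicit opt-in described above; a status of PR_SPEC_DISABLE without PR_SPEC_PRCTL means the machine was booted with spec_store_bypass_disable=on, and ENXIO from the opt-in means the boot parameter has removed per-task control. Two caveats: PR_SPEC_FORCE_DISABLE cannot be undone for the lifetime of the task (a later PR_SPEC_ENABLE fails with EPERM), and the seccomp-implies-SSBD behaviour only holds when the kernel runs in seccomp mode, which is the default in the Ubuntu kernels listed on this page but was changed to prctl upstream in Linux 5.16, so on newer kernels a sandboxed process must call the prctl itself unless the system is booted with spec_store_bypass_disable=seccomp.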
Ubuntu users are recommended to update to the latest kernel, qemu, and intel-microcode packages. Ubuntu 18.04 LTS, 17.10, 16.04 LTS, and 14.04 LTS were affected. 12.04 ESM remains affected but updates are in progress.
To address the issues, the majority of users should ensure that linux-image-4.15.0-22-generic 4.15.0-22.24 and qemu 1:2.11+dfsg-1ubuntu7.2 (Ubuntu 18.04 LTS), linux-image-4.13.0-43-generic 4.13.0-43.48 and qemu 1:2.10+dfsg-0ubuntu3.7 (Ubuntu 17.10), linux-image-4.4.0-127-generic 4.4.0-127.153 and qemu 1:2.5+dfsg-5ubuntu10.29 (Ubuntu 16.04 LTS), or linux-image-3.13.0-149-generic 3.13.0-149.199 and qemu 2.0.0+dfsg-2ubuntu1.42 (Ubuntu 14.04 LTS) are installed. Users of non-generic Ubuntu kernels should consult the published Ubuntu Security Notices for version information.
The required intel-microcode updates are not available at this time. They'll be published after Intel releases them to the public.
For more information on these issues, please see the following reference documents:
- Google Project Zero bug describing the issue: https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
- Intel's Security Advisory (INTEL-SA-00115): https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
- Speculative Execution Side Channel Mitigations (Intel): https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf
- Intel Analysis of Speculative Execution Side Channels (Intel white paper): https://software.intel.com/sites/default/files/managed/b9/f9/336983-Intel-Analysis-of-Speculative-Execution-Side-Channels-White-Paper.pdf
Timeline
- 2018 May 21 at 21:00 UTC: the issue is made public
SecurityTeam/KnowledgeBase/Variant4 (last edited 2025-04-17 11:51:20 by lucistanescu)