CSIRT-DCP-ALE-2018-001 : Différence entre versions

download this selection of articles as a PDF book

Gestion du document

Risque(e) / Impact(s)

Score CVSS

Risque(s)

• Atteinte à la confidentialité des données

Impact(s)

Les vulnérabilités décrites dans cette alerte peuvent impacter tous les systèmes utilisant un processeur vulnérable et donc de façon indépendante du système d'exploitation. Selon les chercheurs à l'origine de la découverte de ces failles, il est ainsi possible d'accéder à l'intégralité de la mémoire physique sur des systèmes Linux et OSX et à une part importante de la mémoire sur un système Windows. On notera que l'impact peut être plus particulièrement important dans des systèmes de ressources partagés de type conteneur (Docker, LXC) où il serait possible depuis un environnement restreint d'accéder à toutes les données présentes sur la machine physique dans lequel s'exécute le conteneur ou encore dans des environnements virtualisés utilisant la para-virtualisation de type Xen.

Résumé de la vulnérabilité ou de la menace

• CVE-2017-5753 : Contournement des frontières. Un attaquant local pourrait l'exploiter afin de lire des portions arbitraires de 4GB de la mémoire du noyau via une application utilisateur spécialement conçue. Cette vulnérabilité, due à une lecture mémoire hors des limites dans la fonctionnalité d'optimisation processeur "Branch Prediction", est exploitable par l'attaque Spectre. Cette vulnérabilité existe sous condition que l'interpréteur ou moteur eBPF JIT soit activé par le noyau

• CVE-2017-5715 : "Branch target injection". Un attaquant en tant qu'invité privilégié (root) dans une machine virtuelle pourrait l'exploiter afin de lire des informations provenant de la mémoire de l'hôte via l'exécution d'une application spécialement formée en mode utilisateur l'invité. Cette vulnérabilité, due à des fuites de mémoire possible dans les caches pour la fonctionnalité d'optimisation processeur "Branch Prediction", est exploitable par l'attaque Spectre.

• CVE-2017-5754 : "Rogue data cache load". Un attaquant local pourrait l'exploiter afin d'obtenir des informations provenant du noyau via une application spécialement formée en mode utilisateur. Cette vulnérabilité, due à une mauvaise gestion des caches par certains CPU Intel, est exploitable par l'attaque MeltDown.

Vecteur(s) d'infection(s) / d'attaque(s)

Système(s) affecté(s)

Résumé

Plusieurs vulnérabilités ont été identifiées dans différents processeurs modernes d'Intel, ARM et AMD. Ces vulnérabilités ont été découvertes et exploitées dans le cadre de plusieurs recherches relatives aux attaques par canaux auxiliaire d'exécution spéculative, ces attaques sont les suivantes :

• Meltdown : Tous les CPU, trois preuves de concept privé existent (Google Project Zero)
• Spectre : Intel, ARM et AMD, une preuve de concept privé existe (Google Project Zero).

Contre(s) mesure(s)

Mesure(s) réactive(s)

IoC

Documentations et informations techniques

CERT Announce

• CERT/CC: Vulnerability Note VU#584653 - CPU hardware vulnerable to side-channel attacks
• US-CERT: TA18-004A - Meltdown and Spectre Side-Channel Vulnerability Guidance
• CERT-EU: Security Advisory 2018-001 - Meltdown and Spectre Critical Vulnerabilities
• NCSC-UK: Meltdown and Spectre guidance
• CERT-FR: CERTFR-2018-ALE-001 - Multiples vulnérabilités de fuite d’informations dans des processeurs
• CERT Nazionale: Moderni processori vulnerabili ad attacchi side-channel(italian only)
• CERT-PA: Meltdown e Spectre, vulnerabiliti sui microprocessori mettono potenzialmente a rischio informazioni sensibili (Italian only)
• CERT-GARR: ALERT GCSA-18001 - Vulnerability Meltdown e Spectre(italian only]
• SingCERT: Alert on Security Flaws Found in Central Processing Units (CPUs) [1]
• CERT.BE: Architectural Design Flaws Central Processor Unit (CPU) [2]
• CERT-IS: Alvarlegur Çôryggisgalli Çð ÇôrgjÇôrvum - Meltdown/Spectre (Icelandic only]
• MyCERT: MA-691.012018: Alert - CPU Hardware Side-Channel Attacks Vulnerability
• CERT-BUND: buerger.de/BSIFB/DE/Service/Aktuell/Informationen/Artikel/Meltdown_Spectre_Sicherheitsluecke_10012018.html Prozessor-Schwachstellen: Spectre und Meltdown (German only)

Spectre & Meltdown Checkers

(Use at your own risk )

• Linux: Stéphane Lesimple put together "a simple shell script to tell if your Linux installation is vulnerable against the 3" "speculative execution" "CVEs."]
• Linux: Red Hat Check Script Get the latest version from the diagnose tab of the main Red Hat vulnerability article.]
• Linux: Debian Spectre-Meltdown Checker Spectre & Meltdown vulnerability/mitigation checker available in stretch-backports.
• Microsoft Windows: See the #windows section in this document containing the link to the official Powershell script.

PoCs

• In a recent tweet Moritz Lipp (Graz University of Technology has announced the release of their PoC implementations for Meltdown.
• GitHub repository
• In a recent tweet Jann Horn (Google's Project Zero has announced that the PoC code referenced in their recent blogpost about CPUs is now public.
• The LSDS group at Imperial College London has published sample code demonstrating a Spectre-like attack against an Intel SGX enclave.
• Dag-Erling published a Meltdown PoC for FreeBSD.

Linux upstream kernel

Kernel Page Table Isolation is a mitigation in the Linux Kernel, originally named KAISER.

• Version 4.14.11 contains KPTI.
• Version 4.15-rc6 contains KPTI.
• Longterm support kernels Version 4.9.75 and 4.4.110 [https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.110 contain KPTI backports.

Noteworthy

• Comment by kernel developer Andrew Lutomirski [https://news.ycombinator.com/item?id=16087736 that pre-4.14 kernels got an earlier version of KPTI and may contain bugs .
• Explanation of PCID which will reduce performance impact of KPTI on newer kernels.

minipli patches

minipli is an unofficial fork of the former grsecurity patches (original grsecurity is no longer publicly available . minipli is based on the longterm kernel 4.9, which supports KPTI since 4.9.75, yet the patchset isn't ported yet.

• Bug report with discussion about backporting KPTI

Android

• Fixed with Android Security Bulletin January 2018.

Windows

• Microsoft Advisory
• Windows Server Guidanceand Windows Client Guidance [https://support.microsoft.com/en-gb/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe . Note: both links include a Powershell tool to query the status of Windows mitigations for CVE-2017-5715 (branch target injection and CVE-2017-5754 (rogue data cache load .
• Protecting guest virtual machines from CVE-2017-5715 (branch target injection [https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms
• Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems
• Spectre mitigations in MSVC

Update - Tue 9 Jan 09:00 UTC

Microsoft has reports of some customers with AMD devices getting into an unbootable state after installing this KB . To prevent this issue, Microsoft will temporarily pause Windows OS updates to devices with impacted AMD processors (older CPUs, eg. Athlon and Sempron at this time. Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible. If you have experienced an unbootable state or for more information see KB4073707. For AMD specific information please contact AMD.

Update - Sat 27 Jan

• Update to Disable Mitigation against Spectre, Variant 2

Apple

Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown.

• Official statement

Update - Mon 8 Jan 18:00 UTC

Apple has released security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715 :

• macOS High Sierra 10.13.2 Supplemental Update
• Safari 11.0.2for Mac OS X El Capitan 10.11.6 and macOS Sierra 10.12.6
• iOS 11.2.2 updatefor iPhone and iPad

Update - Sun 7 Jan 2018, 9:00 UTC

Based on the Apple's response posted here Meltdown (CVE-2017-5754) is currently only addressed in iOS 11.2, macOS 10.13.2, and tvOS 11.2. Apple cannot say at this time if there will be updates to OS versions prior to the ones listed in their article at this time. The same can be said for Spectre (CVE-2017-5753 and CVE-2017-5715) and any updates for Safari. This means that at this given time there are NO patches for 10.11.x (El Capitan) or 10.12.x (Sierra).

Linux distributions

• Red Hat Advisory
• Speculative Execution Exploit Performance Impacts - Describing the performance impacts to security patches for CVE-2017-5754 CVE-2017-5753 and CVE-2017-5715
• Red Hat Check Script - Get the latest version from the diagnose tab of the main Red Hat vulnerability article.
• CentOS:
  • 7 :
    • CESA-2018:0007 (kernel)
    • CESA-2018:0012 (microcode_ctl)
    • CESA-2018:0014 (linux-firmware)
    • CESA-2018:0023 (qemu-kvm)
    • CESA-2018:0029 (libvirt)

• • 6 :
    • CESA-2018:0008(kernel)
    • CESA-2018:0013 (microcode_ctl)
    • CESA-2018:0024 (qemu-kvm)
    • CESA-2018:0030 (libvirt)

• • Fedora - Fixed in :
    • FEDORA-2018-8ed5eff2c0 (Fedora 26)
    • FEDORA-2018-22d5fa8a90 (Fedora 27)

Update - Wed 10 Jan 2018, 08:00 UTC

• Fedora has pushed to **testing** new microcode_ctl packages for F26 FEDORA-2018-6b319763ab and F27 FEDORA-2018-7e17849364. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre.
• Ubuntu (tl subsequent patches for *Spectre* are coming in the future before the kernels are pushed to official release branch dr: Patches for Meltdown now available

The first set of updates for 14.04 / 16.04 was broken on some systems, please make sure you update to the very latest kernel packages and avoid the broken ones.

Update - Sun 7 Jan 2018, 22:00 UTC

Release candidate kernels 4.4.x (Trusty HWE / Xenial GA are now publicly available from a and 4.13.x (Xenial HWE-edge / Artful GA / Artful HWE dedicated Launchpad PPA and currently contain patches for CVE-2017-5754 *aka Meltdown*, with support only some architactures. Support for a broader array of architectures and patches for CVE-2017-5715 and CVE-2017-5753 *aka Spectre* are expected in the near future.

After some testing, the patched kernels will be pushed to the main release branch.

Update - Mon 8 Jan 2018, 16:00 UTC

Canonical Ltd. announced that, in order to speed up the patching process for all supported distribution versions and branches, the 4.10.x *Xenial HWE* kernel will be migrated early to version 4.13.x, thus leaving no supported kernel branch exposed to vulnerabilities. The migration will occur concurrently to the push of patched kernels to the main distribution repositories. In addition, Ubuntu 17.04, aka *Zesty Zapus*, will reach End Of Life on Sat 13 Jan 2018 and will not receive any kind kernel patch support.

• Ubuntu Wiki SecurityTeam KnowledgeBase
• Ubuntu Insights blog : Ubuntu Updates for the Meltdown / Spectre Vulnerabilities
• 17.10: USN-3523-1
• 16.04: USN-3522-1
• 14.04: USN-3522-2
• 16.04/regression: USN-3522-3
• 14.04/regression: USN-3522-4
• "Details about CVE-2017-5753 (variant 1, aka ""Spectre""" CVE-2017-5753
• "Details about CVE-2017-5715 (variant 2, aka ""Spectre""" CVE-2017-5715
• "Details about CVE-2017-5754 (variant 3, aka ""Meltdown""" CVE-2017-5754
• Debian: Meltdown fixed in :
  • Stretch 4.9.65-3+deb9u2 : DSA-4078-1
  • Jessie 3.16.51-3+deb8u1 : DSA-4082-1
  • Wheezy 3.2.96-3 : DLA-1232-1

• "Details about CVE-2017-5753 (variant 1, aka ""Spectre""" CVE-2017-5753
• "Details about CVE-2017-5715 (variant 2, aka ""Spectre""" CVE-2017-5715
• "Details about CVE-2017-5754 (variant 3, aka ""Meltdown""" CVE-2017-5754

• Suse Linux : SUSE Advisory

• Scientific Linux:
  • 7 :
    • SLSA-2018:0007-1 (kernel)
    • SLSA-2018:0012-1 (microcode_ctl)
    • SLSA-2018:0014-1 (linux-firmware

• • 6 :
    • SLSA-2018:0008-1 (kernel)
    • [https://www.scientificlinux.org/category/sl-errata/slsa-20180013-1/ SLSA-2018:0013-1) (microcode_ctl)

• CoreOS Container Linux: Fixes for Meltdown are available in all release channels now (Alpha 1649.0.0, Beta 1632.1.0, Stable 1576.5.0 Auto-updated systems will receive the releases containing the patch on 2017-01-08. Spectre patches are still WIP.

• NixOS: According to #33414 KPTI is in nixpkgs since 1e129a3 [https://github.com/NixOS/nixpkgs/commit/1e129a3f9934ae62b77475909f6812f2ac3ab51f .
• Arch Linux Advisory

• Gentoo:
  • Gentoo Wiki : Project:Security/Vulnerabilities/Meltdown and Spectre
    • Bugtracker - Bug#643228 - Security Tracking Bug

• Oracle Linux (ELSA Security Advisory :
  • Details about CVE-2017-5753 (variant 1) aka Spectre
  • Details about CVE-2017-5715 (variant 2) aka Spectre
  • Details about CVE-2017-5754 (variant 3) aka Meltdown

• CloudLinux: Intel CPU Bug - Meltdown and Spectre - KernelCare and CloudLinux

• Parrot Security OS: [https://blog.parrotsec.org/meltdown-spectre-security-patches/ meltdown/spectre security patches

• Tails: Tails 3.4 has been released . It contains the fix for Meltdown and partial mitigation for Spectre.
• Manjaro: Detail about Kernel Page-Table Isolation patched with stable update 2018-01-05