CSIRT-DCP-ALE-2018-001 : Différence entre versions

De Docaposte Cyberdéfense
Aller à : navigation, rechercher
(Chip Manufacturers / HW Vendors)
(CPU microcode)
Ligne 412 : Ligne 412 :
 
   
 
   
 
*Update - Wed 17 Jan 8:30 UTC  
 
*Update - Wed 17 Jan 8:30 UTC  
**Red Hat is currently recommending that subscribers contact their CPU OEM vendor to download the latest microcode/firmware. Red Hat is no longer providing microcode to address Spectre variant 2, due to instabilities that are causing systems to not boot. More details can be found in [https://access.redhat.com/solutions/3315431 this article](subscription required .
+
 
 +
**Red Hat is currently recommending that subscribers contact their CPU OEM vendor to download the latest microcode/firmware. Red Hat is no longer providing microcode to address Spectre variant 2, due to instabilities that are causing systems to not boot. More details can be found in [https://access.redhat.com/solutions/3315431 this article](subscription required .
 
   
 
   
 
*Update - Tue 9 Jan 21:50 UTC  
 
*Update - Tue 9 Jan 21:50 UTC  
Ligne 418 : Ligne 419 :
 
**Latest [https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=122139 Intel microcode]update (released 1/8/2018 is 20180108. According to its release notes:
 
**Latest [https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=122139 Intel microcode]update (released 1/8/2018 is 20180108. According to its release notes:
 
   
 
   
```
+
-- Updates upon 20171117 release --  
-- Updates upon 20171117 release --  
+
"IVT C0 (06-3e-04:ed"]428->42a  
"IVT C0 (06-3e-04:ed"]428->42a  
+
"SKL-U/Y D0         (06-4e-03:c0"]ba->c2  
"SKL-U/Y D0 (06-4e-03:c0"]ba->c2  
+
"BDW-U/Y E/F         (06-3d-04:c0"]25->28  
"BDW-U/Y E/F (06-3d-04:c0"]25->28  
+
"HSW-ULT Cx/Dx         (06-45-01:72"]20->21  
"HSW-ULT Cx/Dx (06-45-01:72"]20->21  
+
"Crystalwell Cx (06-46-01:32"]17->18  
"Crystalwell Cx (06-46-01:32"]17->18  
+
"BDW-H E/G         (06-47-01:22"]17->1b  
"BDW-H E/G (06-47-01:22"]17->1b  
+
"HSX-EX E0         (06-3f-04:80"]0f->10  
"HSX-EX E0 (06-3f-04:80"]0f->10  
+
"SKL-H/S R0         (06-5e-03:36"]ba->c2  
"SKL-H/S R0 (06-5e-03:36"]ba->c2  
+
"HSW Cx/Dx         (06-3c-03:32"]22->23  
"HSW Cx/Dx (06-3c-03:32"]22->23  
+
"HSX C0 (06-3f-02:6f"]3a->3b  
"HSX C0 (06-3f-02:6f"]3a->3b  
+
"BDX-DE V0/V1         (06-56-02:10"]0f->14  
"BDX-DE V0/V1 (06-56-02:10"]0f->14  
+
"BDX-DE V2         (06-56-03:10"]700000d->7000011  
"BDX-DE V2 (06-56-03:10"]700000d->7000011  
+
"KBL-U/Y H0         (06-8e-09:c0"]62->80  
"KBL-U/Y H0 (06-8e-09:c0"]62->80  
+
"KBL Y0 / CFL D0 (06-8e-0a:c0"]70->80  
"KBL Y0 / CFL D0 (06-8e-0a:c0"]70->80  
+
"KBL-H/S B0         (06-9e-09:2a"]5e->80  
"KBL-H/S B0 (06-9e-09:2a"]5e->80  
+
"CFL U0 (06-9e-0a:22"]70->80  
"CFL U0 (06-9e-0a:22"]70->80  
+
"CFL B0 (06-9e-0b:02"]72->80  
"CFL B0 (06-9e-0b:02"]72->80  
+
"SKX H0 (06-55-04:b7"]2000035->200003c  
"SKX H0 (06-55-04:b7"]2000035->200003c  
+
"GLK B0 (06-7a-01:01"]1e->22
"GLK B0 (06-7a-01:01"]1e->22  
 
```
 

Version du 7 février 2018 à 01:22

Bulletin d'alerte de sécurité du CSIRT DOCAPOST
Multiples vulnérabilités de fuite d’informations dans des processeurs
CSIRT-DCP-ALE-2018-001

download this selection of articles as a PDF book

Gestion du document

Date de la première version :

04/01/2018

Date de la dernière version :

06/02/2018

Version :

1.5

Source :

Service de Lutte Contre La Cybercriminalité (SLCC La Poste)
Agence National de la Sécurité des Systèmes d'Information (ANSSI)

Risque(e) / Impact(s)

Score CVSS
Score de base :4.0AV:L / AC:M / Au:S / C:P / I:N / A:N

Score temporel :3.4E:POC / RL:OF / RC:C

Score Environmental :5.1CDP:ND / TD:H / CR:H / IR:ND / AR:ND
Risque(s)
  • Atteinte à la confidentialité des données
Impact(s)

Les vulnérabilités décrites dans cette alerte peuvent impacter tous les systèmes utilisant un processeur vulnérable et donc de façon indépendante du système d'exploitation. Selon les chercheurs à l'origine de la découverte de ces failles, il est ainsi possible d'accéder à l'intégralité de la mémoire physique sur des systèmes Linux et OSX et à une part importante de la mémoire sur un système Windows. On notera que l'impact peut être plus particulièrement important dans des systèmes de ressources partagés de type conteneur (Docker, LXC) où il serait possible depuis un environnement restreint d'accéder à toutes les données présentes sur la machine physique dans lequel s'exécute le conteneur ou encore dans des environnements virtualisés utilisant la para-virtualisation de type Xen.

Résumé de la vulnérabilité ou de la menace

  • CVE-2017-5753 : Contournement des frontières. Un attaquant local pourrait l'exploiter afin de lire des portions arbitraires de 4GB de la mémoire du noyau via une application utilisateur spécialement conçue. Cette vulnérabilité, due à une lecture mémoire hors des limites dans la fonctionnalité d'optimisation processeur "Branch Prediction", est exploitable par l'attaque Spectre. Cette vulnérabilité existe sous condition que l'interpréteur ou moteur eBPF JIT soit activé par le noyau
  • CVE-2017-5715 : "Branch target injection". Un attaquant en tant qu'invité privilégié (root) dans une machine virtuelle pourrait l'exploiter afin de lire des informations provenant de la mémoire de l'hôte via l'exécution d'une application spécialement formée en mode utilisateur l'invité. Cette vulnérabilité, due à des fuites de mémoire possible dans les caches pour la fonctionnalité d'optimisation processeur "Branch Prediction", est exploitable par l'attaque Spectre.
  • CVE-2017-5754 : "Rogue data cache load". Un attaquant local pourrait l'exploiter afin d'obtenir des informations provenant du noyau via une application spécialement formée en mode utilisateur. Cette vulnérabilité, due à une mauvaise gestion des caches par certains CPU Intel, est exploitable par l'attaque MeltDown.


Vecteur(s) d'infection(s) / d'attaque(s)

Système(s) affecté(s)

Résumé

Plusieurs vulnérabilités ont été identifiées dans différents processeurs modernes d'Intel, ARM et AMD. Ces vulnérabilités ont été découvertes et exploitées dans le cadre de plusieurs recherches relatives aux attaques par canaux auxiliaire d'exécution spéculative, ces attaques sont les suivantes :

  • Meltdown : Tous les CPU, trois preuves de concept privé existent (Google Project Zero)
  • Spectre : Intel, ARM et AMD, une preuve de concept privé existe (Google Project Zero).

Contre(s) mesure(s)

Mesure(s) réactive(s)

IoC

Documentations et informations techniques

CERT Announce
Spectre & Meltdown Checkers

(Use at your own risk )

  • Linux: Stéphane Lesimple put together "a simple shell script to tell if your Linux installation is vulnerable against the 3" "speculative execution" "CVEs."]
  • Linux: Red Hat Check Script Get the latest version from the diagnose tab of the main Red Hat vulnerability article.]
  • Linux: Debian Spectre-Meltdown Checker Spectre & Meltdown vulnerability/mitigation checker available in stretch-backports.
  • Microsoft Windows: See the #windows section in this document containing the link to the official Powershell script.
PoCs
  • In a recent tweet Moritz Lipp (Graz University of Technology has announced the release of their PoC implementations for Meltdown.
  • GitHub repository
  • In a recent tweet Jann Horn (Google's Project Zero has announced that the PoC code referenced in their recent blogpost about CPUs is now public.
  • The LSDS group at Imperial College London has published sample code demonstrating a Spectre-like attack against an Intel SGX enclave.
  • Dag-Erling published a Meltdown PoC for FreeBSD.
Linux upstream kernel

Kernel Page Table Isolation is a mitigation in the Linux Kernel, originally named KAISER.

Noteworthy
minipli patches

minipli is an unofficial fork of the former grsecurity patches (original grsecurity is no longer publicly available . minipli is based on the longterm kernel 4.9, which supports KPTI since 4.9.75, yet the patchset isn't ported yet.

  • Bug report with discussion about backporting KPTI
Android
Windows
Update - Tue 9 Jan 09:00 UTC

Microsoft has reports of some customers with AMD devices getting into an unbootable state after installing this KB . To prevent this issue, Microsoft will temporarily pause Windows OS updates to devices with impacted AMD processors (older CPUs, eg. Athlon and Sempron at this time. Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible. If you have experienced an unbootable state or for more information see KB4073707. For AMD specific information please contact AMD.

Update - Sat 27 Jan
Apple

Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown.

Update - Mon 8 Jan 18:00 UTC

Apple has released security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715 :

Update - Sun 7 Jan 2018, 9:00 UTC

Based on the Apple's response posted here Meltdown (CVE-2017-5754) is currently only addressed in iOS 11.2, macOS 10.13.2, and tvOS 11.2. Apple cannot say at this time if there will be updates to OS versions prior to the ones listed in their article at this time. The same can be said for Spectre (CVE-2017-5753 and CVE-2017-5715) and any updates for Safari. This means that at this given time there are NO patches for 10.11.x (El Capitan) or 10.12.x (Sierra).

Linux distributions
Update - Wed 10 Jan 2018, 08:00 UTC
  • Fedora has pushed to **testing** new microcode_ctl packages for F26 FEDORA-2018-6b319763ab and F27 FEDORA-2018-7e17849364. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre.
  • Ubuntu (tl subsequent patches for *Spectre* are coming in the future before the kernels are pushed to official release branch dr: Patches for Meltdown now available

The first set of updates for 14.04 / 16.04 was broken on some systems, please make sure you update to the very latest kernel packages and avoid the broken ones.

Update - Sun 7 Jan 2018, 22:00 UTC

Release candidate kernels 4.4.x (Trusty HWE / Xenial GA are now publicly available from a and 4.13.x (Xenial HWE-edge / Artful GA / Artful HWE dedicated Launchpad PPA and currently contain patches for CVE-2017-5754 *aka Meltdown*, with support only some architactures. Support for a broader array of architectures and patches for CVE-2017-5715 and CVE-2017-5753 *aka Spectre* are expected in the near future.

After some testing, the patched kernels will be pushed to the main release branch.

Update - Mon 8 Jan 2018, 16:00 UTC

Canonical Ltd. announced that, in order to speed up the patching process for all supported distribution versions and branches, the 4.10.x *Xenial HWE* kernel will be migrated early to version 4.13.x, thus leaving no supported kernel branch exposed to vulnerabilities. The migration will occur concurrently to the push of patched kernels to the main distribution repositories. In addition, Ubuntu 17.04, aka *Zesty Zapus*, will reach End Of Life on Sat 13 Jan 2018 and will not receive any kind kernel patch support.

  • "Details about CVE-2017-5753 (variant 1), aka Spectre
  • "Details about CVE-2017-5715 (variant 2), aka Spectre
  • "Details about CVE-2017-5754 (variant 3), aka Meltdown
  • CoreOS Container Linux: Fixes for Meltdown are available in all release channels now (Alpha 1649.0.0, Beta 1632.1.0, Stable 1576.5.0 Auto-updated systems will receive the releases containing the patch on 2017-01-08. Spectre patches are still WIP.
  • Gentoo:
    • Gentoo Wiki : Project:Security/Vulnerabilities/Meltdown and Spectre
  • Oracle Linux (ELSA Security Advisory :
    • Details about CVE-2017-5753 (variant 1) aka Spectre
    • Details about CVE-2017-5715 (variant 2) aka Spectre
    • Details about CVE-2017-5754 (variant 3) aka Meltdown
  • CloudLinux: Intel CPU Bug - Meltdown and Spectre - KernelCare and CloudLinux
FreeBSD
Virtualization
  • KVM: **Update - Tue 9 Jan 07:50 UTC** - Paolo Bonzini, KVM developer, posted in a tweetthe following status update for CVE-2017-5715 (Spectre) :
    • Already in Linus's tree: clearing registers on vmexit
    • First wave of KVM fixes here: https://marc.info/?l=kvm&m=151543506500957&w=2
    • He is also mentioning that a full solution will require all the Linux parts to be agreed upon, but this will unblock the QEMU updates
Browsers
  • Brave Browser: New desktop release just out 0.19.131 with various security enhancements, including Strict Site Isolation support.
Update Mon 8 Jan 2018, 13:00 UTC

Tencent's Xuanwu Lab has released a web-based tool]that can detect whether your browser is vulnerable to Spectre Attack and can be easily exploited. Official tweet

Cloud Providers
Chip Manufacturers / HW Vendors
  • Intel: INTEL-SA-00088 - Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method] Intel Analysis of Speculative

Execution Side Channels Whitepaper Intel Issues Updates to Protect Systems from Security Exploits Firmware Updates and Initial Performance Data for Data Center Systems Root Cause of Reboot Issue Identified Updated Guidance for Customers and Partners

CPU microcode
  • Update - Wed 17 Jan 8:30 UTC
    • Red Hat is currently recommending that subscribers contact their CPU OEM vendor to download the latest microcode/firmware. Red Hat is no longer providing microcode to address Spectre variant 2, due to instabilities that are causing systems to not boot. More details can be found in this article(subscription required .
  • Update - Tue 9 Jan 21:50 UTC
    • Latest Intel microcodeupdate (released 1/8/2018 is 20180108. According to its release notes:
-- Updates upon 20171117 release -- 
"IVT C0		(06-3e-04:ed"]428->42a 
"SKL-U/Y D0	        (06-4e-03:c0"]ba->c2 
"BDW-U/Y E/F	        (06-3d-04:c0"]25->28 
"HSW-ULT Cx/Dx	        (06-45-01:72"]20->21 
"Crystalwell Cx	(06-46-01:32"]17->18 
"BDW-H E/G	        (06-47-01:22"]17->1b 
"HSX-EX E0	        (06-3f-04:80"]0f->10 
"SKL-H/S R0	        (06-5e-03:36"]ba->c2 
"HSW Cx/Dx	        (06-3c-03:32"]22->23 
"HSX C0		(06-3f-02:6f"]3a->3b 
"BDX-DE V0/V1	        (06-56-02:10"]0f->14 
"BDX-DE V2	        (06-56-03:10"]700000d->7000011 
"KBL-U/Y H0	        (06-8e-09:c0"]62->80 
"KBL Y0 / CFL D0	(06-8e-0a:c0"]70->80 
"KBL-H/S B0	        (06-9e-09:2a"]5e->80 
"CFL U0		(06-9e-0a:22"]70->80 
"CFL B0		(06-9e-0b:02"]72->80 
"SKX H0		(06-55-04:b7"]2000035->200003c 
"GLK B0		(06-7a-01:01"]1e->22
Récupérée de « https://csirt.docapost.fr/index.php?title=CSIRT-DCP-ALE-2018-001&oldid=286 »