CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.

  1. ajc9988

    ajc9988 Death by a thousand paper cuts

    Reputations:
    1,511
    Messages:
    5,642
    Likes Received:
    7,965
    Trophy Points:
    681
    @hmscott did you see the be tool to access PSP on AMD CPUs?
     
    hmscott and Vasudev like this.
  2. hmscott

    hmscott Notebook Nobel Laureate

  3. hmscott

    hmscott Notebook Nobel Laureate

    ChromeOS 74 had a configurable to enable Hyperthreading if CPU performance is important for your work, otherwise the default is set to disable Hyperthreading for Intel CPUs, Chrome OS 75 has added more mitigations for new specific instances of the MDS flaws with new names:

    Chrome OS 75 Adds More Mitigations for Intel MDS Flaws
    By Eduard Kovacs on June 27, 2019

    "Chrome OS version 75, which Google released on Wednesday in the stable channel, adds more mitigations for recently disclosed Microarchitectural Data Sampling (MDS) vulnerabilities affecting most Intel processors made in the last decade.

    The researchers who discovered the security holes have named them ZombieLoad, RIDL (Rogue In-Flight Data Load), Fallout, and Store-to-Leak Forwarding. Intel has assigned them the following names and CVEs: Microarchitectural Store Buffer Data Sampling (MSBDS, CVE-2018-12126), Microarchitectural Fill Buffer Data Sampling (MFBDS, CVE-2018-12130), Microarchitectural Load Port Data Sampling (MLPDS, CVE-2018-12127), and Microarchitectural Data Sampling Uncacheable Memory (MDSUM, CVE-2018-11091).

    When the existence of the flaws came to light, Google informed Chrome OS users that version 74 had disabled Hyper-Threading by default, which should prevent exploitation. Chrome OS 75 includes other, unspecified mitigations for these attacks.

    Google pointed out when the vulnerabilities were disclosed that disabling Hyper-Threading could have a negative impact on performance in some cases.

    “Users concerned about the performance loss, such as those running CPU intensive workloads, may enable Hyper-Threading on a per machine basis. The setting is located at chrome://flags#scheduler-configuration. The ‘performance’ setting chooses the configuration that enables Hyper-Threading. The ‘conservative’ setting chooses the configuration that disables Hyper-Threading,” the company explained.

    The ZombieLoad, RIDL and Fallout attack methods work against both PCs and cloud environments. An attacker can leverage these techniques to get applications, the operating system, virtual machines and trusted execution environments to leak information, including passwords, website content, disk encryption keys and browser history.

    In the case of Chrome OS, impacted devices include several Chromebook, Chromebox and Chromebase devices made by AOpen, ASI, ASUS, Acer, Bobicus, CTL, Dell, Edxis, Google, HP, LG, Lenovo, Samsung, Toshiba and others."
     
    ajc9988 likes this.
  4. hmscott

    hmscott Notebook Nobel Laureate

    Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction
    August 6, 2019
    https://labs.bitdefender.com/2019/0...eculative-behavior-of-the-swapgs-instruction/

    "Bitdefender senior researchers Dan Horea Luțaș and Andrei Vlad Luțaș recently uncovered a new speculative-execution vulnerability and demonstrated how it can be exploited via a side-channel style attack, dubbed SWAPGS Attack. The vulnerability has been publicly reported today as CVE-2019-1125
    ...
    In a technical whitepaper published today, Bitdefender researchers describe the SWAPGS Attack. The attack is a novel approach of leaking sensitive information from the kernel since it bypasses all known side-channel attack mitigation techniques. This is achieved by abusing the fact that SWAPGS instruction can be executed speculatively. An attacker can force arbitrary memory dereferences in kernel, which leaves traces within the data caches. These signals can be picked-up by the attacker to infer the value located at the given kernel address.

    Existing mitigations are provided by Bitdefender through the Hypervisor Introspection (HVI). HVI is available for Citrix Hypervisor and is in technology preview for KVM hypervisor."

    Critical SWAPGS Attack
    New Side-Channel Attack Bypasses SPECTRE and MELTDOWN Defences

    https://www.bitdefender.com/business/swapgs-attack.html

    "Bitdefender researchers have identified and demonstrated a new side-channel attack. The attack builds on previous research which led to the Spectre and Meltdown attacks. This newly disclosed attack bypasses all known mitigation mechanisms implemented in response to Spectre and Meltdown. Bitdefender Hypervisor Introspection renders Windows systems impervious to this new attack.

    The SWAPGS Attack affects newer Intel CPUs that use speculative execution..."

    Protecting against SWAPGS Attack via Hypervisor Introspection
    Bitdefender Enterprise
    Published on Aug 6, 2019
    A practical demonstration of HVI detecting and blocking a SWAPGS attack on Citrix Hypervisor.


    ValkyrieOneNiner 4 days ago
    "'Protecting against SWAPGS Attacks' Don't buy an Intel CPU."

    RIddler 2 days ago
    "Unfortunately you don't get much option when purchasing a laptop. Sure you can custom build your pc with amd chip but when it comes to laptop, most of them have intel chips which is very annoying"

    More information on SWAPGS and Speculative only Segment Loads

    On August 6, 2019, researchers at BitDefender* published details on two issues they reported to both Intel and Microsoft* as part of coordinated vulnerability disclosure (CVD).
    https://software.intel.com/security...ion-swapgs-and-speculative-only-segment-loads

    "SWAPGS
    Researchers from BitDefender published a paper entitled, "Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction." This information disclosure vulnerability can be used to speculatively access memory, potentially allowing a malicious actor to read privileged data across trust boundaries.

    After assessing this issue with industry partners, we determined that the best mitigation would be at the software layer. Microsoft agreed to coordinate remediation efforts, working with the researchers and other industry partners. Microsoft released their software update to address this issue in July 2019 and today published their security advisory as part of the CVD process.

    Some Linux* OS vendors may elect to release updates for their products. Please check with your Linux OS vendor for details."

    AMD Updates - SWAPGS (CVE-2019-1125) - 8/6/19

    https://www.amd.com/en/corporate/product-security

    "AMD is aware of new research claiming new speculative execution attacks that may allow access to privileged kernel data. Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1.

    Description + AMD Recommendation

    SWAPGS instruction speculation at CPL3 (Scenario 1)
    AMD believed not impacted

    SWAPGS instruction speculation at CPL0 (Scenario 2, Variant 1)
    AMD believed not impacted

    GS base value speculation (Scenario 2, Variant 2)
    AMD recommends implementing existing mitigations for Spectre variant 1"

    PATCHES => Microsoft Security Update Guide CVE-2019-1125
    Details CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability

    Security Vulnerability Published: 08/06/2019 MITRE CVE-2019-1125
    https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1125

    "On January 3, 2018, Microsoft released an advisory and security updates related to a newly-discovered class of hardware vulnerabilities (known as Spectre) involving speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. This vulnerability, released on August 6, 2019, is a variant of the Spectre Variant 1 speculative execution side channel vulnerability and has been assigned CVE-2019-1125.

    Microsoft released a security update on July 9, 2019 that addresses the vulnerability through a software change that mitigates how the CPU speculatively accesses memory. Note that this vulnerability does not require a microcode update from your device OEM."

    PATCHES => Microsoft Security Update Guide CVE-2019-1125

    REDHAT Customer Portal
    CVE-2019-1125: Spectre SWAPGS gadget vulnerability

    https://access.redhat.com/articles/4329821

    "...Resolution
    Red Hat customers running affected versions of the Red Hat products are strongly recommended to update them as soon as errata are available. Customers are urged to apply the appropriate updates immediately and reboot to mitigate this flaw correctly..."

    Red Hat Security Errata
    https://access.redhat.com/security/cve/cve-2019-1125

    Impact: Moderate
    Public Date: 2019-08-06
    CWE: CWE-385->CWE-200
    Bugzilla:1724389: CVE-2019-1125 kernel: hw: Spectre SWAPGS gadget vulnerability

    Platform                                  Errata          Release Date
    Red Hat Enterprise Linux 8 (kernel)       RHSA-2019:2411  2019-08-07
    Red Hat Enterprise Linux 8 (kernel-rt)    RHSA-2019:2405  2019-08-07

    Affected Packages State
    Platform                                  Package                     State
    Red Hat Virtualization 4                  redhat-virtualization-host  Affected
    Red Hat OpenShift Container Platform 4.1  kernel                      Affected
    Red Hat Enterprise MRG 2                  kernel-rt                   Affected
    Red Hat Enterprise Linux 7                kernel-alt                  Not affected
    Red Hat Enterprise Linux 7                kernel                      Affected
    Red Hat Enterprise Linux 7                kernel-rt                   Affected
    Red Hat Enterprise Linux 6                kernel                      Affected
    Red Hat Enterprise Linux 5                kernel                      Affected

    Mitigation
    For mitigation related information, please refer to the Red Hat Knowledgebase article [Above]:
    https://access.redhat.com/articles/4329821
    Last Modified Thursday at 4:21 AM"
     
    Last edited: Aug 11, 2019
    joluke, ajc9988, Vasudev and 2 others like this.
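The two posts above (Chrome OS turning Hyper-Threading off for MDS, and the SWAPGS fix for CVE-2019-1125 shipping as a kernel change rather than microcode) both leave an admin with the same question: is this box actually mitigated? On Linux the kernel reports that in /sys/devices/system/cpu/vulnerabilities. The script below is an added example written for this thread, not code from any of the vendors quoted; it reads those files when they exist and otherwise runs on constructed sample strings modelled on the kernel's own wording (the spectre_v1 text gains "swapgs barriers" only on kernels carrying the CVE-2019-1125 fix, and the mds text ends in "SMT vulnerable" when Hyper-Threading is still on). The sample dictionaries are constructed, not captures from a real machine.

```python
"""Parse the Linux sysfs CPU-vulnerability files and flag two things the
thread above is about: MDS with SMT still enabled, and a spectre_v1
mitigation that predates the SWAPGS (CVE-2019-1125) barrier fix."""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample contents (two hypothetical machines), modelled on the
# strings the kernel writes to these files. Not real captures.
SAMPLE_PATCHED = {
    "mds": "Mitigation: Clear CPU buffers; SMT disabled",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "meltdown": "Mitigation: PTI",
}
SAMPLE_UNPATCHED = {
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "meltdown": "Not affected",
}


def read_sysfs(path=SYSFS_DIR):
    """Read every status file in the vulnerabilities directory into a dict."""
    status = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name)) as f:
            status[name] = f.read().strip()
    return status


def classify(text):
    """Map the kernel's free-text status to one of three coarse states."""
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation"):
        return "mitigated"
    return "vulnerable"  # "Vulnerable: ...", "Unknown: ..." and anything else


def findings(status):
    """Return (file, severity, message) tuples an admin should act on."""
    out = []
    for name, text in status.items():
        if classify(text) == "vulnerable":
            out.append((name, "high", text))

    # MDS: the kernel's buffer clearing does not cover the sibling thread,
    # which is why Chrome OS 74 turned Hyper-Threading off by default.
    mds = status.get("mds", "")
    if "SMT vulnerable" in mds:
        out.append(("mds", "medium",
                    "SMT enabled: MDS cross-thread leakage remains possible; "
                    "disable SMT or accept the risk"))

    # SWAPGS: mitigated spectre_v1 without the swapgs barrier text means the
    # kernel predates the CVE-2019-1125 fix (no microcode needed, kernel update).
    sv1 = status.get("spectre_v1", "")
    if classify(sv1) == "mitigated" and "swapgs" not in sv1:
        out.append(("spectre_v1", "medium",
                    "spectre_v1 mitigated but without swapgs barriers: "
                    "kernel lacks the CVE-2019-1125 fix"))
    return out


if __name__ == "__main__":
    try:
        current = read_sysfs()
    except OSError:          # not Linux, or sysfs not exposed (e.g. in a container)
        current = SAMPLE_UNPATCHED
    for item in findings(current) or [("all", "ok", "no findings")]:
        print(*item)
```

Run it as root or not; the files are world-readable. An empty findings list on a real machine means every entry reads "Not affected" or "Mitigation", SMT is off (or the CPU is not MDS-affected), and the spectre_v1 line carries the swapgs barrier.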
  5. hmscott

    hmscott Notebook Nobel Laureate

    NetCAT is another side-channel attack against Intel CPUs with DDIO enabled in server environments... another side-channel attack vulnerability...

    Weakness in Intel chips lets researchers steal encrypted SSH keystrokes
    DDIO makes servers faster. It can also allow rogue servers to covertly steal data.
    DAN GOODIN - 9/10/2019, 11:35 AM
    https://arstechnica.com/information...s-researchers-steal-encrypted-ssh-keystrokes/

    "In late 2011, Intel introduced a performance enhancement to its line of server processors that allowed network cards and other peripherals to connect directly to a CPU's last-level cache, rather than following the standard (and significantly longer) path through the server's main memory. By avoiding system memory, Intel's DDIO—short for Data-Direct I/O—increased input/output bandwidth and reduced latency and power consumption.

    Now, researchers are warning that, in certain scenarios, attackers can abuse DDIO to obtain keystrokes and possibly other types of sensitive data that flow through the memory of vulnerable servers. The most serious form of attack can take place in data centers and cloud environments that have both DDIO and remote direct memory access enabled to allow servers to exchange data.

    A server leased by a malicious hacker could abuse the vulnerability to attack other customers. To prove their point, the researchers devised an attack that allows a server to steal keystrokes typed into the protected SSH (or secure shell session) established between another server and an application server.

    Merely scratching the surface
    The researchers have named their attack NetCAT, short for Network Cache ATtack. Their research is prompting an advisory for Intel that effectively recommends turning off either DDIO or RDMA in untrusted networks. The researchers say future attacks may be able to steal other types of data, possibly even when RDMA isn't enabled. They are also advising hardware makers do a better job of securing microarchitectural enhancements before putting them into billions of real-world servers.

    "While NetCAT is powerful even with only minimal assumptions, we believe that we have merely scratched the surface of possibilities for network-based cache attacks, and we expect similar attacks based on NetCAT in the future," the researchers, from the Vrije Universiteit Amsterdam and ETH Zurich, wrote in a paper published on Tuesday. "We hope that our efforts caution processor vendors against exposing microarchitectural elements to peripherals without a thorough security design to prevent abuse."

    The researchers devised NetCAT after reverse-engineering DDIO and finding that last-level caches were sharing data across CPUs and peripherals, even when they received untrusted or potentially malicious input. Among the things this shared resource divulged was the precise arrival times of data packets sent in sensitive connections such as SSH. The information gave the researchers a side channel they could use to deduce the contents of each keystroke.

    NetCAT is based partly on the observation that humans follow largely universal typing patterns that can often reveal clues about the keys they enter into a keyboard. For instance, it's usually faster for most people to type an "s" immediately after an "a" than to type a "g" right after typing an "s." These patterns allowed the researchers to use DDIO to carry out a keystroke timing attack, similar to this one, that uses statistical analysis of the inter-arrival timings of packets. Below is a video demonstrating the attack:

    NetCAT remotely leaking keystrokes from a victim SSH session
    VUSec
    Published on Sep 10, 2019


    bitburner 1 day ago
    "Too bad you didn’t do a simple google search to find out that NetCAT is already the name of an old and extremely popular security tool."

    Continuing article...
    "The researchers used rapid delivery provided by RDMA to simplify the attack, but it's not a strict requirement, and future attacks may not need it at all. In an email, Kaveh Razavi, one of the Vrije Universiteit researchers who wrote the paper NetCAT: Practical Cache Attacks from the Network, wrote:

    "In short, the root cause of the vulnerability boils down to Intel's DDIO feature enabling the (last-level) CPU cache to be shared with arbitrary peripherals such as network cards.

    This dramatically extends the attack surface of traditional cache side-channel attacks, which are normally mounted on a local setting (say from a VM to another in the cloud), exposing servers to cache side-channel disclosure from untrusted clients over the network.

    Using RDMA (for convenience), we have demonstrated the vulnerability can be exploited in real-world settings to leak sensitive information (e.g., keystrokes from an SSH session).
    "

    PRIME+PROBE
    To suss out the timing information from the last-level cache, the researchers used a technique known as PRIME+PROBE. It involves first priming the cache by receiving packets that will be read from certain memory locations. The result: the technique brings the cache to a known state. The attack then waits for the target SSH client to type a letter. That triggers the PROBE stage, which attempts to detect any changes by receiving the same packets from the same memory locations.

    "If the client has typed a key, then these packets will arrive slightly slower, signaling a keystroke," Razavi wrote. "By performing PRIME+PROBE in a loop, NetCAT can find out whenever the victim types something in a network connection."

    The researchers proposed a second attack scenario that uses DDIO as a covert channel to funnel sensitive data off a server. In one variation, the covert channel connects a targeted server to an unnetworked, cooperating sandboxed process on a remote machine. A second variation creates a covert channel between two cooperating network clients running inside two separate networks.

    Covert channels are mechanisms attackers use to transfer data between processes or hardware that are barred by security policies from communicating with one another. By stealthily bypassing this policy, attackers can steal sensitive data in a way that's not detectable by the target.

    The research is impressive, and the vulnerability it reveals is serious. Anyone who uses Intel-made processors inside data centers or other untrusted networks should carefully review the research, Intel's advisory, and any advisories by the network provider to ensure DDIO doesn't present a threat.

    People should also be aware that disabling DDIO comes at a significant performance cost.

    So far as the researchers know, chips from AMD and other manufacturers aren't vulnerable because they don't store networking data on shared CPU caches.

    At the same time, people should remember that the research isn't likely to materialize into widespread attacks in the real world any time soon.

    "NetCAT is a complex attack and is likely not the low-hanging fruit for the attackers," Razavi wrote. "In server settings with untrusted clients, where security matters more than performance, however, we recommend DDIO to be disabled."

    Reader Comments

    Twilight Sparkle, SEP 10, 2019 12:09 PM
    "Hunt and peck is now a security technique."

    April King, SEP 10, 2019 11:39 AM
    "NetCAT is just about the worst possible name for a piece of software like this, since it's been used by netcat (aka `nc`) for about 25 years now. Searches are going to be a nightmare."

    IDK, adding DDIO and / or RDMA / SSH, that should help narrow the results.

    ChronoReverse, SEP 10, 2019 11:44 AM
    "Another day another Intel performance enhancement that turns out to be a security flaw."

    John_5mith, SEP 10, 2019 11:56 AM
    "Wickwick wrote:
    Is it just me or is it starting to feel that any sort of cache is just waiting to be abused?"

    "Cache is the root of all evil."

    Intel NetCat Security Flaw: The Last Straw to Break the Camel's back...
    Moore's Law Is Dead
    Premiered 12 hours ago
    Another month, another crippling security flaw.


    Love Thy Neighbor 9 hours ago
    "Doesn't matter. Intel is the BEST at Windows Media Player."

    Jason Gooden 12 hours ago
    "I was making lunch when I heard Intel had anther security flaw, I just kept making lunch without breaking stride. Not surprised at all, that’s pretty sad."

    gamamew 11 hours ago
    "LOL so Intel chips are more of a piece of garbage than ever. If you want SMT and virtualization you have to go red team."

    Sergio Madureira 12 hours ago
    "New security flaw - Intel runs to the closest sand pit to bury their head in"

    Replacing Intel CPUs is the only sure way to fix these vulnerabilities... gee, didn't CERT say that at the very start of all of this going on 2 years ago??

    Cybersecurity agency: The only sure defense against huge chip flaw is a new chip

    BY Marcus Gilmer, 2018-01-04 18:54:41 UTC
    https://mashable.com/2018/01/04/chip-flaw-cert-recommendation/


    Xeon and Other Intel CPUs Hit by NetCAT Security Vulnerability, AMD Not Impacted
    by Nathaniel Mott September 11, 2019 at 7:48 AM
    https://www.tomshardware.com/news/intel-xeon-cpu-netcat-security-vulnerability-flaw,40376.html

    NetCAT: Practical Cache Attacks from the Network
    Michael Kurth, Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi
    Department of Computer Science Vrije Universiteit Amsterdam, The Netherlands
    https://www.cs.vu.nl/~herbertb/download/papers/netcat_sp20.pdf
     
    Last edited: Sep 13, 2019
    joluke and Vasudev like this.
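The PRIME+PROBE section of the Ars article above is dense, so here is an added illustration (written for this thread, not code from the VUSec researchers or from the article) of the mechanism in a toy model: one LRU cache set shared between the prober's lines and a packet buffer that the NIC writes into the last-level cache. Timing is modelled as hit/miss cost units, not real cycles, and the "keystroke" pattern is constructed. The ddio_enabled switch shows the defensive point the article ends on: when peripheral data is kept out of the shared cache (Intel's advice to disable DDIO, or a CPU that never puts network data there), the probe sees no evictions and the channel goes quiet.

```python
"""Toy model of the PRIME+PROBE cache side channel described above.

A single LRU cache set is shared by a 'prober' (the attacker's lines) and a
'victim' (an SSH packet the NIC writes into the last-level cache via DDIO).
Cost is counted in hypothetical hit/miss units, not real cycles.  All
inputs here are constructed for illustration."""
from collections import OrderedDict

HIT_COST, MISS_COST = 1, 10  # hypothetical latency units


class CacheSet:
    """One set of a set-associative cache with LRU replacement."""

    def __init__(self, ways):
        self.ways = ways
        self.lines = OrderedDict()  # tag -> None, insertion/LRU order

    def access(self, tag):
        """Touch a line; return its cost and update LRU state."""
        if tag in self.lines:
            self.lines.move_to_end(tag)
            return HIT_COST
        if len(self.lines) >= self.ways:
            self.lines.popitem(last=False)  # evict least recently used
        self.lines[tag] = None
        return MISS_COST


def prime(cache, attacker_tags):
    """PRIME: fill the set with the prober's own lines (known state)."""
    for t in attacker_tags:
        cache.access(t)


def probe(cache, attacker_tags):
    """PROBE: re-touch every prober line; any eviction shows up as misses."""
    return sum(cache.access(t) for t in attacker_tags)


def victim_packet(cache, tag, ddio_enabled):
    """NIC delivers a packet.  With DDIO the payload lands in the shared LLC
    and evicts something; without it, the write goes to DRAM only and the
    set is untouched."""
    if ddio_enabled:
        cache.access(tag)


def observe_keystrokes(pattern, ddio_enabled, ways=4):
    """Run one PRIME+PROBE round per time slot.  pattern[i] is True when a
    packet (keystroke) arrived in slot i.  Returns the slots the prober
    flags as 'packet arrived' purely from its own probe timing."""
    cache = CacheSet(ways)
    attacker = [f"atk{i}" for i in range(ways)]
    baseline = ways * HIT_COST  # cost when nothing disturbed the set
    detected = []
    for slot, typed in enumerate(pattern):
        prime(cache, attacker)
        if typed:
            victim_packet(cache, "victim_buf", ddio_enabled)
        if probe(cache, attacker) > baseline:
            detected.append(slot)
    return detected


if __name__ == "__main__":
    keystrokes = [False, True, False, True, True]  # constructed pattern
    print("DDIO on :", observe_keystrokes(keystrokes, ddio_enabled=True))
    print("DDIO off:", observe_keystrokes(keystrokes, ddio_enabled=False))
```

With DDIO on, every slot in which the victim's packet entered the set shows up as probe misses and is recovered exactly; with DDIO off, the same traffic leaves the prober's lines untouched, which is what the article means when it says the leak needs network data to be placed in the shared CPU cache in the first place.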
  6. Vasudev

    Vasudev Notebook Nobel Laureate

    Haha..... But I'm sad that nearly all my laptops must be switched to a new AMD based laptop. :(:(:(:(
     
    hmscott likes this.
  7. hmscott

    hmscott Notebook Nobel Laureate

    Last edited: Sep 13, 2019
    joluke likes this.
  8. Vasudev

    Vasudev Notebook Nobel Laureate

    I'm done with gaming jokebooks! I'm all in on Business laptops from Lenovo. Thinkpad with Ryzen will have 3 years+ support in terms of updates, so it makes sense in enterprise and consumer spaces since you get more out from your laptop.
     
  9. VICKYGAMEBOY

    VICKYGAMEBOY Notebook Deity

    Good choice, even I'm waiting for some Ryzen laptop, seeing the way the 5700XT performs for the price, I think it's a win win for AMD...
     
    hmscott likes this.
  10. Ultra Male

    Ultra Male Super Tweaker

    Which laptops sport an AMD CPU now that can rival Intel's offerings?
     
    Vasudev and hmscott like this.