Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

rmstock · January 06, 2018, 09:15:17 PM

Security
Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign
Speed hits loom, other OSes need fixes
By John Leyden and Chris Williams 2 Jan 2018 at 19:29 445
https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

"Final update A fundamental design flaw in Intel's processor chips has
forced a significant redesign of the Linux and Windows kernels to
defang the chip-level security bug.

Programmers are scrambling to overhaul the open-source Linux kernel's
virtual memory system. Meanwhile, Microsoft is expected to publicly
introduce the necessary changes to its Windows operating system in an
upcoming Patch Tuesday: these changes were seeded to beta testers
running fast-ring Windows Insider builds in November and December.

Crucially, these updates to both Linux and Windows will incur a
performance hit on Intel products. The effects are still being
benchmarked, however we're looking at a ballpark figure of five to 30
per cent slow down, depending on the task and the processor model. More
recent Intel chips have features – such as PCID – to reduce the
performance hit. Your mileage may vary.
https://twitter.com/TheRegister/status/948342806367518720
Similar operating systems, such as Apple's 64-bit macOS, will also need
to be updated – the flaw is in the Intel x86-64 hardware, and it
appears a microcode update can't address it. It has to be fixed in
software at the OS level, or go buy a new processor without the design
blunder.

Details of the vulnerability within Intel's silicon are under wraps: an
embargo on the specifics is due to lift early this month, perhaps in
time for Microsoft's Patch Tuesday next week. Indeed, patches for the ( http://archive.is/794Pm )
Linux kernel are available for all to see but comments in the source
code have been redacted to obfuscate the issue.

However, some details of the flaw have surfaced, and so this is what we
know.

Impact

It is understood the bug is present in modern Intel processors produced
in the past decade. It allows normal user programs – from database
applications to JavaScript in web browsers – to discern to some extent
the layout or contents of protected kernel memory areas.

The fix is to separate the kernel's memory completely from user
processes using what's called Kernel Page Table Isolation, or KPTI. At
one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines,
aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of
how annoying this has been for the developers.

Whenever a running program needs to do anything useful – such as write
to a file or open a network connection – it has to temporarily hand
control of the processor to the kernel to carry out the job. To make
the transition from user mode to kernel mode and back to user mode as
fast and efficient as possible, the kernel is present in all processes'
virtual memory address spaces, although it is invisible to these
programs. When the kernel is needed, the program makes a system call,
the processor switches to kernel mode and enters the kernel. When it is
done, the CPU is told to switch back to user mode, and reenter the
process. While in user mode, the kernel's code and data remains out of
sight but present in the process's page tables.

Think of the kernel as God sitting on a cloud, looking down on Earth.
It's there, and no normal being can see it, yet they can pray to it.

These KPTI patches move the kernel into a completely separate address
space, so it's not just invisible to a running process, it's not even
there at all. Really, this shouldn't be needed, but clearly there is a
flaw in Intel's silicon that allows kernel access protections to be
bypassed in some way.

The downside to this separation is that it is relatively expensive,
time wise, to keep switching between two separate address spaces for
every system call and for every interrupt from the hardware. These
context switches do not happen instantly, and they force the processor
to dump cached data and reload information from memory. This increases
the kernel's overhead, and slows down the computer.

Your Intel-powered machine will run slower as a result.

How can this security hole be abused?

At best, the vulnerability could be leveraged by malware and hackers to
more easily exploit other security bugs.

At worst, the hole could be abused by programs and logged-in users to
read the contents of the kernel's memory. Suffice to say, this is not
great. The kernel's memory space is hidden from user processes and
programs because it may contain all sorts of secrets, such as
passwords, login keys, files cached from disk, and so on. Imagine a
piece of JavaScript running in a browser, or malicious software running
on a shared public cloud server, able to sniff sensitive
kernel-protected data.

Specifically, in terms of the best-case scenario, it is possible the
bug could be abused to defeat KASLR: kernel address space layout
randomization. This is a defense mechanism used by various operating
systems to place components of the kernel in randomized locations in
virtual memory. This mechanism can thwart attempts to abuse other bugs
within the kernel: typically, exploit code – particularly
return-oriented programming exploits – relies on reusing computer
instructions in known locations in memory.

If you randomize the placing of the kernel's code in memory, exploits
can't find the internal gadgets they need to fully compromise a system.
The processor flaw could be potentially exploited to figure out where
in memory the kernel has positioned its data and code, hence the flurry
of software patching.

However, it may be that the vulnerability in Intel's chips is worse
than the above mitigation bypass. In an email to the Linux kernel ( http://archive.is/nRUTC )
mailing list over Christmas, AMD said it is not affected. The wording
of that message, though, rather gives the game away as to what the
underlying cockup is:

AMD processors are not subject to the types of attacks that the
kernel page table isolation feature protects against. The AMD
microarchitecture does not allow memory references, including
speculative references, that access higher privileged data when
running in a lesser privileged mode when that access would result
in a page fault.

A key word here is "speculative." Modern processors, like Intel's,
perform speculative execution. In order to keep their internal
pipelines primed with instructions to obey, the CPU cores try their
best to guess what code is going to be run next, fetch it, and execute
it.

It appears, from what AMD software engineer Tom Lendacky was suggesting
above, that Intel's CPUs speculatively execute code potentially without
performing security checks. It seems it may be possible to craft
software in such a way that the processor starts executing an
instruction that would normally be blocked – such as reading kernel
memory from user mode – and completes that instruction before the
privilege level check occurs.

That would allow ring-3-level user code to read ring-0-level kernel
data. And that is not good.

The specifics of the vulnerability have yet to be confirmed, but
consider this: the changes to Linux and Windows are significant and are
being pushed out at high speed. That suggests it's more serious than a
KASLR bypass.

Also, the updates to separate kernel and user address spaces on Linux
are based on a set of fixes dubbed the KAISER patches, which were
created by eggheads at Graz University of Technology in Austria. These
boffins discovered [PDF] it was possible to defeat KASLR by extracting
memory layout information from the kernel in a side-channel attack on
the CPU's virtual memory system. The team proposed splitting kernel and
user spaces to prevent this information leak, and their research
sparked this round of patching.

Their work was reviewed by Anders Fogh, who wrote this interesting blog
post in July. That article described his attempts to read kernel memory
from user mode by abusing speculative execution. Although Fogh was
unable to come up with any working proof-of-concept code, he noted:

My results demonstrate that speculative execution does indeed
continue despite violations of the isolation between kernel mode
and user mode.

It appears the KAISER work is related to Fogh's research, and as well
as developing a practical means to break KASLR by abusing virtual
memory layouts, the team may have somehow proved Fogh right – that
speculative execution on Intel x86 chips can be exploited to access
kernel memory.

Shared systems

The bug will impact big-name cloud computing environments including
Amazon EC2, Microsoft Azure, and Google Compute Engine, said a software
developer blogging as Python Sweetness in this heavily shared and
tweeted article on Monday:

There is presently an embargoed security bug impacting apparently
all contemporary [Intel] CPU architectures that implement virtual
memory, requiring hardware changes to fully resolve. Urgent
development of a software mitigation is being done in the open and
recently landed in the Linux kernel, and a similar mitigation began
appearing in NT kernels in November. In the worst case the software
fix causes huge slowdowns in typical workloads.

There are hints the attack impacts common virtualisation
environments including Amazon EC2 and Google Compute Engine...

Microsoft's Azure cloud – which runs a lot of Linux as well as Windows
– will undergo maintenance and reboots on January 10, presumably to
roll out the above fixes.
https://twitter.com/never_released/status/947935213010718720
Amazon Web Services also warned customers via email to expect a major
security update to land on Friday this week, without going into details.
https://twitter.com/jschauma/status/941447173245370368

There were rumors of a severe hypervisor bug – possibly in Xen – doing
the rounds at the end of 2017. It may be that this hardware flaw is
that rumored bug: that hypervisors can be attacked via this kernel
memory access cockup, and thus need to be patched, forcing a mass
restart of guest virtual machines.

A spokesperson for Intel was not available for comment. ®

Updated to add

The Intel processor flaw is real. A PhD student at the systems and
network security group at Vrije Universiteit Amsterdam has developed a
proof-of-concept program that exploits the Chipzilla flaw to read
kernel memory from user mode:
https://twitter.com/brainsmoke/status/948561799875502080
The Register has also seen proof-of-concept exploit code that leaks a
tiny amount of kernel memory to user processes.

Finally, macOS has been patched to counter the chip design blunder
since version 10.13.3, according to operating system kernel expert Alex
Ionescu. And it appears 64-bit ARM Linux kernels will also get a set of
KAISER patches, completely splitting the kernel and user spaces, to
block attempts to defeat KASLR. We'll be following up this week.

Final update

Check out our summary of the processor bug, here, now that full details
are known. Bear in mind there are two flaws at play here: one called
Meltdown that mostly affects Intel, and what the above article is all
about, and another one called Spectre that affects Intel, AMD, and Arm
cores.

See our analysis of Intel's response here.

Tips and corrections 445 Comments "

rmstock · January 06, 2018, 09:36:12 PM

[$] Notes from the Intelpocalypse
[Security] Posted Jan 4, 2018 0:42 UTC (Thu) by corbet

Rumors of an undisclosed CPU security issue have
been circulating since before LWN first covered the i
kernel page-table isolation patch set in November i
2017. Now, finally, the information is out — and the
problem is even worse than had been expected. Read
on for a summary of these issues and what has to be i
done to respond to them in the kernel.

Full Story (comments: 111)

This article needs a subscription. The funny thing is that next week
anyone can read it and when havink a free account can comment.
Then again how fast and severe is the impact this time ?

rmstock · January 06, 2018, 09:53:03 PM

As Intel cocked up in hardware, a patch in hardware is the correct answer.
To disable KPTI at boottime is hence the best resolution for now.
Sorry about that Mr KAISER and LKML .

rmstock · January 06, 2018, 10:08:05 PM

https://googleprojectzero.blogspot.nl/2018/01/reading-privileged-memory-with-side.html

[ ... ]
Vendor statements
The following statement were provided to us regarding this issue from the vendors to whom Project Zero
disclosed this vulnerability:

Intel
No current statement provided at this time.

AMD
AMD provided the following link: http://www.amd.com/en/corporate/speculative-execution

ARM
Arm recognises that the speculation functionality of many modern high-performance processors, despite
working as intended, can be used in conjunction with the timing of cache operations to leak some information
as described in this blog. Correspondingly, Arm has developed software mitigations that we recommend be
deployed.

Specific details regarding the affected processors and mitigations can be found at this website:
https://developer.arm.com/support/security-update

Arm has included a detailed technical whitepaper as well as links to information from some of Arm's
architecture partners regarding their specific implementations and mitigations.

Literature
[ ... ]"

yankeedoodle · January 07, 2018, 11:12:12 AM

Linus Torvalds Is Not Happy About Intel's Meltdown and]
Spectre Mess
https://gizmodo.com/linus-torvalds-is-not-happy-about-intels-meltdown-and-s-1821845198

Famed Linux developer Linus Torvalds has some pretty harsh words https://www.itwire.com/security/81327-linus-torvalds-says-intel-needs-to-admit-it-has-issues-with-cpus.html
for Intel on the fiasco over Meltdown and Spectre, the massive security flaws in modern processors that predominantly affect Intel products.

Meltdown and Spectre exploit an architectural flaw with the way processors handle speculative execution, a technique that most modern CPUs use to increase speed. Both classes of vulnerability could expose protected kernel memory, potentially allowing hackers to gain access to the inner workings of any unpatched system or penetrate security measures. The flaw can't be fixed with a microcode update, meaning that developers for major OSes and platforms have had to devise workarounds that could seriously hurt performance.

In an email to a Linux list this week https://lkml.org/lkml/2018/1/3/797 , Torvalds questioned the competence of Intel engineers and suggested that they were knowingly selling flawed products to the public. He also seemed particularly irritated that users could expect a five to 30 percent projected performance hit from the fixes.

"I think somebody inside of Intel needs to really take a long hard look at their CPU's, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed," Torvalds wrote. ".. and that really means that all these mitigation patches should be written with 'not all CPU's are crap' in mind."

"Or is Intel basically saying 'we are committed to selling you shit forever and ever, and never fixing anything'?" he added. "Because if that's the case, maybe we should start looking towards the ARM64 people more."

"Please talk to management," Torvalds concluded. "Because I really see exactly two possibibilities:—Intel never intends to fix anything OR—these workarounds should have a way to disable them. Which of the two is it?"

As Business Insider noted, as the person in charge of the open-source Linux kernel, Torvalds may be freer to share his opinion on Intel's explanation for the issue than engineers working for the company's business partners. Intel is currently being hit by a series of class action lawsuits citing the flaws and its handling of the security disclosure.

While workaround fixes for affected systems—or at the very least, those that are still supported by developers—have begun rolling out, per Wired, they're far from an ideal solution. Meltdown patches are available for Microsoft, Apple, Google and Linux systems, though Spectre is a far more difficult to resolve vulnerability and it may in fact be impossible to guard against it entirely without replacing hardware. While consumer systems are impacted, enterprise systems like cloud service providers may suffer the biggest performance hits, take the longest to patch, and are the likeliest targets of any malware targeting the exploits.

"One of the most confusing parts of this whole thing is that there are two vulnerabilities that affect similar things, so it's been challenging just to keep the two separate," TrustedSec security researcher Alex Hamerstone told Wired. "But it's important to patch these because of the type of deep access they give. When people are developing technology or applications they're not even thinking about this type of access as being a possibility so it's not something they're working around—it just wasn't in anybody's mind."

rmstock · January 07, 2018, 04:20:07 PM

Date: Sun, 7 Jan 2018 19:49:46 +0100 (CET)
From: Robert M. Stockmann <stock@stokkie.net>
To: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH] KAISER: Kernel Address Isolation
Message-ID: <Pine.LNX.4.44.1801071923020.14762-100000@hubble.stokkie.net>

Hi,

Your KAISER patch is released for the linux 4.10 kernel series.

https://github.com/IAIK/KAISER/tree/master/dist
https://github.com/IAIK/KAISER

Distro Maintainers using older kernels like 3.10 and 4.4 seem
to have obtained solid results as well, most proably using the
merged code approved by Linus, but was actually only for 4.16.:

The current state of kernel page-table isolation
https://lwn.net/Articles/741878/

Re: [PATCH 00/24] x86/mm: Add KAISER support
https://lwn.net/Articles/741882/

"[ ... ]
On Mon, Nov 27, 2017 at 2:48 AM, Ingo Molnar <mingo@kernel.org> wrote:
> Sending this out for another round of review.

Ok, I have tried to go through the patches, and I don't see anything
horrible, but honestly, at this point I'd rather leave it for 4.16.

We're presumably going to have to back-port these things anyway for
the LTS releases, and they're still getting comments and small fixes
after the merge window is over. I'd rather have people feel like they
can take the time to just get it all clean and finished (and as much
testing as possible) than start merging things aggressively.
[ ... ]"

At Redhat things seem to have solved properly, but older CentOS is having
trouble :

Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
Public Date: Wednesday at 12:00 AM
Updated 4 hours ago - English
https://access.redhat.com/security/vulnerabilities/speculativeexecution

Guru 6097 points
6 January 2018 8:57 PM
PixelDrift.NET Support Community Leader
Is this issue with Xen + el6 kernel-2.6.32-696.18.7.el6.x86_64 also
being tracked by Red Hat?
https://bugs.centos.org/view.php?id=14336

CentOS forum thread here:
https://www.centos.org/forums/viewtopic.php?f=13&t=65602&start=10

The patch you made, obviously for 4.10 looks solid and implementable.
Did you create seperate KAISER patches for the 4.4, 3.10 and
2.6.32 kernel ? The kernel stack in 2.6.3x looks entirely different,
i.e. entry_64.S and entry_32.S . The normal linux layman is having
severe troubles migrating KAISER to 2.6.3x when implementing the
assembly part of the KAISER patch, which is also mentioned inside
the comments of :

Kernel page-table isolation merged
https://lwn.net/Articles/742404/

Best Regards,

Robert
--
Robert M. Stockmann - RHCE
Network Engineer - UNIX/Linux Specialist
crashrecovery.org stock@stokkie.net

rmstock · January 07, 2018, 11:57:48 PM

Home > News > Security > List of Meltdown and Spectre Vulnerability Advisories, Patches, & Updates
List of Meltdown and Spectre Vulnerability Advisories, Patches, & Updates
By Lawrence Abrams January 3, 2018 09:52 PM 6
https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/

Two new vulnerabilities called Meltdown and Spectre, or speculative
execution side-channel vulnerabilities, have been discovered in modern
processors that allow malicious programs to steal information from the
memory of other programs. This means that the malicious program can
steal passwords, account information, encryption keys, or theoretically
anything stored in the memory of a process.

Vendors have started to release information on how customers can
protect themselves from Spectre or Meltdown and the status of their
services. To make it easier to find this information, I will be adding
links to various advisories as they are released. The related CVEs are
CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.

It is important to note, though, that a software update will not be
able to completely resolve these vulnerabilities. It is also important
to make sure you have the latest bios/firmware updates for your laptop
or computer installed as well.

For those who want to monitor these updates, I suggest you check this
page throughout the coming days to see if new information is available.

For more detailed information about the Spectre and Meltdown
vulnerabilities, you can read our coverage in the articles below:

* How to Check and Update Windows Systems for the Meltdown and Spectre
CPU Flaws
* Mozilla Confirms Web-Based Execution Vector for Meltdown and Spectre
Attacks
* Microsoft Releases Emergency Updates to Fix Meltdown and Spectre CPU
Flaws
* Google: Almost All CPUs Since 1995 Vulnerable To "Meltdown" And
"Spectre" Flaws
* Intel Denies Reports of Huge Performance Dip Due to Patches for CPU
Security Bug
* OS Makers Preparing Patches for Secret Intel CPU Security Bug

It is also strongly recommended that you read the security advisory by
Google as it contains a very detailed description of these
vulnerabilities.

If you are a vendor with a advisory or notice, please contact us to
have your information added.

Last Updated: 01/05/18 19:18 EST

Official Advisories, Notices, Patches, or Updates:

Amazon

Amazon has released a security bulletin that provides information on
how Amazon AWS services are affected by Meltdown and Spectre. In
summary, this bulletin states:

This is a vulnerability that has existed for more than 20 years in
modern processor architectures like Intel, AMD, and ARM across
servers, desktops, and mobile devices. All but a small single-digit
percentage of instances across the Amazon EC2 fleet are already
protected. The remaining ones will be completed in the next several
hours, with associated instance maintenance notifications.

While the updates AWS performs protect underlying infrastructure,
in order to be fully protected against these issues, customers must
also patch their instance operating systems. Updates for Amazon
Linux have been made available, and instructions for updating
existing instances are provided further below along with any other
AWS-related guidance relevant to this bulletin.

You can read the full security bulletin here:
https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

AMD

AMD has released an advisory where they essentially say that their CPUs
are not vulnerable to the speculative execution vulnerabilities. Below
is the table from this press release:

------------------------------------------------------------------------
     Google Project Zero
(GPZ) Research Title     Details
------------------------------------------------------------------------
Variant One   Bounds Check Bypass   Resolved by software / OS updates
to be made available by system
vendors and manufacturers.
Negligible performance impact
expected.
------------------------------------------------------------------------
Variant Two   Branch Target Injection   Differences in AMD architecture
mean there is a near zero risk of
exploitation of this variant.
Vulnerability to Variant 2 has
not been demonstrated on AMD
processors to date.
------------------------------------------------------------------------
Variant Three   Rogue Data Cache Load   Zero AMD vulnerability due to
AMD architecture differences.
------------------------------------------------------------------------

The full advisory can be found here:
https://www.amd.com/en/corporate/speculative-execution

As the security landscape continues to evolve, a collaborative effort
of information sharing in the industry represents the strongest defe

Furthermroe, Tom Lendacky, a software engineer at AMD, had posted a
email to the Linux Kernel Mailing List stating:

AMD processors are not subject to the types of attacks that the
kernel page table isolation feature protects against. The AMD
microarchitecture does not allow memory references, including
speculative references, that access higher privileged data when
running in a lesser privileged mode when that access would result
in a page fault.

Disable page table isolation by default on AMD processors by not
setting the X86_BUG_CPU_INSECURE feature, which controls whether
X86_FEATURE_PTI is set.

You can read the full post here: https://lkml.org/lkml/2017/12/27/2 ( http://archive.is/nRUTC )

Windows internals expert, Alex Ionescu also had this to say:
https://twitter.com/aionescu/status/948679003799367680
Android

The Android team has updated their January 2018 bulletin with the
following note:

CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754, a set of
vulnerabilities related to speculative execution in processors,
have been publicly disclosed. Android is unaware of any successful
reproduction of these vulnerabilities that would allow unauthorized
information disclosure on any ARM-based Android device.

To provide additional protection, the update for CVE-2017-13218
included in this bulletin reduces access to high-precision timers,
which helps limits side channel attacks (such as CVE-2017-5715,
CVE-2017-5753, and CVE-2017-5754) of all known variants of ARM
processors.

We encourage Android users to accept available security updates to
their devices. See the Google security blog for more details.

The full bulletin can be found here:
https://source.android.com/security/bulletin/2018-01-01

Antivirus Vendors

Microsoft will only distribute the emergency update to users if a
particular registry key has been made by an installed antivirus vendor.
Kevin Beaumont has created a spreadsheet that keeps tracks of antivirus
vendors and whether they make this key:
https://docs.google.com/spreadsheets/u/2/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview

Below are links to various antivirus vendors who have released
advisories:

* Emsisoft:
https://blog.emsisoft.com/2018/01/04/chip-vulnerabilities-and-emsisoft-what-you-need-to-know/
* eScan:
http://blog.escanav.com/2018/01/meltdown-spectre-cpu-vulnerabilities/
* ESET:
https://www.eset.com/us/about/newsroom/corporate-blog-list/corporate-blog/meltdown-spectre-how-to-protect-yourself-from-these-cpu-security-flaws
/
* Sophos: https://community.sophos.com/kb/en-us/128053
* Trend Micro: https://success.trendmicro.com/solution/1119183
* Webroot:
https://community.webroot.com/t5/Announcements/Microsoft-Patch-Release-Wednesday-January-3-2018/m-p/310146

Apple

Apple has released an official advisory that states:

Security researchers have recently uncovered security issues known
by two names, Meltdown and Spectre. These issues apply to all
modern processors and affect nearly all computing devices and
operating systems. All Mac systems and iOS devices are affected,
but there are no known exploits impacting customers at this time.
Since exploiting many of these issues requires a malicious app to
be loaded on your Mac or iOS device, we recommend downloading
software only from trusted sources such as the App Store. Apple has
already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS
11.2 to help defend against Meltdown. Apple Watch is not affected
by either Meltdown or Spectre. In the coming days we plan to
release mitigations in Safari to help defend against Spectre. We
continue to develop and test further mitigations for these issues
and will release them in upcoming updates of iOS, macOS, and tvOS.

The full advisor can be read here:
https://support.apple.com/en-us/HT208394

Windows internals expert, Alex Ionescu had this to say:
https://twitter.com/aionescu/status/948609809540046849
ARM

ARM has released a security bulletin that lists the ARM processors that
are susceptible to the Meltdown and Spectre attacks.

Based on the recent research findings from Google on the potential
new cache timing side-channels exploiting processor speculation,
here is the latest information on possible Arm processors impacted
and their potential mitigations. We will post any new research
findings here as needed.

The full ARM security bulletin can be found here:
https://developer.arm.com/support/security-update

Chromium Project

The Chromium Project has issued an advisory where they provide best
practices for web developers and recommend that Chromium users enable
Site Isolation.

The full advisory is here:
https://www.chromium.org/Home/chromium-security/ssca

Computer Emergency Response Team (CERT)

CERT has issued an advisory regarding thee Meltdown and Spectre CPU
vulnerabilities. This advisory can be found here:
http://www.kb.cert.org/vuls/id/584653

Cisco

Cisco released an advisory here:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel

Google

As Google was one of three teams that discovered this bug, they have
some of the most detailed information regarding Spectre and Meltdown. A
detailed bulletin regarding what Google products are affected by these
vulnerabilities and how they are being mitigated can be found here:
https://support.google.com/faqs/answer/7622138

I strongly suggest that everyone read the following articles for
detailed technical information:

* https://meltdownattack.com/
* https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html

Google has also issued a bulletin for users of Google Cloud, G Suite,
and Chrome. To summarize, this bulletin states that Google Cloud & G
Suite have been updated to mitigate these vulnerabilities. If a
customer uses their own operating system then they will need to install
any related OS updates. Finally, Chrome & ChromeOS users can turn on
Site Isolation to provide further protection.

The full bulletin can be found here:
https://blog.google/topics/google-cloud/what-google-cloud-g-suite-and-chrome-customers-need-know-about-industry-wide-cpu-vulnerability/

Intel

Intel has released a press release regarding these vulnerabilities. A
portion of this press release states:

Intel and other technology companies have been made aware of new
security research describing software analysis methods that, when
used for malicious purposes, have the potential to improperly
gather sensitive data from computing devices that are operating as
designed. Intel believes these exploits do not have the potential
to corrupt, modify or delete data.

Recent reports that these exploits are caused by a "bug" or a
"flaw" and are unique to Intel products are incorrect. Based on the
analysis to date, many types of computing devices — with many
different vendors' processors and operating systems — are
susceptible to these exploits.

The full press release can be found here:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

Windows internals expert, Alex Ionescu also had this to say:
https://twitter.com/aionescu/status/949731633984192512
Linux Foundation

Thomas Gleixner, a Linux kernel developer, posted in December to the
Linux Kernel Mailing List about new KAISER isolation patches. These are
suspected to have been introduced to resolve the Meltdown and Spectre
bugs in Linux. If anyone has more information, I would appreciate you
letting me know.

The mailing list post can be found here:
https://lkml.org/lkml/2017/12/4/709 ( http://archive.is/794Pm )

Microsoft

Windows Information:

On January 3rd 2018, Microsoft released emergency out-of-band updates
for Windows 7 SP1, Windows 8.1, Windows 10, and various Windows Server
versions. Though these updates help to mitigate the Spectre and
Meltdown speculative execution side-channel vulnerabilities, but to be
fully protected you will also need to install the latest firmware &
bios updates for your computer.

Advisories for these updates can be found here:

* Windows Server Guidance to protect against the speculative execution
side-channel vulnerabilities
* Windows Client Guidance for IT Pros to protect against speculative
execution side-channel vulnerabilities

Microsoft Edge Information:

Microsoft has released an advisory specifically related to Microsoft
Edge. This advisory states:

Initially, we are removing support for SharedArrayBuffer from
Microsoft Edge (originally introduced in the Windows 10 Fall
Creators Update), and reducing the resolution of performance.now()
in Microsoft Edge and Internet Explorer from 5 microseconds to 20
microseconds, with variable jitter of up to an additional 20
microseconds. These two changes substantially increase the
difficulty of successfully inferring the content of the CPU cache
from a browser process.

We will continue to evaluate the impact of the CPU vulnerabilities
published today, and introduce additional mitigations accordingly
in future servicing releases. We will re-evaluate
SharedArrayBuffer for a future release once we are confident it
cannot be used as part of a successful attack.

The full advisory can be found here:
https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/

Azure Information:

Microsoft also released a compatibility note that you should read in
order to understand why you may not see these updates being offered:
https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

For Azure users, Microsoft has released an advisory that states:

The majority of Azure infrastructure has already been updated to
address this vulnerability. Some aspects of Azure are still being
updated and require a reboot of customer VMs for the security
update to take effect. Many of you have received notification in
recent weeks of a planned maintenance on Azure and have already
rebooted your VMs to apply the fix, and no further action by you is
required.

The full Azure advisory can be found here:
https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

Mozilla

Mozilla has released an advisory stating that older versions of Firefox
are susceptible to these attacks. To mitigate these attacks, starting
in Firefox 57, Mozilla has reduced the precision of Firefox's internal
timer functions. Therefore, all Firefox users should upgrade to Firefox
57 for the extra protection.

The advisory can be found here:
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Nvidia

Nvidia has released an advisory that states they currently believe
their GPUs are not affected by this bug, but will continue
investigating:

NVIDIA's core business is GPU computing. We believe our GPU
hardware is immune to the reported security issue and are updating
our GPU drivers to help mitigate the CPU security issue. As for our
SoCs with ARM CPUs, we have analyzed them to determine which are
affected and are preparing appropriate mitigations.

The full bulletin can be found here:
https://forums.geforce.com/default/topic/1033210/nvidias-response-to-speculative-side-channels-cve-2017-5753-cve-2017-5715-and-cve-2017-5754/

Redhat

Redhat has released an advisory that provides a list of affected
products and their status. This advisory states:

Red Hat customers running affected versions of the Red Hat products
are strongly recommended to update them as soon as errata are
available. Customers are urged to apply the appropriate updates
immediately. All impacted products should apply fixes to mitigate
CVE-2017-5753 (variant 1) and CVE-2017-5754 (variant 3).
CVE-2017-5715 (variant 2) can be exploited both locally and through
the virtualization guest boundary.

The full advisory can be found here:
https://access.redhat.com/security/vulnerabilities/speculativeexecution?sc_cid=701f2000000tsLNAAY&

SUSE

SUSE has posted an advisory related to these attacks that states:

SUSE engineers have been collaborating with our partners and the
Linux community on upstream Linux kernel patches. As a result of
that collaboration, we are now able to release patches for most
recent SUSE Linux Enterprise (SLE) versions. Additional patches for
other SLE versions and environments will follow shortly.

The full advisory can be found here:
https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/

Ubuntu

Ubuntu has released an advisory that states new kernels will be
available on the original disclosure date of January 9th. The full
advisory can be read here:
https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/

VMware

VMware has released an advisory that contains information about what
products are affected and available patches. This advisory can be found
here: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

Xen

The Xen Project has released an highly detailed advisory regarding how
the Spectre and Meltdown vulnerabilities affect Xen hypervisors:

Xen guests may be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.

An attacker's choice of code to speculatively execute (and thus the
ease of extracting useful information) goes up with the numbers.
For SP1, or SP2 on systems where SMEP (supervisor mode execute
protection) is enabled: an attacker is limited to windows of code
after bound checks of user-supplied indexes. For SP2 without SMEP,
or SP3, an attacker can write arbitrary code to speculatively
execute.

The full post can be found here:
https://xenbits.xen.org/xsa/advisory-254.html

---
LAWRENCE ABRAMS
Lawrence Abrams is the creator and owner of BleepingComputer.com.
Lawrence's area of expertise includes malware removal and computer
forensics. Lawrence Abrams is a co-author of the Winternals
Defragmentation, Recovery, and Administration Field Guide and the
technical editor for Rootkits for Dummies. "

rmstock · January 08, 2018, 01:31:43 AM

Linus Torvalds Is Not Happy About Intel's Meltdown and]
Spectre Mess
https://gizmodo.com/linus-torvalds-is-not-happy-about-intels-meltdown-and-s-1821845198

Famed Linux developer Linus Torvalds has some pretty harsh words https://www.itwire.com/security/81327-linus-torvalds-says-intel-needs-to-admit-it-has-issues-with-cpus.html
for Intel on the fiasco over Meltdown and Spectre, the massive security flaws in modern processors that predominantly affect Intel products.
[ ... ]
In an email to a Linux list this week https://lkml.org/lkml/2018/1/3/797 ( http://archive.is/50grG ) , Torvalds questioned the competence of Intel engineers and suggested that they were knowingly selling flawed products to the public. He also seemed particularly irritated that users could expect a five to 30 percent projected performance hit from the fixes.
[ ... ]

rmstock · January 08, 2018, 03:36:59 PM

Windows Meltdown-Spectre update: Some AMD PC owners post crash reports
A number of AMD PC users say they can't boot after installing Microsoft's Windows 10 Meltdown-Spectre patch.
By Liam Tung | January 8, 2018 -- 17:07 GMT (17:07 GMT) | Topic: Security
http://www.zdnet.com/article/windows-meltdown-spectre-update-now-some-amd-pc-owners-post-crash-reports/

The issues are appearing on older AMD Athlon systems that received the update for the Windows 10 Fall Creators Update.
Image: ZDNet

"Microsoft's Windows patch for the Meltdown and Spectre attack methods
is reportedly causing problems for users with AMD Athlon CPUs.

According to a number of complaints on Microsoft's community forum, the
problems are appearing on Athlon systems that received the update for
the Windows 10 Fall Creators Update, labelled KB4056892.

The initial reporter said after installing the update the PC only
displayed the Windows logo and otherwise failed to boot. The update was
delivered through Windows Update.

TechRepublic: How the Meltdown and Spectre chip flaws will impact cloud
computing

After several failed boots [it does] a rollback and [then] it shows
error 0x800f0845. Unfortunately, it seems it's not easy to disable the
automatic updates without gpedit tweaks, so it tries installing and
rolling back the update over and over," wrote the reporter.

It's not clear how widespread this issue is, but the reporter noted
that the CPU involved is "quite pre-historic", specifically the AMD
Athlon X2 6000+, which was released a decade ago. Others who report the
same issue are also using older AMD chips.

It's also not certain that Microsoft's patches for the Meltdown and
Spectre attacks are the actual cause of the problems, given KB4056892
contains much more than these specific security fixes.

Microsoft hasn't responded specifically to the reports yet, instead
issuing a general statement relating to the Meltdown and Spectre
problem.

Download now: Hardware decommissioning policy

AMD chips aren't vulnerable to the Meltdown attack, but operating
system updates could address one of the Spectre attacks it was
vulnerable to.

AMD said there was a "near zero risk" its chips could be exploited by
the second Spectre attack, which required firmware updates from OEMs
containing CPU fixes such as Intel's IBRS microcode fix or Google's
Retpoline software fix.

PREVIOUS AND RELATED COVERAGE

Windows Meltdown-Spectre fix: How to check if your AV is blocking
Microsoft patch
Antivirus firms are playing patch catch-up, as Microsoft releases
Meltdown firmware updates for Surface devices.

Windows Meltdown-Spectre patches: If you haven't got them, blame your
antivirus
Microsoft says your antivirus software could stop you from receiving
the emergency patches issued for Windows.

Critical flaws revealed to affect most Intel chips since 1995
Most Intel processors and some ARM chips are confirmed to be
vulnerable, putting billions of devices at risk of attacks. One of the
security researchers said the bugs are "going to haunt us for years."

Apple confirms iPhone, Mac affected by Meltdown-Spectre vulnerabilities
The iPhone maker has confirmed all Mac systems and devices running iOS
are affected by the vulnerabilities, but also said there are currently
no known exploits.

Google reveals trio of speculative execution flaws, says AMD affected
CPUs can leak data when unwinding unused speculative execution paths.

Major Linux redesign in the works to deal with Intel security flaw
A serious security memory problem in all Intel chips has led to Linux's
developers resetting how to deal with memory. The result will be a more
secure, but -- as Linux creator Linus Torvalds says -- slower operating
system.

Intel chips have critical design flaw, and fixing it will slow Linux,
Mac, and Windows systems
The faulty design has been present in chips for years and it will force
a redesign of the Linux and Windows kernels. "

rmstock · January 08, 2018, 05:36:39 PM

Intel CEO Brian Krzanich at the IDF developer conference in 2016. Krzanich said updates will be available for 95 percent of systems affected by the Spectre and Meltdown vulnerabilities by the end of next week.
Stephen Shankland/CNET

SECURITY
Nope, no Intel chip recall after Spectre and Meltdown, CEO says
CEO Brian Krzanich says the new security vulnerabilities may be deep but they're also being fixed with software updates.
BY STEPHEN SHANKLAND, LAURA HAUTALA
JANUARY 4, 2018 5:36 PM PST
https://www.cnet.com/news/meltdown-spectre-intel-ceo-no-recall-chip-processor/

"Hoping the Meltdown and Spectre security problems might mean Intel
would be buying you a shiny new computer after a chip recall? Sorry,
ain't gonna happen.

Intel famously paid hundreds of millions of dollars to recall its
Pentium processors after the 1994 discovery of the "FDIV bug" that
revealed rare but real calculation errors. Meltdown and Spectre are
proving similarly damaging to Intel's brand, sending the company's
stock down more than 5 percent.

But Intel CEO Brian Krzanich said the new problems are much more easily
fixed -- and indeed are already well on their way to being fixed, at
least in the case of Intel-powered PCs and servers. Intel said Thursday
that 90 percent of computers released in the last 5 years will have
fixes available by the end of next week.

"This is very very different from FDIV," Krzanich said, criticizing
media coverage of Meltdown and Spectre as overblown. "This is not an
issue that is not fixable... we're seeing now the first iterations of
patches."

The vulnerabilities, announced Wednesday by Google and other
researchers, open a new avenue of attack on PCs, phones, and servers --
computing devices using chips designed by Intel, Arm and, to a lesser
degree, AMD. If an attacker manages to place malicious software on your
device, it could use Meltdown or Spectre to listen in on other software
whose data is supposed to be secure from eavesdropping within the
system. That could mean an attacker could get access to passwords,
encryption keys and other extremely sensitive data.

he attacks involve a modern chip feature called speculative execution.
Patches to fix the problem affect operating systems, web browsers and
the operation of the processors themselves. Tech companies are
scrambling to release updates to protect against Spectre and Meltdown
after news of the vulnerabilities started slipping out ahead of a
planned coordinated announcement.

One concern has been that the fixes for Meltdown and Spectre will
degrade performance. Krzanich flatly denied it. "For the real-world
applications... it's minimal impact," he said.

Intel, working with makers of computers and their operating system
software, plans patches that'll bring "complete mitigations" to
computers using Intel chips designed in the last five years, said Steve
Smith, Intel's general manager for data center engineering. The
majority are already done, Krzanich said. For chips up to 10 years old,
fixes will be released in coming weeks for the "vast majority" of Intel
chips, Smith said.

RELATED STORIES --------------------------------------------------

Spectre and Meltdown: Details you need on those big chip flaws
Major Intel, Arm chip security flaw puts your PCs, phones at risk
How to protect yourself from Meltdown and Spectre CPU flaws

Asked why Intel isn't talking about fixes for machines more than a
decade old, Smith said, "We're working with [computer makers] to
determine which ones to prioritize based on what they see as systems in
the field."

Intel also is fixing the problem in future chips, starting with
products that will arrive later this year, Smith said. Intel is
effectively taking the software fixes being released now and building
them directly into hardware, he said.

"We're putting those mitigations in our designs," Smith said. "We're
not turning off the benefits of speculation."

The problems occur only when the chip is switching from one level of
privilege to another, for example the change from running a computer
user's software like Photoshop to the computer's operating system,
which gets deeper access to the processor. The Intel fix will address
those "corner cases... where you're moving from one level of protection
to another," Smith said.

The issue is a particular concern for data centers run by companies
like Google, Amazon and Microsoft, where many computing processes run
side by side in different compartments on the same hardware. Google,
Amazon and Microsoft all say they've updated their systems to protect
against Spectre and Meltdown.

Intel chips from the last 15 years are affected, the company said.
That's an awful lot of computers, though Intel declined to say how many
chips it's shipped since then, and in any event it's impossible to know
how many are still in use.

"You don't know, if somebody went out and bought a PC five years ago,
whether someone owns that PC, whether it's operational or whether
they've turned it into a paperweight," Krzanich said.

There's been concern that Spectre in particular will be difficult to
fix, but Krzanich disagreed.

"The mitigations we're providing -- the ones that will roll out by next
week from the [computer makers] and the ones cloud service providers
have already put in place -- solve both problems," Krzanich said.

Krzanich sold hundreds of thousands of Intel shares in November, based
on a plan filed in October, both months after Google told the company
of the vulnerabilities in June 2017. But the stock sale was unrelated,
Intel said.

"It wasn't something where I had information that allowed me to trade,"
Krzanich said. "Intel has a very rigorous process for how I manage my
stock. I have a stock trading plan that is defined over time, so when
socks sell it's defined up front and I have no control over that. Those
[plans] are reviewed by the company."

And though he sold lots of stock, Krzanich still has 250,000 shares, as
required by his employment contract. "To me, 250,000 shares is still
quite a bit of stock to be owning," he said. "I'm a strong believer in
Intel's stock. That's a large amount of my net worth, and I'm
passionate about Intel's future."

Watch this: Intel chip flaw intensifies, Spotify filing for IPO?

First published Jan. 4, 4:53 p.m. PT.
Update, 5:36 p.m. PT: Adds detail about CEO Brian Krzanich stock sale. "