Tag Archives: Intel

Responding to the recent ZombieLand 2 TSX Vulnerabilities

====================
[TL DR]
====================
These vulnerabilities can only be exploited by attackers who have already compromised a system. Practice standard security precautions and install updates from hardware vendors and for your software (links provided below) when they become available. Resolution for vendors that offer cloud computing will have a more involved decision making process to consider (see below).

Early last week, security researchers disclosed security researchers disclosed further vulnerabilities within Intel’s processors.

How severe are these vulnerabilities?
These vulnerabilities ca be classed as medium severity. An attacker must already have compromised your system in order to exploit these vulnerabilities. This most recent set of vulnerabilities collectively known as ZombieLoad 2 or Transactional Synchronization Extensions (TSX) Asynchronous Abort affect Intel processors produced in the last approx. 2.5 years (August 2017 onwards).

For full technical details of these vulnerabilities, please see this page from Intel and this page from the security researchers. In summary these vulnerabilities according to the researchers allow “a malicious program to exploit internal CPU buffers to get hold of secrets currently processed by other running programs” leading to “these secrets such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys” being used by other running programs.

Of particular note are the performance implications for protecting virtual machines. If your organisation is running potentially untrusted code within virtual machines, protecting that environment will incur a performance penalty. You may need to carry out a risk assessment to determine if enabling these performance reducing mitigations outweigh the risk of putting your virtual machines at risk. Nested virtual machines will be most affected by the performance penalty.

How can I protect my organisation and myself from these vulnerabilities?
These most recent vulnerabilities can be mitigated by updating the firmware (defined) of your system. This is sometimes referred to as the UEFI / BIOS (defined) of your system.

They will be made available separately by the manufacturer of your motherboard of your system for servers, desktops and laptops or the motherboard (defined) manufacturer for any custom-built systems you may have. You will have to determine from the updates those vendors issue if they are available for the products that you own.

In addition, operating system vendors and virtualisation software vendors have made patches available (links provided below).

Thank you.

====================

HP Enterprise:
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03968en_us

Fedora (referring to the Xen virtual machine (see also below):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/

Red Hat:
https://access.redhat.com/articles/11258

https://access.redhat.com/errata/RHSA-2019:3838

https://access.redhat.com/errata/RHSA-2019:3839

https://access.redhat.com/errata/RHSA-2019:3840

https://access.redhat.com/errata/RHSA-2019:3841

https://access.redhat.com/errata/RHSA-2019:3842

https://access.redhat.com/errata/RHSA-2019:3843

https://access.redhat.com/errata/RHSA-2019:3844

SUSE:
https://www.suse.com/support/update/announcement/2019/suse-su-201914217-1/

https://www.suse.com/support/update/announcement/2019/suse-su-201914218-1/

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/TAA_MCEPSC_i915

Microsoft:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-11135

Xen:
https://xenbits.xen.org/xsa/advisory-305.html

Performance impact to Xen:
https://xenbits.xen.org/xsa/advisory-297.html

VMware:
Security advisory:
https://www.vmware.com/security/advisories/VMSA-2019-0020.html

Further information:
https://kb.vmware.com/s/article/59139

VMware Performance Impact Statement addressing mitigations for Machine Check Exception on Page Size Change (MCEPSC) CVE-2018-12207:
https://kb.vmware.com/s/article/76050

Mitigating the Intel SWAPGS Vulnerability

====================
TL DR
This is medium severity information disclosure vulnerability. An attacker must already have compromised a system to exploit it. Patches from Red Hat, Google and Microsoft are available. Apple hardware does not appear to be affected.
====================

If we look back 2 weeks we saw the disclosure of a vulnerability relating to VideoLAN VLC being performed incorrectly. This week there is an example of how responsible disclosure should be carried out and demonstrates it can work very well.

Red Hat Linux, Google and Microsoft have all issued patches for a newly discovered variant of the original Spectre v1 vulnerability (initially disclosed in January 2018).

The performance impact of the updates is described in the Red Hat advisory in more detail:

====================
The fix for this CVE has shown to cause a minimal performance impact. The impact will be felt more in applications with high rates of user-kernel-user space transitions. For example, in system calls, NMIs, and kernel interrupts.

Early benchmarks for this mitigation show approximately 1% performance penalty:

https://www.phoronix.com/scan.php?page=article&item=swapgs-spectre-impact&num=1
====================

How does this vulnerability work?
When building a memory address to access computer make use of segment registers (CS, DS, SS, ES, FS, GS). The FS and GS registers are used when the CPU (defined) is in 64-bit mode. The SWAPGS instruction is used on 64-bit entry into kernel code to swap the current user space value of GS with the value intended to be used during kernel operations. GS is used to access kernel data, but it does not validate the values it uses. There are checks during instruction execution to check if a swap to kernel mode is necessary. It is possible for the speculative execution process (attempting to look ahead to improve performance) to mis-judge if a swap is necessary  resulting in a small window of time where the wrong GS is used for memory access leading to disclosure of privileged information.

How can I protect my organisation and myself from this vulnerability?
Earlier this week Red Hat and Google released updates to resolve this vulnerability. Microsoft issued their update silently on 9th July:

Red Hat Linux
https://access.redhat.com/articles/4329821

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=18ec54fdd6d18d92025af097cd042a75cf0ea24c

Google Chrome OS
https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1739575

Microsoft Windows
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1125

Thank you.

Intel VISA Vulnerabilities Explained

In late March; security researchers published new research concerning a previously undocumented debugging feature of Intel motherboards and CPUs known as VISA (Visualization of Internal Signals Architecture).

TL DR: If your system is affected (please see the advisory); please ensure that you have applied the fixes from Intel’s advisory. Please only allow trusted individuals to physical access your systems e.g. servers and workstations: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html

What is this technology?
VISA (Visualization of Internal Signals Architecture) is a logic signal analyser within the Platform Controller Hub (PCH) of motherboards since the release of the 5-Series Chipsets (November 2008 onwards). This can be used for debugging purposes during manufacturing and is disabled by default.

This feature allows for the real-time monitoring of internal data and address lines as well as other buses within the motherboard.

What is the risk of having this technology within my motherboard?
While the researchers demonstrated 3 methods of exploiting these vulnerabilities:

  • Previous known high severity buffers overflows and privilege escalation flaws within the Intel Management Engine (ME) patched by Intel in 2017
  • Use of the Intel JTAG password
  • Fault injection technique into Intel Management Engine firmware read-only memory (ROM)

If you have already patched the first means of using the VISA technology an attacker would require physical access to your system in order to exploit the remaining 2 methods. Thus the residual risk would be low.

As per Microsoft’s Immutable Laws of Security (the official link seems to have been removed); if an attacker has physical access to a computer system; it can’t be considered your system anymore since the avenues of attack now open to them are large and little can be done to avoid this.

How can I can protect my organisation or system from mis-use of this debugging feature?
Check your systems using the downloadable tool from Intel to check if your system is vulnerable to the known issues from 2017.

If so, please contact the manufacturer of your system or motherboard to obtain the most appropriate firmware updates for your system. You can provide them a link to Intel’s security advisory for further details.

Please only allow authorised and trusted individuals physical access to your systems. Be security aware by knowing that attackers can socially engineer you into providing physical access to a system by impersonating your internal IT support or Security staff. Please check that such individuals work for or on behalf of your company before allowing them access.

Personally; my Asus ROG Rampage VI Apex system has received 3 Intel ME firmware updates to address security vulnerabilities first identified in 2017. Intel’s tool linked to above shows my system as not vulnerable to the issues listed within it’s advisory.

Thank you.

Responding to the Intel Spoiler Vulnerability

====================
Updated: 20th March 2019
====================
TL DR:
The Intel Spoiler vulnerability is not as bad as predicted. Software developers should continue to use safer code development practices.

====================
After the disclosure earlier this month of this vulnerability Intel have provided further information on how it affects their microprocessors. They have clarified that the Spoiler exploit by itself does not reveal secret data and is not a speculative execution side channel method:

Other good news is that existing mitigations such as KPTI (kernel page table isolation) reduce the risk of leaking data across privilege levels. They again confirmed that side channel safe software development practices such as “ensuring execution time and control flows are identical regardless of secret data” will mitigate classic side channel methods enabled by the Spoiler exploit. Furthermore, they confirmed memory modules which are already mitigated against Rowhammer attacks remain protected against the Spoiler exploit.

Lastly AMD provided formal confirmation that their microprocessors are not vulnerable after preliminary findings suggested they weren’t vulnerable. AMD’s statement is available from this link.

Thank you.

====================
Original Post:
====================
Earlier this month a new vulnerability was disclosed in a research paper titled “Spoiler: Speculative load hazards boost Rowhammer and cache attacks”.

TL DR: Mitigating this newly disclosed vulnerability is the job of software developers to work around using safer code development practices. Mitigating this issue in hardware will take longer since current measures cause too much of a performance penalty.

Why should this vulnerability be considered important?
Using this new method; attackers are likely to find existing cache and memory Rowhammer attacks easier to carry out. In addition, JavaScript (defined) attacks which can take long periods of time may be shortened to mere seconds. The paper contains a cache prime and probe technique to leak sensitive data using JavaScript.

This Spoiler vulnerability can be used by attackers (who MUST have already compromised your system) to extract sensitive information from the systems memory (RAM). An attack does not require elevated privileges.

What CPUs (microprocessors / computer chips) are affected?
This vulnerability affects Intel processors only; first generation Intel Core (from early 2006) and later are affected. ARM and AMD processors are not affected. Any system with an Intel Core processor is affected regardless of the operating they are using namely Linux, Unix, Apple macOS and Windows can be all affected.

How does this vulnerability achieve the above results?
The security researchers who authored the paper found a vulnerability in the memory order buffer that can be used to gradually reveal information about the mappings of physical memory to non-privileged software processes (in other words; applications). This technique also affects virtual machine (VM) and sandboxed (defined) environments.

The technique works by understanding the relationship between virtual and physical memory by timing the speculative load and store operations to these areas while looking out for discrepancies which disclose the memory layout to you. With this information an attacker knows where to focus their efforts.

Intel’s proprietary implementation of the memory subsystem (memory disambiguation) is the root cause of the vulnerability. When a physical address conflict (the address/area is already in use) occurs, the algorithm leaks the access timings. The algorithm in the researcher’s words works as follows “Our algorithm, fills up the store buffer within the processors with addresses that have the same offset but they are in different virtual pages. Then, we issue a memory load that has the same offset similarly but from a different memory page and measure the time of the load. By iterating over a good number of virtual pages, the timing reveals information about the dependency resolution failures in multiple stages.”

How can this vulnerability be mitigated/patched?
This vulnerability lies within the memory disambiguation algorithm which won’t be trivial to resolve anytime soon. Since this vulnerability is not related to last years Spectre vulnerability; mitigations for that vulnerability don’t help here. Current Spoiler mitigations have too much of performance penalty. At this time, Intel has issued the following statement:

“Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”

The side channel safe development practices are linked to below:

Software Guidance for Security Advisories

Addressing Hardware Vulnerabilities

Thank you.

January 2019 Update Summary

====================
Updated: 9th January 2019
====================
Happy New Year to all of my readers. Thanks very much.

Today Microsoft made available monthly updates resolving 47 vulnerabilities (more formally known as CVEs (defined)) respectively. Further details are available from Microsoft’s monthly summary page.

Separately Adobe released out of band (unscheduled) updates last week for Acrobat 2017 and Acrobat DC/Acrobat DC. These updates address 2x critical CVEs.

Other updates released today are as follows:
Adobe Connect: 1x priority 3 CVE resolved
Adobe Digital Editions: 1x priority 3 CVE resolved
Adobe Flash Player: reliability/performance update only

While the Flash Player update is a non-security update it’s likely Adobe chose to release it via the usual channels since it’s what people are familiar with and it helps to get updates out sooner.

Similar to last month; Microsoft’s updates come with a long list of Known Issues that will be resolved in future updates. They are listed below for your reference:

KB4468742
KB4471389
KB4480116
KB4480961
KB4480962
KB4480963
KB4480966
KB4480970
KB4480973
KB4480975
KB4480978

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows DHCP Client (Further details here)

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)(please also remember last months’s Internet Explorer update).

Microsoft Hyper-V (CVE-2019-0550 and CVE-2019-0551)

Microsoft Exchange (CVE-2019-0586)(Further details here)
====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

====================
Intel Security Advisories:
====================
Intel have released a series of security advisories so far this month. Of highest priority is the advisory for their Intel PROSet/Wireless WiFi Software to resolve a high severity CVSS Base Score 7.8 vulnerability. The security advisory affects many of their WiFi adapters.

Further important updates for their System Support Utility and Intel SGX SDK and Intel SGX Platform Software were also made available. Meanwhile lower severity issues were addressed in Intel’s SSD data-center tool for Windows, Intel NUC Firmware and Intel Optane SSD DC P4800:

If you use any of the affected software or products, please update them as soon as possible especially in the case of the PROSet/Wireless WiFi Software.

=======================
Mozilla Firefox
=======================
In the final week of January; Mozilla made available Firefox 65 and Firefox ESR (Extended Support Release) 60.5:

Firefox 65: Resolves 3x critical, 2x high and 2x moderate CVEs (defined)

Firefox 60.5: Resolves 2x critical and 1x high CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the most recent improvements by Mozilla.

=======================
Wireshark 2.4.12 and 2.6.6
=======================
v2.4.12: 6 security advisories

v2.6.6: 4 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.6.6 or v2.4.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Thank you.

Oracle VirtualBox Zero Day Disclosed

In early November a security researcher publicly disclosed (defined) a zero day (defined) vulnerability within Oracle’s VirtualBox virtualisation software.

How severe is this vulnerability?
In summary; this vulnerability is serious but it could have been worse. In order to exploit it, an attacker would first need to have obtained elevated privileges on your system; root (defined) in the case of Linux and administrator (defined) in the case of Windows. Using this privilege the attacker can leverage the exploit to escape from the confines of the virtual machine (VM)(defined) into the system which hosts the virtual machine (in other words; the system which houses the virtual machine within its physical infrastructure). Once outside of the virtual machine the attacker must then elevate their privileges again since breaking out of the VM only gives them user level/standard privileges and not elevated privileges in the physical system. Thus the attacker would then need to use a separate exploit for another vulnerability (not related to this VirtualBox flaw) to elevate their privileges again to become root/admin within the physical system.

Obviously; the consequences of exploiting this vulnerability on a shared service/cloud infrastructure system would be more serious since multiple users would be affected all at once and the further exploitation of the resulting host systems could potentially provide the attacker with control over all the virtual machines.

How can an attacker exploit this vulnerability?
VirtualBox makes use of the Intel Pro/1000 MT Desktop (82540EM) network adapter to provide an internet connection to the virtual machines it manages. The attacker must first turn off this adapter in the guest (virtualised) operating system. Once complete they can then load a custom Linux kernel module (LKM)(defined) (this does not require a reboot of the system). That custom LKM contains the exploit derived from the technical write up provided. That new LKM loads its own custom version of the Intel network adapter. Next the LKM exploits a buffer overflow (defined) vulnerability within the virtualised adapter to escape the guest operating system. The attack must then unload the custom LKM to re-enable the real Intel adapter to resume their access to the internet.

How can I protect myself from this vulnerability?
While this is a complex vulnerability to exploit (an attacker would need to chain exploits together in order to elevate their privilege on the host system after escaping the VM), the source code needed to do so is available in full from the researcher’s disclosure; increasing the risk of it being used by attackers.

At the time of writing; this vulnerability has not yet been patched by VirtualBox. It affects versions 5.2.20 and earlier when installed on Ubuntu version 16.04 and 18.04 x86-64 guests (Windows is believed to be affected too). While a patch is pending; you can change the network card type to PCnet or Para virtualised Network. If this isn’t an option available or convenient for you; you can an alternative to the NAT mode of operation for the network card.

Thank you.

Retpoline To Improve Windows 10 Performance Following Spectre Vulnerability

Alex Ionescu, a Windows Internals expert and Security Architect with CrowdStrike in mid-October provided new insight into performance improvements coming to the next update of Windows, namely 19H1 or Version 1903:

With performance decreases estimated to be up to 30% in the worst-case scenarios while mitigating the Spectre vulnerabilities earlier this year; the upcoming version of Windows will add Google’s Retpoline instructions to improve performance:

Such instructions are already present in Red Hat, SUSE and Oracle Linux 6 and 7. Ionescu revealed that performance was significantly improved while trusting the newer version of Windows 10. Moreover; Spectre variant 2 (CVE-2017-5715) will now be fully mitigated even if your hardware was not updated to support indirect branch restricted speculation (IBRS); making it more secure. In his words “On systems without IBRS, Windows won’t flush the BPB on kernel->user transitions. This opens up a potential security issue for CPUs without microcode that implements IBRS”.

He also confirmed that Retpoline is enabled on systems with indirect branch prediction barrier (IBPB). This will protect such systems from kernel to user transitions where currently no protection exists. Finally he asked that Retpoline be back ported earlier (but currently supported) versions of Windows since systems without IBRS are “sitting ducks”:

These changes were also announced by a Microsoft engineer, Mehmet Iyigun working within the Windows and Azure kernel team.

In April 2019 we can look forward to a more secure and faster version of Windows. I’m particularly pleased to learn this since my water cooled Intel processor; an 18 core (36 thread) Core i9 7980XE has received full protection from Spectre in the form of IBRS and IBPB from the motherboard vendor. Performance impact has been minimal but any increase in performance is welcomed for my donations to Stanford’s Folding@Home project.

More info on IBRS and IBPB is available from this link. Thank you.