Intel Lazy Floating Point Vulnerability: What you need to know

====================
Update: 24th July 2018:
====================
I have updated the list of vendor responses below to include further Red Hat versions and CentOS:

Red Hat Enterprise Linux 6:
https://access.redhat.com/errata/RHSA-2018:2164

Red Hat Enterprise Linux 5 and 7:
https://access.redhat.com/solutions/3485131

CentOS 6:
https://lists.centos.org/pipermail/centos-announce/2018-July/022968.html

CentOS 7:
https://lists.centos.org/pipermail/centos-announce/2018-June/022923.html

====================

On Wednesday of last week, a further vulnerability affecting Intel CPUs was disclosed.

TL;DR: Keep your operating system up to date and you should be fine.

What makes this vulnerability noteworthy?
According to Intel’s security advisory, this is an information disclosure issue. Similar to Spectre/Meltdown, the flaw is the result of a performance optimization (used when saving and restoring the current state of applications as a system switches from one application to another). A feature known as Lazy Floating Point Unit (FPU) is used to save and restore the registers within the CPU that store floating point numbers (non-integer numbers, namely decimal numbers).

The issue is that these registers may be accessed by another application on the same system. If the registers are storing, for example, the results of cryptographic calculations for a key you have just created or used to decrypt data, the attacker could use this data to infer what the actual key is. The same applies to any type of data the registers store: that data can be used to infer what the previous contents were via a speculative execution side channel.
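The lazy save/restore behaviour described above, as an added example that is not part of the original post or Intel's advisory: a simplified C model assuming a single CPU, in which `b_sees` and every other name is hypothetical. It contrasts lazy switching with eager switching (swapping the FPU state at every context switch) and shows that, under lazy switching, the previous application's value stays physically in the register until the next application's first FPU use, even though a normal read never returns it.

```c
#include <stdio.h>
#include <string.h>

#define NREGS 4
/* Simplified model (assumption): one CPU with one physical FPU register file. */
struct task { double saved[NREGS]; };  /* per-task save area */
struct cpu {
    double regs[NREGS];    /* physical FPU registers */
    struct task *owner;    /* task whose values are physically in regs */
    struct task *current;  /* task that is running now */
    int eager;             /* 1 = swap FPU state on every context switch */
};

/* Save the old owner's registers, then load the next task's saved ones. */
static void fpu_swap(struct cpu *c, struct task *next) {
    if (c->owner) memcpy(c->owner->saved, c->regs, sizeof c->regs);
    memcpy(c->regs, next->saved, sizeof c->regs);
    c->owner = next;
}
/* Eager mode swaps at the switch; lazy mode defers until first FPU use. */
static void context_switch(struct cpu *c, struct task *next) {
    c->current = next;
    if (c->eager) fpu_swap(c, next);
}
/* Architectural access: lazy mode traps here and swaps before completing. */
static double *fpu_reg(struct cpu *c, int r) {
    if (c->owner != c->current) fpu_swap(c, c->current);
    return &c->regs[r];
}
/* Task A stores a secret in register 0, then task B is scheduled.
   via_trap=0: raw physical contents while B runs, before any trap
               (the state a speculative side channel is concerned with).
   via_trap=1: what B gets from a normal FPU read. */
double b_sees(int eager, int via_trap, double secret) {
    struct task a = {{0}}, b = {{0}};
    struct cpu c = {{0}, NULL, NULL, eager};
    context_switch(&c, &a);
    *fpu_reg(&c, 0) = secret;
    context_switch(&c, &b);
    return via_trap ? *fpu_reg(&c, 0) : c.regs[0];
}

int main(void) {
    printf("lazy,  physical register: %g\n", b_sees(0, 0, 42.5));
    printf("lazy,  normal read:       %g\n", b_sees(0, 1, 42.5));
    printf("eager, physical register: %g\n", b_sees(1, 0, 42.5));
    return 0;
}
```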

This vulnerability has been rated as moderate since it is difficult to exploit via a web browser (in contrast to Spectre) and the fix will be a software update only; no microcode and/or firmware updates will be necessary. With exploitation via a web browser being difficult, this vulnerability will likely instead be exploited from the victim system (an attacker will need to have already compromised your system).

How can I protect myself from this vulnerability?
Please note: AMD CPUs are NOT affected by this vulnerability.

The following vendors have responded to this vulnerability with software updates now in progress. Separately, Red Hat has completed their updates for Red Hat Linux 5, 6 and 7 (with further applicable updates still in progress).

Other vendors' responses are listed below. Thank you:

Amazon Web Services

Apple (currently release notes for an update to macOS to resolve the vulnerability)

DragonFlyBSD

Intel’s Security Advisory

Linux

Microsoft Windows

OpenBSD

Xen Project

Xen Project Patches 7 Year Old Critical Security Vulnerability

In late October, the Xen Project, which maintains the very popular Xen Project virtualization software, released a series of security advisories to resolve 9 security issues (consisting of 8 CVEs) within its software. The most serious of these (described in this advisory) has been present within the software for the last 7 years (but went undetected during that time).

Why Should These Issues Be Considered Important?
The most serious issue, which affects version 3.4 (onwards) of the Xen Project, involved how a guest server (namely a server which exists only in software rather than as a physical device, enabling multiple servers to exist on a single physical server) accesses the memory of the physical server within which it resides. The code that validates access to the page table (see pages 10 and 11 of this PDF for a definition of a level 2 table specific to this vulnerability; this slide deck explains the more general concept) could be bypassed under certain conditions, meaning that the guest server (if under the control of an attacker or malware) could have escalated its privileges to completely control the physical server.

The remaining 8 security issues could also cause a severe impact to your server infrastructure since they are denial of service issues.

How Can I Protect Myself From These Issues?
While mitigations are available for the majority of these issues, it is recommended to apply the necessary security updates if you use the Xen Project virtualization software within your organization.

The main Xen security advisories page is located here. Links to the appropriate advisories with steps to install the necessary updates are provided below:

Thank you.