‘Kernel memory leaking’ Intel processor design flaw

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

A fundamental design flaw in Intel’s processor chips, related to the virtual memory system of Intel x86-64 hardware, allows normal user programs (even JavaScript in web browsers) to discern, to some extent, the layout or contents of protected kernel memory areas.

It is understood the bug is present in modern Intel processors produced in the past decade. It appears a microcode update can’t address it, so it has to be fixed in software at the OS level. This has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug, which is expected to cause a 5 to 30 per cent slowdown of your computer on the next update!

Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday. Patches for the Linux kernel are available. Apple’s 64-bit macOS will also need to be updated.

This is bad news for Intel. Last year they had the remotely exploitable AMT vulnerability, and now this new blow to Intel security. I don’t think that computer buyers like that their computers become slower!

Details of the vulnerability within Intel’s silicon are under wraps and are expected to be released later this month – so follow the comments for updates.
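Because the fix lands in the operating system rather than in microcode, the practical check for an administrator is what the kernel itself reports. Recent Linux kernels (4.15 and later) expose one file per issue under /sys/devices/system/cpu/vulnerabilities/; the script below, an added example and not part of the original post, summarises those files (the directory is a parameter so it also runs against a constructed copy).

```bash
#!/bin/sh
# Added example (not from the original post): summarise the kernel's own
# report of speculative-execution mitigations. Each file under
# /sys/devices/system/cpu/vulnerabilities/ holds one status line, e.g.
# "meltdown" reads "Mitigation: PTI" once the page-table isolation rework
# described above is active, "Vulnerable" when it is not, or "Not affected".

# Classify one status string: prints mitigated | vulnerable | not_affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*)  echo not_affected ;;
        "Mitigation:"*)   echo mitigated ;;
        "Vulnerable"*)    echo vulnerable ;;
        *)                echo unknown ;;
    esac
}

# Walk every file in the directory, print "<issue> <class> <raw text>" per
# line, and return 1 if any issue is still reported as Vulnerable.
report_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-20s %-13s %s\n' "$(basename "$f")" "$class" "$status"
        [ "$class" = vulnerable ] && rc=1
    done
    return $rc
}

# Constructed sample in the format of the real sysfs files, so the script
# runs on any machine; on a live host call report_vulns with no argument.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n'      > "$d/l1tf"
    printf 'Not affected\n'    > "$d/spectre_v1"
    echo "$d"
}
```

The same interface later gained an l1tf entry for the Foreshadow/L1TF issues discussed in the comments, so the one check covers both.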

358 Comments

  1. Tomi Engdahl says:

    Microsoft Releases Intel Microcode Patches for Foreshadow Flaws
    https://www.securityweek.com/microsoft-releases-intel-microcode-patches-foreshadow-flaws

    Microsoft this week made available another round of microcode updates created by Intel for mitigating the recently disclosed speculative execution vulnerabilities tracked as Foreshadow and L1 Terminal Fault (L1TF).

    The Foreshadow/L1TF vulnerabilities are CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).

    Reply
  2. Tomi Engdahl says:

    Intel Simplifies Microcode Update License Following Complaints
    https://www.securityweek.com/intel-simplifies-microcode-update-license-following-complaints

    Intel has made significant changes to the license for its latest CPU microcode updates after users complained that the previous version banned benchmarks and comparison tests.

    Since January, when researchers disclosed the existence of the speculative execution vulnerabilities known as Spectre and Meltdown, Intel has released several rounds of microcode updates designed to prevent these and similar attacks.

    The latest updates are designed to address three vulnerabilities tracked as Foreshadow or L1 Terminal Fault (L1TF). Microsoft and Linux distributions have begun distributing the microcode updates for these flaws, but some people noticed that the license file delivered with the updates prohibits benchmarking.

    “Unless expressly permitted under the Agreement, You will not, and will not allow any third party to [...] publish or provide any Software benchmark or comparison test results,” the license read.

    The mitigations for speculative execution vulnerabilities have been known to have a significant impact on performance in some cases. In the case of the Foreshadow flaws, Intel and Microsoft said there should not be any performance degradation on consumer PCs and many data center workloads. However, some data center workloads may be slowed down.

    Reply
  3. Tomi Engdahl says:

    Linus Torvalds talks frankly about Intel security bugs
    https://www.zdnet.com/article/linus-torvalds-talks-frankly-about-intel-security-bugs/

    Linus Torvalds thinks Intel has gotten better about keeping the Linux open-source community in the loop with CPU security problems, but it started out really badly. And it’s still not fair that Linux has to fix hardware problems.

    At The Linux Foundation’s Open Source Summit North America in Vancouver, Linus Torvalds, Linux’s creator, and Dirk Hohndel, VMware VP and chief open source officer, had a wide-ranging conversation about Linux security, open-source development, and quantum computing.

    Torvalds would really like his work to get back to being boring. It hasn’t been lately because of Intel’s CPU Meltdown and Spectre security bugs. The root cause behind these security holes was speculative execution.

    In speculative execution, when a program does a calculation, which might go several ways, the processor assumes several results and works on them. If it’s wrong, it goes back to the beginning and restarts with the correct data. Because CPUs are so fast these days, it’s much quicker to do this than to have the hardware sit idle waiting for data.

    Torvalds “loves speculative execution. CPUs must do this.” But, Torvalds is annoyed that “people didn’t think about the problems of taking shortcuts with speculative execution. We knew speculative work that wasn’t used had to be thrown away.” It wasn’t. That problem is now baked into most modern processors. The long-term fix is a new generation of Intel CPUs.

    Also, added Torvalds “The good news is the bugs have become more esoteric. They impact fewer and fewer cases. Intel and other hardware vendors are really getting down to the dregs of the hardware security bugs.”

    For the rest of 2018, Torvalds said, “Every three months hardware bugs would show up. There have been eight serious bugs this year. There were only two or three in all the years before.”

    Even now, though, the Spectre problems still haunt the Linux development process. The “Linux 4.19 merge window was not good. Usually it’s not a big deal. It’s just two weeks of me sitting in front of my computer. But the new security issue popped up early in the merge window, which just added the usual frustration due to having patches that weren’t public. This made it particularly stressful.”

    Reply
  4. Tomi Engdahl says:

    The Security Penalty
    https://semiengineering.com/the-security-penalty/

    Just building systems based on speed now comes with a well-publicized risk.

    It’s not clear if Meltdown, Spectre and Foreshadow caused actual security breaches, but they did prompt big processor vendors like Intel, Arm, AMD and IBM to fix these vulnerabilities before they were made public by Google’s Project Zero.

    While all of this may make data center managers and consumers feel better in one respect, it has created a level of panic of a different sort. For decades, the primary job of chip architects was to build the fastest processors possible, and over the past 15 years that has included big improvements in performance per watt. But as the power/performance benefits of Moore’s Law scaling begin to dwindle—the most recent estimates are a maximum of 20% power/performance improvement at each new node after 10/7nm—the cost of adding in security to eliminate security issues could impact that number further. Prior to 40nm, performance improvements for each new node shrink were in the 30% to 35% range.

    This may seem inconsequential for desktop or mobile apps. A slightly slower word-processing or spreadsheet application is an annoyance, but consumers are as likely to blame that on a barrage of software patches. Inside of data centers, however, performance has a direct economic impact. Any loss of performance in the cloud needs to be supplemented by additional servers, which require power, cooling and floorspace. A 10% loss in performance has a measurable effect on profitability.

    Reply
  5. Tomi Engdahl says:

    That moment when you know Intel is fucked. Time for AMD fellas to get triggered.

    https://people.cs.kuleuven.be/~jo.vanbulck/ccs18.pdf

    Reply
  6. Tomi Engdahl says:

    The Security Penalty
    https://semiengineering.com/the-security-penalty/

    Just building systems based on speed now comes with a well-publicized risk.

    It’s not clear if Meltdown, Spectre and Foreshadow caused actual security breaches, but they did prompt big processor vendors like Intel, Arm, AMD and IBM to fix these vulnerabilities before they were made public by Google’s Project Zero.

    Reply
  7. Tomi Engdahl says:

    Linux Kernel Vulnerability Affects Red Hat, CentOS, Debian
    https://www.securityweek.com/linux-kernel-vulnerability-affects-red-hat-centos-debian

    Qualys has disclosed the details of an integer overflow vulnerability in the Linux kernel that can be exploited by a local attacker for privilege escalation. The flaw, dubbed “Mutagen Astronomy,” affects certain versions of the Red Hat, CentOS and Debian distributions.

    The vulnerability affects versions of the kernel released between July 19, 2007, and July 7, 2017. While many Linux distributions have backported the commit that addresses the bug, the fix hasn’t been implemented in Red Hat Enterprise Linux, CentOS (which is based on Red Hat), and Debian 8 Jessie.

    Red Hat, which assigned the flaw an impact rating of “important” and a CVSS score of 7.8 (high severity), has started releasing updates that should address the issue.

    “This issue does not affect 32-bit systems as they do not have a large enough address space to exploit this flaw,” Red Hat explained. “Systems with less than 32GB of memory are unlikely to be affected by this issue due to memory demands during exploitation.”

    Mutagen Astronomy: Integer overflow in Linux’s create_elf_tables()
    (CVE-2018-14634)
    https://www.qualys.com/2018/09/25/cve-2018-14634/mutagen-astronomy-integer-overflow-linux-create_elf_tables-cve-2018-14634.txt

    We discovered an integer overflow in the Linux kernel’s
    create_elf_tables() function: on a 64-bit system, a local attacker can
    exploit this vulnerability via a SUID-root binary and obtain full root
    privileges.

    Only kernels with commit b6a2fea39318 (“mm: variable length argument
    support”, from July 19, 2007) but without commit da029c11e6b1 (“exec:
    Limit arg stack to at most 75% of _STK_LIM”, from July 7, 2017) are
    exploitable.

    Most Linux distributions backported commit da029c11e6b1 to their
    long-term-supported kernels, but Red Hat Enterprise Linux and CentOS
    (and Debian 8, the current “oldstable” version) have not, and are
    therefore vulnerable and exploitable.

    Reply
  8. Tomi Engdahl says:

    Intel’s commitment to making its stuff secure is called into question
    Security is a process or at least an aspiration
    https://www.theregister.co.uk/2018/10/08/intel_security_commitment/

    Intel claims that “protecting our customers’ data and ensuring the security of our products is a top priority” for the semiconductor giant – however, security researcher Stefan Kanthak argues otherwise.

    In an email to The Register in response to our report about the problems posed by the Manufacturing Mode in Intel’s Management Engine (ME), which if left open leaves processors vulnerable to local attack, Kanthak called Intel’s statement “a blatant lie.”

    “The statement is typical PR, and as such of no value,” he said.

    Reply
