PortSmash Side-Channel Vulnerability CVE-2018-5407 information

From Thomas-Krenn-Wiki

On 2 November 2018, five researchers from the universities of Tampere (Finland) and Havana (Cuba) published information on PortSmash, a side-channel attack that can read data from a parallel (sibling) thread of the same CPU core.[1] The attack risk is rated as moderate (CVSS v3 score 4.8 of 10). To read data, malicious code must first be running on a sibling thread of the attacked CPU core. An attack is therefore only possible if the attacker is able to execute code on a sibling thread of the affected CPU core.

Affected systems

The vulnerability potentially affects systems with activated hyper-threading.

Affected hardware:

  • Architectures with SMT/Hyper-Threading (demonstrated on Intel Skylake and Intel Kaby Lake; potentially all products with SMT/Hyper-Threading, including those of other manufacturers, are affected).

Affected software:

  • OpenSSL <= 1.1.0h.
  • Any software that has secret-dependent control flow at any granularity.

Possible solutions

Currently (05.11.2018, 15:00h) the only way to prevent a PortSmash attack is to disable Hyper-Threading. Since an attack requires the execution of malicious code on the same CPU core, the systems most at risk at the moment are those on which untrusted third parties are allowed to execute code (e.g. in a parallel virtual machine in a cloud environment).

Deactivate Hyper-Threading

As with CVE-2018-3646 (L1TF), disabling Hyper-Threading (via BIOS or operating system) also removes the possibility of a PortSmash attack.
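A small check for the operating-system side of this mitigation, added here as an example and not part of the original article: on Linux it reads the kernel's SMT switch at /sys/devices/system/cpu/smt/control (values "on", "off", "forceoff", "notsupported", "notimplemented") and falls back to the siblings / cpu cores ratio from /proc/cpuinfo on kernels without that file. The paths and the "nosmt" boot parameter are real Linux interfaces; the constructed /proc/cpuinfo fragments used when testing are assumptions.

```python
"""Check whether SMT/Hyper-Threading is active on a Linux host."""
import re
from pathlib import Path
from typing import Optional

SMT_CONTROL = Path("/sys/devices/system/cpu/smt/control")  # Linux >= 4.19
CPUINFO = Path("/proc/cpuinfo")


def threads_per_core(cpuinfo_text: str) -> int:
    """Derive siblings / cpu cores from the first CPU block; 1 means no SMT."""
    siblings = re.search(r"^siblings\s*:\s*(\d+)", cpuinfo_text, re.M)
    cores = re.search(r"^cpu cores\s*:\s*(\d+)", cpuinfo_text, re.M)
    if not siblings or not cores or int(cores.group(1)) == 0:
        return 1  # fields absent (some VMs expose neither): no visible SMT
    return int(siblings.group(1)) // int(cores.group(1))


def smt_state(control_value: Optional[str], cpuinfo_text: str) -> str:
    """Return 'on' or 'off'.

    control_value is the content of smt/control, or None if the file is
    missing on an older kernel. "notimplemented" (or anything unexpected)
    gives no answer, so fall back to the /proc/cpuinfo ratio.
    """
    if control_value is not None:
        v = control_value.strip()
        if v == "on":
            return "on"
        if v in ("off", "forceoff", "notsupported"):
            return "off"
    return "on" if threads_per_core(cpuinfo_text) > 1 else "off"


def check_host() -> str:
    """Read the live host and produce an operator-facing verdict."""
    control = SMT_CONTROL.read_text() if SMT_CONTROL.exists() else None
    cpuinfo = CPUINFO.read_text() if CPUINFO.exists() else ""
    if smt_state(control, cpuinfo) == "on":
        return ("SMT is on: untrusted code on a sibling thread could mount "
                "PortSmash. Disable it in the BIOS, boot with 'nosmt', or at "
                "runtime: echo off > " + str(SMT_CONTROL))
    return "SMT is off: PortSmash cannot be mounted on this host."


if __name__ == "__main__":
    print(check_host())
```

Run it as root or as any user with read access to sysfs; writing "off" to the control file is only possible as root and takes effect immediately, whereas "nosmt" in the kernel command line persists across reboots.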

Software update

The OpenSSL versions 1.1.1a-dev, 1.1.0j-dev and 1.0.2q-dev provide fixes for side channel attacks (CVE-2018-0734, CVE-2018-0735).

For more information on available software updates, please follow the links below for Linux distributors.
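To illustrate what "secret-dependent control flow" (see Affected software above) means and why the OpenSSL fixes work, here is an added example that is not code from this article or from OpenSSL: a modular exponentiation whose executed operation sequence depends on the key bits, beside a branch-free variant whose sequence is fixed for a given key length. The "trace" list is an assumed stand-in for what a sibling thread observes through port contention; it is a model in Python, not a constant-time implementation, since real constant-time code must be checked at machine-code level.

```python
"""Secret-dependent control flow versus a branch-free variant (toy model)."""
from typing import Callable, List, Tuple


def leaky_modexp(base: int, exp: int, mod: int, nbits: int) -> Tuple[int, List[str]]:
    """Square-and-multiply: the multiply only runs when the key bit is 1.

    nbits must be >= exp.bit_length(); a real scheme fixes it to the key size.
    """
    trace: List[str] = []
    r = 1
    for i in reversed(range(nbits)):
        r = r * r % mod
        trace.append("sqr")
        if (exp >> i) & 1:            # secret-dependent branch: leaks the bit
            r = r * base % mod
            trace.append("mul")
    return r, trace


def branchfree_modexp(base: int, exp: int, mod: int, nbits: int) -> Tuple[int, List[str]]:
    """Same result; every iteration does square, multiply and masked select."""
    trace: List[str] = []
    r = 1
    for i in reversed(range(nbits)):
        r = r * r % mod
        trace.append("sqr")
        t = r * base % mod            # always computed, result maybe discarded
        trace.append("mul")
        bit = (exp >> i) & 1
        mask = -bit                   # 0 when bit is 0, all ones when bit is 1
        r = (t & mask) | (r & ~mask)  # arithmetic select, no data-dependent branch
        trace.append("sel")
    return r, trace


def trace_depends_on_key(fn: Callable, base: int, mod: int, nbits: int) -> bool:
    """True if two keys of equal length produce different operation sequences."""
    _, t1 = fn(base, 0b1011, mod, nbits)
    _, t2 = fn(base, 0b1000, mod, nbits)
    return t1 != t2


if __name__ == "__main__":
    for fn in (leaky_modexp, branchfree_modexp):
        print(fn.__name__, "trace depends on key:",
              trace_depends_on_key(fn, 7, 101, 4))
```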

Manufacturer information

Intel and AMD have issued the following statements as of 05.11.2018.

Intel

Intel received notice of the research. This issue is not reliant on speculative execution, and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side channel safe development practices. Protecting our customers' data and ensuring the security of our products is a top priority for Intel and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified.[2]

AMD

At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating the PortSmash side-channel vulnerability report, which we just received, to understand any potential AMD product susceptibility.[3]

Linux distributions

Information about the different Linux distributions can be found at the following places:

FAQs

  • Am I affected by the PortSmash vulnerability? Basically, all systems with Hyper-Threading enabled are potentially affected by the vulnerability. However, data can only be read if malicious code is actively executed on a sibling thread. The cloud setups potentially most affected are those in which virtual machines of different customers run in parallel on one host and Hyper-Threading is enabled on the virtualization hosts.
  • Should I deactivate Hyper-Threading? If you manage a system only yourself or together with trustworthy persons (e.g. colleagues who have administrator rights anyway), we do not currently see any requirement to deactivate Hyper-Threading. If you are running a cloud environment in which different users run virtual machines in parallel, disabling Hyper-Threading is currently the only known way to prevent data from a neighboring virtual machine from being read via PortSmash. Note that in the worst case, disabling Hyper-Threading will double the processor load.
  • Is PortSmash a hardware bug or a software bug? This question cannot be answered unequivocally at this time.[4] The danger of this vulnerability can be reduced by hardware measures (deactivating Hyper-Threading) as well as by software measures (e.g. security updates for OpenSSL).
  • Will there be BIOS security updates or Intel microcode updates to close the vulnerability? We do not currently have information about scheduled microcode updates.

Further information

References

  1. CVE-2018-5407: new side-channel vulnerability on SMT/Hyper-Threading architectures (oss-sec mailing list, 02.11.2018)
  2. PortSmash: A New Side-Channel Vulnerability Affecting SMT/HT Processors (CVE-2018-5407) (www.phoronix.com, 02.11.2018)
  3. PortSmash attack blasts hole in Intel's Hyper-Threading CPUs, leaves with secret crypto keys (www.theregister.co.uk, 02.11.2018)
  4. Re: CVE-2018-5407: new side-channel vulnerability on SMT/Hyper-Threading architectures (Alexander Peslyak, oss-sec mailing list, 02.11.2018): "I think the existence of this side-channel in SMT should be obvious to the extent that it's not considered a vulnerability, but a fully expected by-design property. Maybe the problem is it wasn't documented as such. Maybe we should have put more effort into making it more obvious to everyone in 2005, like it's finally done now."



Author: Werner Fischer

Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.

