Duro golpe de nuevo a INTEL, 3 nuevas vulnerabilidades encontradas

UPDATE a Marzo 2019 (Mas vulnerabilidades encontradas que solo afectan a INTEL)

arxiv.org/pdf/1903.00446.pdf

---

Post Viejo

---

3 Nuevas vulnerabilidades fueron reveladas hoy, que incluyen fuertes hoyos de seguridad que permiten robar datos.

Lo peor de todo, Intel podria ser severamente golpeado por estos parches ya que tienen que ver con el SMM, SGX y el cache.
2 de estos bugs parecen ser similares a SPECTRE.

Lo feo? este error deja vulnerables a sistemas virtuales también.

Intel will today disclose three more vulnerabilities in its processors that can be exploited by malware and malicious virtual machines to potentially steal secret information from computer memory.

These secrets can include passwords, personal and financial records, and encryption keys. They can be potentially lifted from other applications and other customers' virtual machines, as well as SGX enclaves, and System Management Mode (SMM) memory. SGX is Intel's technology that is supposed to protect these secrets from snooping code. SMM is your computer's hidden janitor that has total control over the hardware, and total access to its data.

Across the board, Intel's desktop, workstation, and server CPUs are vulnerable. Crucially, they do not work as documented: where their technical manuals say memory can be marked off limits, it simply is not. This means malicious software on a vulnerable machine, and guest virtual machines on a cloud platform, can potentially lift sensitive data from other software and other customers' virtual machines.

Los bugs fueron llamados por intel como "L1 Terminal Fault". Ya que permiten sacar información almacenada en el cache.

CVE-2018-3615: This affects Software Guard Extensions (SGX), and was discovered by various academics who will reveal their findings this week at the Usenix Security Symposium. According to Intel, "systems with microprocessors utilizing speculative execution and software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis." This vulnerability was named Foreshadow by the team who uncovered it. This will require the microcode update to fix.
CVE-2018-3620: This affects operating systems and SMM. According to Intel, "systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis." Operating system kernels will need patching, and the SMM requires the microcode update, to be protected.
CVE-2018-3646: This affects hypervisors and virtual machines. According to Intel, "systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis." This will require the microcode, operating system, and hypervisor updates to protect data.

La parte mas critica de porque:

These tables, defined in Intel's manuals, specify whether or not information can be read, or written to, by applications. Crucially, they also have a setting called "present", which when set to 1 indicates an actual chunk of physical RAM is available to store some information for a running application. When it is zero, there is no physical RAM allocated, so any accesses to that area should be blocked by a page fault.

When an application tries to touch some of its data in memory, it references the information using a virtual memory address. This address has to be converted into a physical memory address, which points to some part of a RAM chip in the system.

The processor therefore may consult the page tables to convert the app's virtual memory address to the corresponding physical RAM address. This takes time, and today's Intel CPUs will not wait for a page table walk to complete when they could be doing something more useful. They will speculatively execute code based on a copy of the requested information cached in the L1 data cache, even if the page tables specify that this data is no longer present in physical memory and thus should not be read.

Mas informacion: www.theregister.co.uk/2018/08/14/intel_l1_terminal_fault_bugs/

Mas información detallada por Phoronix.
www.phoronix.com/scan.php?page=news_item&px=L1-Terminal-Fault

Ahora se dice que se tiene que deshabilitar el SMT(hyperthreading) para evitar este bug hasta que haya protección por microcode. Lo cual significa otra reducción de casi 10% del desempeño.

y Posibilidades de otra vulnerabilidad aun mas critica, que afectaria TODOS los VM's, Servidores, Kernel, etc..

www.zdnet.com/article/beyond-spectre-foreshadow-a-new-intel-security-problem/

Y el impacto real de los parches de la vulnerabilidad de "L1 Terminal Fault" en linux. La perdida de desempeño es bastante grande..

www.phoronix.com/scan.php?page=article&item=l1tf-early-look&num=2

Para los proveedores de servicios y hosting (incluyendo virtuales y managed) la perdida es ENORME si deciden por seguridad apagar el SMT (hyperthreading).

Con la novedad de que Intel finalmente presento sus nuevos parches de seguridad para sus procesadores.
Incluyendo mitigaciones para Spectre y los nuevos problemas de su "speculative" y el devastador hoyo de "L1 Terminal Fault" .

Todo bien no? NO.. porque Intel ha prohibido que pongan benchmarks de acuerdo con el contrato que aceptas al descargar los nuevos microcodes.

You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; (ii) modify, adapt, enhance, disassemble, decompile, reverse engineer, change or create derivative works from the Software except and only to the extent as specifically required by mandatory applicable laws or any applicable third party license terms accompanying the Software; (iii) use or make the Software available for the use or benefit of third parties; or (iv) use the Software on Your products other than those that include the Intel hardware product(s), platform(s), or software identified in the Software; or (v) publish or provide any Software benchmark or comparison test results.

perens.com/2018/08/22/new-intel-microcode-license-restriction-is-not-acceptable/

Es obvio que intel esta perdiendo terreno de manera alarmante a Intel. Luego de que los rumores de que el procesador de 8 cores de Intel costara mas que un threadripper 1950X!!! Lo cual hace preguntar que tan mal están sus yields.. tan mal como su tecnología de 10nm?

www.reddit.com/r/intel/comments/99nmls/first_pricelists_intel_core_i99900k_for_560_euro/


Por otro lado, es obvio que intel no esperaba ser cachado con ese EULA tan estupido en su microcode.. porque ya que la gente en reddit y otros sitios empezaran a demostrar su furia hacia intel..
Inetl decidio responder con :

We are updating the license now to address this and will have a new version available soon. As an active member of the open source community, we continue to welcome all feedback.

De acurdo con Toms, quien ha hablado con varios distribuidores de Linux. Estos parches y software ya tenian tiempo listos para activarse e instalarse. Parece que intel estaba esperando a "demostrar" sus nuevos procesadores sin las fallas.

It's troubling, then, that Intel prohibited Linux vendors from sharing their findings. As with any set of vendor-provided benchmarks, enthusiasts like to see third-party results to suss out any inconsistencies. Intel could have been concerned that benchmarkers wouldn't follow testing best practices and thus share inaccurate test results.

Another troubling angle came from Intel's restriction that seemingly prevented distributing the microcodes. Debian developers have complained publicly that its supporting packages are ready and have been for several weeks, but the company can't distribute them due to the new restrictions. Meanwhile, other Linux players, like Red Hat and SUSE, are busy distributing their patches regardless of the new licensing terms. This may just be a case of a single group having a philosophical complaint about the licensing terms, which wouldn't be unheard of from open source supporters.

Curiosamente intel también "demostró" su Cascade Lake, en donde supuestamente ya se repara todo el problema de Spectre, Meltdown y similares de manera física en el silicon.

www.tomshardware.com/news/intel-cascade-lake-details-spectre-meltdown,37674.html

Lo cual hace que todo el "timing" en que se hicieron la demostración junto con la salida de los parches y el EULA/NDA del microcode.. se vea como si fuera extremadamente planeado para que no golpeara el valor de intel en Wall Street.

Para un ejemplo de los "golpes" de desempeño con los parches nuevos de intel..

www.phoronix.com/scan.php?page=article&item=l1tf-foreshadow-xeon&num=1

El golpe varia de 1 a 5% con mitigacion parcial, y hasta 60% con mitigacion total. Esto es critico y fatal para muchos trabajos de servidores.

In most workloads, the default mitigation for L1 Terminal Fault / Foreshadow yielded up to a few percent performance impact in the default behavior for this mitigation that only should impact the virtual machine performance and not the bare metal system's performance abilities. Obviously when switching to unconditional L1D cache flushing the performance tended to have a more profound performance cost while if opting for the "full" mitigation that disables SMT there is a very sizable performance impact for VMs due to losing out on Hyper Threading. Additional tests are currently running as we continue exploring the performance cost of L1TF/Foreshadow.

Tamalero wrote:
Curiosamente intel también "demostró" su Cascade Lake, en donde supuestamente ya se repara todo el problema de Spectre, Meltdown y similares de manera física en el silicon.

www.tomshardware.com/news/intel-cascade-lake-details-spectre-meltdown,37674.html

Lo cual hace que todo el "timing" en que se hicieron la demostración junto con la salida de los parches y el EULA/NDA del microcode.. se vea como si fuera extremadamente planeado para que no golpeara el valor de intel en Wall Street.

Muchas gracias Tamalero, se agradecen todas las actualizaciones y seguimiento al caso Intel.

Lo del EULA reciente, que de inicio Intel no permitía hacer benchmarks está de risa. Tan desesperado estaba Intel de que no le encontraran más hoyos? ahah

leblueorange wrote:

Tamalero wrote:
Curiosamente intel también "demostró" su Cascade Lake, en donde supuestamente ya se repara todo el problema de Spectre, Meltdown y similares de manera física en el silicon.

www.tomshardware.com/news/intel-cascade-lake-details-spectre-meltdown,37674.html

Lo cual hace que todo el "timing" en que se hicieron la demostración junto con la salida de los parches y el EULA/NDA del microcode.. se vea como si fuera extremadamente planeado para que no golpeara el valor de intel en Wall Street.

Muchas gracias Tamalero, se agradecen todas las actualizaciones y seguimiento al caso Intel.

Lo del EULA reciente, que de inicio Intel no permitía hacer benchmarks está de risa. Tan desesperado estaba Intel de que no le encontraran más hoyos? ahah

Pues quien sabe cuantas mas variantes de SPECTRE le puedan golpear a intel.
Todo por hacer un truco para aumentar el desempeño de sus chips a consta de la seguridad ( Speculative Execution )


Muy buerna historia del descubrimiento de MELTDOWN: www.wired.com/story/meltdown-spectre-bug-collision-intel-chip-flaw-discovery/

Pues la saga continua.. OTRO error letal que afectaría severamente los VMs (virtual machines) y Hyperthreading.

www.zdnet.com/article/intel-cpus-impacted-by-new-portsmash-side-channel-vulnerability/

En este caso no se sabe todavía si afecta a AMD Zen. Pero se ha dicho que en varios distros de linux, por default se deshabilitara el SMT o HT.

Intel processors are impacted by a new vulnerability that can allow attackers to leak encrypted data from the CPU's internal processes.

The new vulnerability, which has received the codename of PortSmash, has been discovered by a team of five academics from the Tampere University of Technology in Finland and Technical University of Havana, Cuba.

Researchers have classified PortSmash as a side-channel attack. In computer security terms, a side-channel attack describes a technique used for leaking encrypted data from a computer's memory or CPU, which works by recording and analyzing discrepancies in operation times, power consumption, electromagnetic leaks, or even sound to gain additional info that may help break encryption algorithms and recovering the CPU's processed data.

MORE SECURITY NEWS
China has been 'hijacking the vital internet backbone of western countries'
Emotet malware gang is mass-harvesting millions of emails in mysterious campaign
Zuckerberg disses Apple, misses
Inside the mind of a sextortion scam artist
Researchers say PortSmash impacts all CPUs that use a Simultaneous Multithreading (SMT) architecture, a technology that allows multiple computing threads to be executed simultaneously on a CPU core.

Pues la saga continua.. OTRO error letal que afectaría severamente los VMs (virtual machines) y Hyperthreading.

www.zdnet.com/article/intel-cpus-impacted-by-new-portsmash-side-channel-vulnerability/

En este caso no se sabe todavía si afecta a AMD Zen. Pero se ha dicho que en varios distros de linux, por default se deshabilitara el SMT o HT.

Intel processors are impacted by a new vulnerability that can allow attackers to leak encrypted data from the CPU's internal processes.

The new vulnerability, which has received the codename of PortSmash, has been discovered by a team of five academics from the Tampere University of Technology in Finland and Technical University of Havana, Cuba.

Researchers have classified PortSmash as a side-channel attack. In computer security terms, a side-channel attack describes a technique used for leaking encrypted data from a computer's memory or CPU, which works by recording and analyzing discrepancies in operation times, power consumption, electromagnetic leaks, or even sound to gain additional info that may help break encryption algorithms and recovering the CPU's processed data.

Lo feo de este ataque es que es probable que afecte a todos los procesadores con SMT o HT o mecanismos similares (incluyendo celulares y servidores como Power9 )

AMD CPUS LIKELY IMPACTED
"We leave as future work exploring the capabilities of PortSmash on other architectures featuring SMT, especially on AMD Ryzen systems," the research team said in a version of their paper shared with ZDNet, but Brumley told us via email that he strongly suspects that AMD CPUs are also impacted.

The work behind discovering PortSmash is also the first result of "SCARE: Side-Channel Aware Engineering," a five-year security research project funded by the European Research Council.

"The goal of the project is to find new side-channel vectors and mitigate them," Brumley told us.

y otra vulnerabilidad encontrada en la que no se ve ninguna posible mitigacion de por software.

Los detallitos también son feos.. SOLO AFECTA A INTEL y ES NECESARIO PARCHE EN HARDWARE

Lo cual significaría que intel tiene que ir de nuevo a rediseñar sus procesadores para la nueva generación (10nm y 7nm) para impedir que este problema sea usado por criminales y grupos espías.

www.dsogaming.com/news/spoiler-is-a-brand-new-security-vulnerability-affecting-all-intel-cpus-amds-cpus-safe-from-this-thread/

El reporte original: arxiv.org/pdf/1903.00446.pdf

Otro reporte:
www.zdnet.com/article/all-intel-chips-open-to-new-spoiler-non-spectre-attack-dont-expect-a-quick-fix/

El error fue descubierto desde el año pasado. Varios expertos dicen que este error no es posible parchar con Microcode sin tener un golpe enorme de perdida de desempeño y que tardaría al menos 5 años a intel sacar un nuevo sistema. Ya que es una parte critica del manejo de MEMORIA y del CACHE..