Bug 1597992 (netspectre)

Summary: kernel: NetSpectre - observing speculative execution gadgets across network via statistical analysis.
Product: [Other] Security Response
Reporter: Wade Mealing <wmealing>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: abhgupta, acaringi, airlied, aquini, bhu, blc, bmasney, brdeoliv, bskeggs, dbaker, dhoward, dvlasenk, esammons, ewk, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, john.j5live, jokerman, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, mchehab, mcressma, mguzik, mjg59, mlangsdo, nmurray, plougher, ptalbert, rt-maint, rvrbovsk, security-response-team, skozina, sparks, steved, sthangav, trankin, walters, williams, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the CPU's execution mechanisms which allowed local memory to be inferred by measurement and statistical analysis across a network.
Story Points: ---
Last Closed: 2019-06-10 10:31:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1597990

Description Wade Mealing 2018-07-04 06:00:45 UTC
“NetSpectre: Read Arbitrary Memory over Network” is the first concept of Spectre variant 1 abusing speculative execution across a network.  It allows a remote attacker to abuse Spectre “gadgets” available in the code path accessible in the operating system's network stack.  The attacker sends a series of crafted requests to the target system and measures the response time to leak a secret value from the victim’s memory.  The response times of these attacks allow an attacker to deduce a secret value from the victim's memory.

This attack requires two gadgets to be available to the attacker, either in user space or kernel space.  

These gadgets are:

Leak gadget - accesses a stream at an attacker controlled location.

Transmit gadget - performs an arbitrary operation where the results depend on the microarchitectural state modified by the leak gadget.

The leak gadget is triggered to create a condition where the speculative execution event happens, and the transmit gadget's response time is measured over many queries to statistically determine the contents of memory at that location.

The initial fixes for Spectre v1 ( https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5753 ) have hardened the kernel against the leak gadget; however, userspace can continue to be attacked as it has yet to be hardened.

Approaches to solving this in userspace are planned to be documented in this bugzilla.


Red Hat is planning to focus on hardening the userspace networking daemons and will link improvements to this flaw.


Additional information:

https://access.redhat.com/solutions/3545361

http://misc0110.net/web/files/netspectre.pdf

Comment 1 Wade Mealing 2018-07-19 03:32:58 UTC
Acknowledgments:

Name: Daniel Gruss

Comment 6 Huzaifa S. Sidhpurwala 2018-07-27 03:24:48 UTC
Statement:

Red Hat Product Security has rated this update as having a security impact of Moderate. All Red Hat products are being evaluated for impact and Red Hat will work with the Linux community to analyze and correct any issues found.  Red Hat is currently evaluating the impact of this security flaw on userspace packages, especially the network daemons and remotely accessible technologies like SSH. Successful exploitation of this flaw needs the attacker to have advanced knowledge of the software versions used on the system. For additional information about this flaw including possible mitigations please refer to: https://access.redhat.com/solutions/3545361

Comment 7 Eric Christensen 2018-07-27 14:29:59 UTC
Mitigation:

The following mitigations can be used to lower the impact/scope of this flaw for userspace applications:

1. Allow only trusted users/IP addresses to access remotely accessible services like SSH, LDAP, SNMP, etc.

2. Since the attack involves sending a large number of packets to a particular service running on a port, firewalls and some services could be configured to limit the amount of traffic per source IP address.

3. Also actively monitor excessive traffic from a particular IP address, especially in a short time interval. Certain IDS devices/software can do that and block the source of these packets.
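The allow-list and per-source traffic checks in the three mitigation items above can be prototyped offline against an access log before they are turned into firewall or IDS rules. The following is an added example, not part of the bug report or of any Red Hat tooling: it reads a constructed connection log in an assumed "<epoch seconds> <source IP> <service>" format, checks each source against an assumed trusted-network allow-list (item 1), and computes the peak number of requests from each source inside a sliding time window so that sources above a threshold can be rate-limited or blocked (items 2 and 3). The addresses, window size and threshold are assumptions chosen for the example.

```python
"""Per-source request monitoring for the mitigations listed in this bug.

Added example. The log format, addresses, window and threshold below are
assumptions made for illustration, not values from the bug report.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed trusted networks (item 1): only these may reach the services.
TRUSTED_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("192.0.2.0/24")]
WINDOW_SECONDS = 10   # assumed sliding window for items 2 and 3
THRESHOLD = 100       # assumed max requests per source per window


def parse_line(line):
    """Parse one log line of the assumed format '<epoch> <src_ip> <service>'."""
    ts, src, service = line.split()
    return int(ts), ip_address(src), service


def make_sample_log():
    """Constructed traffic: one source sending 20 requests/s to ssh for 15 s,
    plus two quiet sources. These are documentation addresses, not real hosts."""
    lines = [f"{1530680400 + i // 20} 203.0.113.7 ssh" for i in range(300)]
    lines.append("1530680401 198.51.100.22 ssh")
    lines.append("1530680405 192.0.2.10 ldap")
    lines.append("1530680409 198.51.100.22 ssh")
    return "\n".join(lines)


def is_trusted(src, trusted_networks):
    """Item 1: a source is trusted only if it lies inside an allow-listed network."""
    return any(src in net for net in trusted_networks)


def peak_rate_per_source(events, window_seconds):
    """Items 2/3: for every source, the largest number of requests seen inside
    any window of window_seconds. events must be sorted by timestamp."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = defaultdict(int)
    for ts, src, _ in events:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window_seconds:   # drop timestamps that fell out
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)


def evaluate(log_text, trusted_networks, window_seconds, threshold):
    """Return which sources are untrusted (deny outright) and which exceed the
    per-window threshold (rate-limit or block), plus the per-source peaks."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])
    peaks = peak_rate_per_source(events, window_seconds)
    untrusted = {str(s) for s in peaks if not is_trusted(s, trusted_networks)}
    bursty = {str(s) for s, n in peaks.items() if n > threshold}
    return {
        "untrusted": untrusted,
        "rate_limited": bursty,
        "peaks": {str(s): n for s, n in peaks.items()},
    }


def demo():
    """Run the checks over the constructed log with the assumed settings."""
    return evaluate(make_sample_log(), TRUSTED_NETWORKS, WINDOW_SECONDS, THRESHOLD)


if __name__ == "__main__":
    result = demo()
    for src, n in sorted(result["peaks"].items()):
        print(f"{src:16} peak {n:4d}/{WINDOW_SECONDS}s"
              f"{'  UNTRUSTED' if src in result['untrusted'] else ''}"
              f"{'  RATE-LIMIT' if src in result['rate_limited'] else ''}")
```

Because the attack needs many timed queries against the same service to recover a value statistically, a threshold set well above what a legitimate client ever produces in the window still catches the measurement traffic; the window and threshold should be tuned against a baseline of the service's normal per-source rate before being enforced at the firewall.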