Bug 1645695 (CVE-2018-5407)

Summary: CVE-2018-5407 openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, bkundal, bmaxwell, bmcclain, bugproxy, cdewolf, chazlett, csutherl, darran.lofthouse, dbaker, dblechte, dfediuck, dimitris, dosoudil, eedri, erik-fedora, fgavrilo, fnovak, gzaronik, hannsj_uhl, hkario, huzaifas, jawilson, jclere, jjarvis, jokerman, jondruse, jorton, klausk, ktietz, lersek, lgao, marcandre.lureau, mbabacek, mgoldboi, michal.skrivanek, mturk, myarboro, nenad, pgier, philmd, pjurak, ppalaga, psakar, pslavice, rjones, rnetuka, rstancel, rsunog, rsvoboda, sbonazzo, sdarade, security-response-team, sherold, slawomir, sthangav, tmraz, trankin, twalsh, vtunka, weli, yhuang, ysoni, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20181030,reported=20181102,source=distros,cvss3=4.8/CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N,cwe=CWE-200,fedora-all/mingw-openssl=affected,epel-7/mingw-openssl=affected,rhel-5/openssl=wontfix,rhel-6/openssl=wontfix,eap-5/openssl=wontfix,eap-6/openssl=wontfix,rhev-m-4/redhat-virtualization-host=affected,openshift-online-3/openssl=notaffected,jbews-2/openssl=wontfix,rhel-6/openssl098e=wontfix,rhel-7/openssl098e=wontfix,rhel-8/openssl=notaffected,fedora-all/openssl=notaffected,fedora-all/compat-openssl10=affected,rhel-8/compat-openssl10=wontfix,jbcs-1/openssl=affected,jws-3/openssl=wontfix,rhel-5/openssl097a=wontfix,rhel-7/ovmf=affected,rhel-7/openssl=affected,jws-5/openssl=affected,rhev-m-4/rhvm-appliance=affected
Fixed In Version: openssl 1.1.0i, openssl 1.1.1 Doc Type: If docs needed, set a value
Doc Text:
A microprocessor side-channel vulnerability was found on SMT (e.g, Hyper-Threading) architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:41:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1645696, 1645697, 1645698, 1645970, 1650390, 1645699, 1651057, 1651058, 1673950    
Bug Blocks: 1645702, 1667483    

Description Laura Pardo 2018-11-02 21:29:52 UTC
A flaw was found in microprocessor execution engine sharing on SMT (e.g. Hyper-Threading) architectures. An attacker running a malicious process on the same core of the processor as the victim process, can extract certain secret information.

The reporter is able to steal an OpenSSL (<= 1.1.0h) P-384 private key from a TLS server using this new side-channel vector. It is a local attack in the sense that the malicious process must be running on the same physical core as the victim (an  openSSL-powered TLS server in this case). But in general any application which branches on a secret value may be affected.

References:
https://seclists.org/oss-sec/2018/q4/123

Comment 1 Laura Pardo 2018-11-02 21:31:04 UTC
Created compat-openssl10 tracking bugs for this issue:

Affects: fedora-all [bug 1645698]


Created mingw-openssl tracking bugs for this issue:

Affects: epel-7 [bug 1645697]
Affects: fedora-all [bug 1645696]

Comment 6 Huzaifa S. Sidhpurwala 2018-11-05 05:38:04 UTC
Note about OpenSSL:

Though the reporters demonstrate this flaw against OpenSSL, any application which  has secret dependent control flaw will be affected. From an OpenSSL point of view, this particular issue has been fixed in their code via multiple commits:

For the 1.1.0 branch, at

https://github.com/openssl/openssl/commits/OpenSSL_1_1_0-stable/crypto/ec/ec_mult.c

everything starting from aab7c770353b1dc4ba045938c8fb446dd1c4531e

OpenSSL released 1.1.1 and 1.1.0i. They contain the relevant patches.

Comment 9 Huzaifa S. Sidhpurwala 2018-11-05 06:59:46 UTC
Acknowledgments:

Name: Billy Bob Brumley, Cesar Pereida Garcia, Sohaib ul Hassan, Nicola Tuveri (Tampere University of Technology; Finland), Alejandro Cabrera Aldaya (Universidad Tecnologica de la Habana CUJAE; Cuba)

Comment 13 Huzaifa S. Sidhpurwala 2018-11-15 04:24:18 UTC
Statement:

This is a timing side-channel flaw on processors which implement SMT/Hyper-Threading architectures. It can result in leakage of secret data in applications such as OpenSSL that has secret dependent control flow at any granularity level. In order to exploit this flaw, the attacker needs to run a malicious process on the same core of the processor as the victim process.

Comment 14 Huzaifa S. Sidhpurwala 2018-11-15 04:24:36 UTC
External References:

https://github.com/bbbrumley/portsmash
https://www.openssl.org/news/secadv/20181112.txt

Comment 16 Jason Shepherd 2018-11-15 23:09:49 UTC
OpenShift Online disables Hyper-Threading, see https://blog.openshift.com/what-openshift-online-customers-should-know-about-l1tf-openshift-sre-security/

Comment 22 Huzaifa S. Sidhpurwala 2019-01-24 08:16:01 UTC
Mitigation:

At this time Red Hat Engineering is working on patches for openssl package in Red Hat Enterprise Linux 7 to address this issue.  Until fixes are available, users are advised to review the guidance supplied in the L1 Terminal Fault vulnerability article: https://access.redhat.com/security/vulnerabilities/L1TF and decide what their exposure across shared CPU threads are and act accordingly.

Comment 29 errata-xmlrpc 2019-03-13 12:45:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0483 https://access.redhat.com/errata/RHSA-2019:0483