Bug 1690716 (thunderclap)

Summary: kernel: DMA attack using peripheral devices (Thunderclap)
Product: [Other] Security Response Reporter: Wade Mealing <wmealing>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, airlied, allarkin, aquini, bhu, blc, brdeoliv, bskeggs, cye, dbohanno, dhoward, dvlasenk, esammons, esandeen, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarod, jarodwilson, jdenham, jeremy, jfaracco, jforbes, jglisse, jkacur, joe.lawrence, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, lzampier, matt, mchehab, mcressma, mjg59, mlangsdo, mleitner, mmilgram, nmurray, plougher, ptalbert, rparrazo, rrobaina, rt-maint, rvrbovsk, rysulliv, scweaver, steved, sukulkar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw that allowed an attacker to corrupt memory and escalate privileges was found in the Linux kernel's protection of memory access by attached devices.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-30 13:18:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1692237, 1692238, 1692245, 1692246, 1692247, 1692248, 1692249, 1692587, 1700376, 1700377    
Bug Blocks: 1684685    

Description Wade Mealing 2019-03-20 05:28:27 UTC 
"Thunderclap vulnerabilities are security flaws that affect the way modern computers interact with peripheral devices such as network cards, storage, and graphics cards. These vulnerabilities allow an attacker with physical access to a Thunderbolt port to compromise a target machine in a matter of seconds, running arbitrary code at the highest privilege level and potentially gaining access to passwords, banking logins, encryption keys, private files, browsing and other data. Attacks exploiting these vulnerabilities can also be carried out by seemingly innocuous peripherals like chargers and projectors that correctly charge or project video but simultaneously compromise the host machine".

- From https://thunderclap.io/

Recently, Intel have contributed patches to version 5.0 of the Linux kernel (shortly to be released) that enable the IOMMU for Thunderbolt and prevent the protection-bypass vulnerability that uses the ATS feature of PCI Express.

No CVE's have been assigned to this issue at this time.

Related links:

http://thunderclap.io/

https://github.com/torvalds/linux/commit/d8b8591054575f33237556c32762d54e30774d28
https://github.com/torvalds/linux/commit/fb58fdcd295b914ece1d829b24df00a17a9624bc
Comment 1 Wade Mealing 2019-03-20 07:32:37 UTC 
Mitigation:

Disabling hardware ports affected by this flaw in system BIOS or firmware will prevent access.  However this may be too strict in some cases.

Some level of mitigation can be achieved by configuring USB guard to block untrusted devices. USB guard is available for Red Hat Enterprise Linux 7.3 and later, see  https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using-usbguard for details.
Comment 4 Wade Mealing 2019-03-25 06:59:54 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1692237]
Comment 11 Justin M. Forbes 2019-04-11 12:09:12 UTC 
These patches are included in the 5.0.7 stable updates for Fedora.
Comment 13 errata-xmlrpc 2019-07-30 09:42:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1959 https://access.redhat.com/errata/RHSA-2019:1959
Comment 14 errata-xmlrpc 2019-07-30 11:02:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1971 https://access.redhat.com/errata/RHSA-2019:1971