“NetSpectre: Read Arbitrary Memory over Network” is the first proof of concept of Spectre variant 1 abusing speculative execution across a network. It allows a remote attacker to abuse Spectre “gadgets” available in code paths reachable through the operating system's network stack. The attacker sends a series of crafted requests to the target system and measures the response times; over many requests these timings allow the attacker to deduce a secret value from the victim's memory.
This attack requires two gadgets to be available to the attacker, either in user space or kernel space.
These gadgets are:
Leak gadget - accesses a stream at an attacker-controlled location.
Transmit gadget - performs an arbitrary operation where the results depend on the microarchitectural state modified by the leak gadget.
The leak gadget is triggered to create a condition in which the speculative execution event happens, and the transmit gadget's response time is measured over many queries to statistically determine the contents of memory at that location.
The initial fixes for Spectre v1 (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5753) have hardened the kernel against the leak gadget; however, userspace can continue to be attacked as it has yet to be hardened.
Approaches to solving this in userspace will be documented in this bugzilla.
Red Hat is planning to focus on hardening the userspace networking daemons and will link improvements for this flaw here.
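As an added illustration that is not part of this bugzilla entry or of any Red Hat package, the shape of a userspace leak gadget beside one hardening pattern (branchless index masking, the same construction as the Linux kernel's generic array_index_mask_nospec()); the lookup table and its values are constructed for the example:

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample table standing in for a daemon's per-request lookup
 * (for example a state table indexed by a field taken from the packet). */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Leak-gadget shape: the bounds check is a conditional branch. Architecturally
 * it is correct, but while the branch is mispredicted the CPU may perform
 * table[idx] for an out-of-range idx, leaving a cache trace that a transmit
 * gadget can later observe. */
uint8_t lookup_unhardened(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Branchless mask: all ones when idx < len, all zeros otherwise.
 * Requires idx and len both below SIZE_MAX/2 and relies on arithmetic
 * right shift of a negative long (gcc/clang behaviour). */
size_t array_index_mask_nospec(size_t idx, size_t len)
{
    return (size_t)(~(long)(idx | (len - 1 - idx)) >> (sizeof(long) * 8 - 1));
}

/* Clamp idx to 0 unless it is in range, with no data-dependent branch. */
size_t index_nospec(size_t idx, size_t len)
{
    return idx & array_index_mask_nospec(idx, len);
}

/* Hardened form: same API and same architectural result, but the index fed
 * to the load is forced to 0 even during misprediction, so the speculative
 * load cannot reach memory beyond the table. */
uint8_t lookup_hardened(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[index_nospec(idx, TABLE_LEN)];
    return 0;
}
```

The two lookups return identical values for every input; the difference is only in what the CPU may touch speculatively, which is why such changes need to be applied gadget by gadget in the daemons rather than detected by tests of functional behaviour.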
Name: Daniel Gruss
Red Hat Product Security has rated this update as having a security impact of Moderate. All Red Hat products are being evaluated for impact and Red Hat will work with the Linux community to analyze and correct any issues found. Red Hat is currently evaluating the impact of this security flaw on userspace packages, especially the network daemons and remotely accessible technologies like SSH. Successful exploitation of this flaw requires the attacker to have advanced knowledge of the software versions used on the system. For additional information about this flaw, including possible mitigations, please refer to: https://access.redhat.com/solutions/3545361
The following mitigations can be used to lower the impact/scope of this flaw for userspace applications:
1. Allow only trusted users/IP addresses to access remotely accessible services like SSH, LDAP, SNMP, etc.
2. Since the attack involves sending a large number of packets to a particular service running on a port, firewalls and some services can be configured to limit the amount of traffic per source IP address.
3. Also, actively monitor for excessive traffic from a particular IP address, especially within a short time interval. Certain IDS devices/software can do that and block the source of these packets.