Bug 1597992 (netspectre) - kernel: NetSpectre - observing speculative execution gadgets across network via statistical analysis.
Summary: kernel: NetSpectre - observing speculative execution gadgets across network v...
Keywords:
Status: CLOSED NOTABUG
Alias: netspectre
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1597990
TreeView+ depends on / blocked
 
Reported: 2018-07-04 06:00 UTC by Wade Mealing
Modified: 2019-09-29 14:43 UTC (History)
37 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in how CPU's execution mechanisms which allowed local memory to be inferred by measurement and statistical analysis across a network.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:31:52 UTC


Attachments (Terms of Use)

Description Wade Mealing 2018-07-04 06:00:45 UTC
“NetSpectre: Read Arbitrary Memory over Network” is the first concept of the spectre variant 1 abusing speculative execution across a network.  It allows a remote attacker to abuse spectre “gadgets” available in the code path accessible in the operating systems network stack.  The attacker sends a series of crafted requests to the target system and measures the response time to leak a secret value from the victim’s memory.  The response time of these attacks allow an attacker to deduce a secret value from the victims memory.

This attack requires two gadgets to be available to the attacker, either in user space or kernel space.  

These gadgets are:

Leak gadget - accesses a stream at an attacker controlled location.

Transmit gadget - performs an arbitrary operation where the results depend on the microarchitectural state modified by the leak gadget.

The leak gadget is triggered to create a condition where the speculative execution event happens, and the transmit gadgets response 
time is measured over many queries to statistically determine the contents of memory at that location.

The initial fixes of Spectre v1 ( https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5753 ) has hardened the kernel from the 
Leak gadget", however userspace can continue to be attacked as it has yet to be hardened.

Approaches on solving this in userspace plan to be documented in this bugzilla.


Red Hat is planning to focus on the userspace networking daemons hardening and will link improvements in this flaw.


Additional information:

https://access.redhat.com/solutions/3545361

http://misc0110.net/web/files/netspectre.pdf

Comment 1 Wade Mealing 2018-07-19 03:32:58 UTC
Acknowledgments:

Name: Daniel Gruss

Comment 6 Huzaifa S. Sidhpurwala 2018-07-27 03:24:48 UTC
Statement:

Red Hat Product Security has rated this update as having a security impact of Moderate. All Red Hat products are being evaluated for impact and Red Hat will work with the Linux community to analyze and correct any issues found.  Red Hat is currently evaluating the impact of this security flaw on userspace packages, especially the network daemons and remotely accessible technologies like SSH. Successful exploitation of this flaw needs the attacker to have advanced knowledge of the software versions used on the system. For additional information about this flaw including possible mitigations please refer to: https://access.redhat.com/solutions/3545361

Comment 7 Eric Christensen 2018-07-27 14:29:59 UTC
Mitigation:

The following mitigation can be used to lower the impact/scope of this flaw for userspace applications:

1. Allow only trusted users/ip addresses to access remotely accessible services like SSH, LDAP, SNMP etc.

2. Since the attack involves sending large number of packets to a particular service running on a port, firewalls and some services could be configured to limit the amount of traffic per source IP address.

3. Also actively monitor excessive traffic from a particular IP address, especially in a short time interval. Certain IDS devices/software can do that and block the source of these packets.


Note You need to log in before you can comment on or make changes to this bug.