"Thunderclap vulnerabilities are security flaws that affect the way modern computers interact with peripheral devices such as network cards, storage, and graphics cards. These vulnerabilities allow an attacker with physical access to a Thunderbolt port to compromise a target machine in a matter of seconds, running arbitrary code at the highest privilege level and potentially gaining access to passwords, banking logins, encryption keys, private files, browsing and other data. Attacks exploiting these vulnerabilities can also be carried out by seemingly innocuous peripherals like chargers and projectors that correctly charge or project video but simultaneously compromise the host machine".

- From https://thunderclap.io/

Recently, Intel have contributed patches to version 5.0 of the Linux kernel (shortly to be released) that enable the IOMMU for Thunderbolt and prevent the protection-bypass vulnerability that uses the ATS feature of PCI Express.

No CVEs have been assigned to this issue at this time.

Related links:
http://thunderclap.io/
https://github.com/torvalds/linux/commit/d8b8591054575f33237556c32762d54e30774d28
https://github.com/torvalds/linux/commit/fb58fdcd295b914ece1d829b24df00a17a9624bc
Mitigation:

Disabling hardware ports affected by this flaw in system BIOS or firmware will prevent access. However, this may be too strict in some cases. Some level of mitigation can be achieved by configuring USBGuard to block untrusted devices. USBGuard is available for Red Hat Enterprise Linux 7.3 and later, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using-usbguard for details.
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1692237]
These patches are included in the 5.0.7 stable updates for Fedora.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1959 https://access.redhat.com/errata/RHSA-2019:1959
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1971 https://access.redhat.com/errata/RHSA-2019:1971
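
Added example (not part of the original bug report or of the kernel patches): a shell check an administrator could run after updating, to see whether each Thunderbolt domain is covered by the IOMMU protection described in the bug description. It assumes the kernel's Thunderbolt driver exposes the `security` and `iommu_dma_protection` attributes under `/sys/bus/thunderbolt/devices/domainN`; the function name `tb_dma_audit` and its optional sysfs-root argument are hypothetical.

```shell
#!/bin/sh
# Added example: audit Thunderbolt DMA protection state from sysfs.
#
# tb_dma_audit [sysfs_root]
#   sysfs_root defaults to /sys; passing another path is a hypothetical
#   convenience so the check can be run against a constructed tree.
# Prints one line per Thunderbolt domain and returns:
#   0  every domain reports IOMMU DMA protection (or no domains exist)
#   1  at least one domain is not protected, or the IOMMU looks disabled
tb_dma_audit() {
    root="${1:-/sys}"
    rc=0
    found=0
    for dom in "$root"/bus/thunderbolt/devices/domain*; do
        # An unmatched glob stays literal; skip anything that is not a directory.
        [ -d "$dom" ] || continue
        found=1
        name=$(basename "$dom")
        # Firmware security level of the domain (e.g. none, user, secure).
        sec=$(cat "$dom/security" 2>/dev/null || echo unknown)
        # "1" means the IOMMU is used for DMA protection on this domain;
        # the attribute is absent on kernels that predate it.
        prot=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo missing)
        if [ "$prot" = "1" ]; then
            echo "OK   $name security=$sec iommu_dma_protection=1"
        else
            echo "WARN $name security=$sec iommu_dma_protection=$prot"
            rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "INFO no Thunderbolt domains under $root"
    elif [ -z "$(ls -A "$root/kernel/iommu_groups" 2>/dev/null)" ]; then
        # Domains exist but no IOMMU groups are registered at all.
        echo "WARN no IOMMU groups found: IOMMU appears to be disabled"
        rc=1
    fi
    return "$rc"
}
```

Source the file and run `tb_dma_audit` on the host; a non-zero exit status means at least one Thunderbolt domain is not reported as IOMMU-protected.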