Memory corruption vulnerability in the Linux kernel component / Exposing a new security vulnerability to Intel processors

Cybersecurity researchers have identified three dangerous vulnerabilities in part of the systemd system service, which is one of the core components of the Linux operating system. This service is responsible for managing system processes after the boot stage. The reported vulnerability in the journald service, which collects and stores event log data, can, on successful exploitation, expose critical system information and give the attacker root-level access on the target machine. No patches for this vulnerability have been provided so far.

According to Qualys, a company active in the field of cybersecurity, two memory corruption vulnerabilities were identified: the first, CVE-2018-16864, is a stack buffer overflow, and the second, CVE-2018-16865, is a memory allocation flaw. The company also found an out-of-bounds error vulnerability, CVE-2018-16866, in the Linux kernel.

Qualys further announced that it successfully exploited the second and third vulnerabilities to obtain a local root shell on x86 and x64 machines. The exploit is faster on a 32-bit machine, taking about ten minutes, while on a 64-bit machine it takes about seventy minutes. Qualys also said it will soon release a PoC for these vulnerabilities, but will not give further details on how they are exploited.

According to available information, the systemd service is vulnerable on all Linux distributions, but SUSE Linux Enterprise 15, openSUSE Leap 15 and Fedora 28 and 29 cannot be exploited, because their user space is compiled with GCC using the -fstack-clash-protection memory-protection option.

All three published vulnerabilities can be exploited without user interaction; one can be exploited locally and the others over the network. The vulnerabilities have been exploitable since systemd versions v201 and v230. It is worth noting that only CVE-2018-16866, an information leak, has been fixed, in the systemd v240-1 update.

Red Hat also rated these vulnerabilities as Important, with scores of 7.4 and 7.5, and rated the OOB vulnerability as Moderate with a score of 4.3. Red Hat Enterprise Linux 7 is affected by all three vulnerabilities, while Red Hat Virtualization 4 has only the two memory corruption vulnerabilities and not the OOB vulnerability.

Exposing a new security vulnerability to Intel processors


Researchers have discovered new security vulnerabilities in Intel processors, known as MDS vulnerabilities, all based on speculative execution, similar to the mechanism behind the Spectre and Meltdown vulnerabilities. In January 2018, researchers disclosed a series of vulnerabilities related to how modern processors perform speculative execution. Part of the importance of Spectre and Meltdown was that Spectre covered a whole class of attacks that work in the same way, and Intel spent much of 2018 dealing with them. Nearly a year and a half later, researchers are still investigating similar issues. Several new vulnerabilities have been discovered, and the researchers have given them names: ZombieLoad, RIDL and Fallout. Intel calls this class of vulnerability MDS, short for "Microarchitectural Data Sampling".

Rogue In-flight Data Load (RIDL) was discovered by Vrije Universiteit Amsterdam and the Helmholtz Center for Information Security. Fallout was found by a group of experts from Graz University of Technology, the Catholic University of Leuven (KU Leuven), the University of Michigan and Worcester Polytechnic Institute. Finally, ZombieLoad is the result of research at the universities of Graz, Worcester and KU Leuven.

Attackers using MDS cannot directly control the data stored in the buffer they target.

A quick look at these vulnerabilities shows that all of them, including Spectre and Meltdown, relate to how processors (all of them, or only Intel's) behave when performing speculative execution; the MDS vulnerabilities, however, are relevant only to Intel processors. The root cause is the difference between a processor's architecture (the documented, written specification of how it works) and its microarchitecture (how it actually behaves at runtime). Speculative execution does exactly what its name implies: instead of waiting to learn whether subsequent operations are needed, the processor guesses ahead of time and performs them, keeping the results if they turn out to be needed. Architecturally, all operations execute in sequence, and the only data the processor stores is the data required to execute those operations. At the microarchitectural level, however, it is possible to find clever clues to where data is stored on the chip. This is done using differences in the time it takes to access information. Measuring these differences lets attackers extract the values stored in the cache or buffers on the chip. Typically, attacks similar to Spectre focused on data leaked from the cache; MDS instead targets the small internal buffers that the chip uses to move data around internally.

How important are new security defects?


The debate about how serious and dangerous these vulnerabilities are has not yet ended, but some of it has already reached publication. Some of you may remember last year's news that a security research company called CTS-Labs, in collaboration with a short-selling firm, made an apparent attempt to attack AMD's stock price with a series of seemingly important security flaws, saying that these disclosures could endanger lives. However, none of the outcomes that Viceroy Research predicted from those vulnerabilities led to a sharp decline in AMD's stock value. As was said at the time, regardless of who is behind such campaigns and with what motive, such disclosures are highly misleading, padding exaggerated marketing claims with the aim of making things look worse than they really are. Intel's current situation has not worsened AMD's position over the past year, but it is likely to upset the same trend.

The researchers published their findings on a website called "CPU.fail", which, judging by its design and the questions and answers it poses, appears more intended to scare than to inform. For example, to the question of whether these flaws have already been used for large-scale malicious purposes, the site operators answer very briefly: "We do not know." But the fact is that asking about the significance of these vulnerabilities is a smart question. Apart from a few proof-of-concept examples carried out by researchers, no real-world attacks using Spectre and Meltdown have been reported. Also, using MDS is much more complicated than the website suggests. Attackers cannot directly control the data stored in the buffer they target; that is, they may only obtain stale data that is of no use to them.

Microcode updates for systems with Sandy Lake or Kaby Lake processors are now being sent to customers. Coffee Lake and Whiskey Lake processors are currently considered safe against the attack. The performance impact of the software fixes is estimated at around 3%.


Updating is one of the best ways to stay safe from these threats

In an official statement, Intel says:

At the moment, many 8th and 9th generation Intel® Core™ processors and second-generation Xeon Scalable processors have the MDS issue on their agenda. For other vulnerabilities, we also attempt to reduce the exposure of systems through microcode updates, along with other related updates and hypervisor software that are available to users today. We have put more information on our site and we continue to ask everyone to keep their systems up to date, because updating is one of the best ways to stay safe. We appreciate all the researchers who have collaborated with us and all our industry partners for the role they played in disclosing these issues.

Opinions differ about the risk of the newly discovered vulnerabilities. Wired takes a warning tone and believes that these vulnerabilities will allow attackers to obtain almost every bit of raw data a victim's processor receives. The site says the researchers' comments on the key points of these vulnerabilities are correct. Intel believes that, given their complex implementation, the absence of reports of large-scale malicious attacks, and the fact that microcode updates and hardware-fixed processors are already available on the market, these vulnerabilities are of medium to low risk.

According to PCMag:

The MDS vulnerabilities disclosed today are, for now, more of a scientific matter. So far there have been no public reports of real-world attacks involving these vulnerabilities. Perhaps an important reason is that attackers can easily use traditional malware to steal data from a computer rather than having to deal with Intel processors.

How the attacks work

Both variants of the vulnerability gain access to the victim machine using what is known as a side-channel attack. These attacks infer information about a system's inner workings by observing patterns in seemingly innocuous information, for example how long it takes the processor to access the machine's memory. This can be used to gain access to the inner workings of the machine.

The attack then confuses the system's processor by exploiting a feature called speculative execution. Used in all modern CPUs, speculative execution speeds up processing by letting the processor essentially guess what it will be asked to do next and plan accordingly.

The attack feeds in false information that leads speculative execution into a series of wrong guesses. Like a driver following a faulty GPS, the processor becomes hopelessly lost. This confusion is then exploited to make the victim machine leak sensitive information. In some cases, it can even alter information on the victim machine.

While these vulnerabilities were caught before causing major damage, they expose the fragility of secure enclaves and virtualization technologies, says Ofir Weisse, the graduate student research assistant involved in the work. He believes that the key to keeping technologies secure lies in making designs open and accessible to researchers so that they can identify and repair vulnerabilities quickly.

Foreshadow is detailed in a paper titled "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution."

The fact that not all users update their operating systems or hardware is proof of the inadequacy of these solutions. But such security issues have existed since the beginnings of personal computing.

Part of the difficulty in deciding whether, and to what extent, these vulnerabilities are important and dangerous is that users still do not know which expert to take seriously. For example, last year Theo de Raadt, a Canadian software engineer, decided to change the default behavior of the FreeBSD operating system and disable the Hyper-Threading option because he considered it an important security risk. But the designers of other operating systems did not find it practical to do the same. Is Hyper-Threading a potential security risk? The answer is yes. Is the risk great enough that users should disable Hyper-Threading today? Experts disagree on this.

The logical answer to this question is "it depends", not because no one can make a decisive judgment, but because the appropriate security practice in each situation depends on the threat and on the cost of fixing it. How seriously should users take these threats? The answer is: update your systems to the point that you are satisfied. After all, the real-world consequences of these threats are not yet clear to anyone.
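The practical advice in both halves of this article comes down to patching: systemd at or past the v240 release the article names, a microcode update for MDS, and a decision about Hyper-Threading. The script below is an added example, not code from the article or from Qualys, Intel or the researchers; it reads the systemd version and the two kernel sysfs files that Linux exports for the MDS mitigation and SMT state (assumed paths /sys/devices/system/cpu/vulnerabilities/mds and /sys/devices/system/cpu/smt/control), and the helper functions take their input as strings so they can be checked against constructed samples without root.

```shell
#!/bin/sh
# Added posture check (not from the article). Assumptions: the fixed systemd
# version is the v240 the article cites for CVE-2018-16866 (adjust to your
# distribution's advisory), and the sysfs paths below are the standard ones.

# Major version from `systemctl --version` output,
# e.g. "systemd 239 (239-7.el8)" -> 239.
systemd_major() {
    printf '%s\n' "$1" | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# True (exit 0) when the version is at or past the release the article names as fixed.
systemd_journald_fixed() {
    v=$(systemd_major "$1")
    [ -n "$v" ] && [ "$v" -ge 240 ]
}

# Classify the single line the kernel writes to .../vulnerabilities/mds.
# Real formats include "Not affected", "Vulnerable",
# "Mitigation: Clear CPU buffers; SMT vulnerable" and
# "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable".
mds_state() {
    case "$1" in
        "Not affected"*)                    echo not-affected ;;
        "Mitigation:"*"SMT vulnerable"*)    echo mitigated-smt-on ;;
        "Mitigation:"*)                     echo mitigated ;;
        *"no microcode"*)                   echo needs-microcode ;;
        *)                                  echo vulnerable ;;
    esac
}

# Live report when run on a Linux host; silently skips what is unavailable.
report() {
    if command -v systemctl >/dev/null 2>&1; then
        sv=$(systemctl --version 2>/dev/null | head -n 1)
        if systemd_journald_fixed "$sv"; then
            echo "systemd: $sv (at or past the fixed release)"
        else
            echo "systemd: $sv (update to >= 240)"
        fi
    fi
    f=/sys/devices/system/cpu/vulnerabilities/mds
    [ -r "$f" ] && echo "mds: $(mds_state "$(cat "$f")") [$(cat "$f")]"
    s=/sys/devices/system/cpu/smt/control
    [ -r "$s" ] && echo "smt: $(cat "$s")"   # on/off/forceoff/notsupported
    return 0
}

report
```

The "mitigated-smt-on" state is the one the Hyper-Threading discussion above is about: the microcode mitigation is active but the kernel still reports SMT as vulnerable.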

To date, there has been no widespread Spectre or Meltdown attack involving Intel processors (or any other processor) of any generation. That does not mean such a thing will never happen in the future, and, of course, it does not absolve Intel of its responsibility to secure its products. But it is also not to say that invisible hackers are now emptying your pockets through hardware attacks you know nothing about. Not every security vulnerability necessarily ends in an attack, at least not so far.
