看板NetSecurity
标 题【TWCERT/CC安全通报】TW-CA-2005-063-[FreeBSD-SA-05:09.htt: information
发信站KKCITY (Mon Jun 27 14:15:48 2005)
转信站ptt!ctu-reader!ctu-peer!news.nctu!nctumenews!news.ind.ntou!news.ntu!bb
※ 本文转录自 [Lan] 信箱
作者:
[email protected] (TWCERT/CC Fellows)
标题: 【TWCERT/CC安全通报】 TW-CA-2005-063-[FreeBSD-
时间: Mon May 30 13:26:37 2005
-----BEGIN PGP SIGNED MESSAGE-----
TW-CA-2005-063-[FreeBSD-SA-05:09.htt: information disclosure when using HTT]
────────────────────────────────────────
TWCERT/CC发布日期:2005-05-30
原漏洞发布日期:2005-05-13
原漏洞最新更新日期:2005-05-13
通用安全漏洞编号:
分类:Gain Privilege
来源参考:FreeBSD-SA-05:09.htt
──── 简述 ─────────────────────────────────
同步多执行绪(simultaneous multithreading) 指的是许多执行绪共享一个超纯量处理器
运算资源。超执行绪技术(Hyper-Threading Technology) 或 HTT 是在 Intel Pentium4,
Mobile Pentium 4,和 Xeon 处理器实作同步多执行绪的名称。
HTT 包含在不同执行绪分享特定 CPU 资源,包含记忆体快取。
FreeBSD 透过配合 SMP 选项编译核心来支援 HTT。
──── 说明 ─────────────────────────────────
当在支援超执行绪技术的处理器上,恶意的执行绪可以监看其他执行绪的运作。
注意: 相同的问题可能也会存在其他同步多执行绪实作上,或甚至在缺乏同步多执行绪的
系统。然而目前研究只专注在超执行绪技术的问题上,其使用分享记忆体快取。
──── 影响平台 ───────────────────────────────
受影响平台: 所有 FreeBSD/i386 与 FreeBSD/amd64 发行版本
已修正平台: 2005-05-13 00:13:00 UTC (RELENG_5, 5.4-STABLE)
2005-05-13 00:13:00 UTC (RELENG_5_4, 5.4-RELEASE-p1)
2005-05-13 00:13:00 UTC (RELENG_5_3, 5.3-RELEASE-p15)
2005-05-13 00:13:00 UTC (RELENG_4, 4.11-STABLE)
2005-05-13 00:13:00 UTC (RELENG_4_11, 4.11-RELEASE-p9)
2005-05-13 00:13:00 UTC (RELENG_4_10, 4.10-RELEASE-p14)
CVE 名称: CAN-2005-0109
──── 修正方式 ───────────────────────────────
若处理器支援超执行绪技术,则关闭此功能
注意: 预期未来的加密函式库及作业系统排程可为大部份的使用者解决这个问题,而不是
必须关闭超执行绪技术。未来的安全通报会强调个别案例。
执行下列步骤:
1)将有弱点的系统升级至 4-STABLE, 5-STABLE, RELENG_5_4, RELENG_5_3, RELENG_4_11,
或 RELENG_4_10
2)修正您的系统
下列的修正步骤适合 FreeBSD 4.10, 4.11, 5.3 及 5.4。
a)从下列位址下载目前的更新档
[FreeBSD 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch.asc
[FreeBSD 4.11]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch.asc
[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch.asc
b) 执行更新
# cd /usr/src
# patch < /path/to/patch
c) 重新编译核心
请参阅
http://www.freebsd.org/handbook/kernelconfig.html 并重新启动系统。
注意: 对於确知不会受到这个弱点影响使用者的环境,例如单一使用者系统,超执行绪技
术可藉由设定 "machdep.hyperthreading_allowed" 重新启动。
──── 影响结果 ───────────────────────────────
资讯可能泄漏给本地使用者,在很多情况下会导致权限提升。例如在多使用者系统,可能
导致使用在 OpenSSH 或 SSL 网页伺服器的加密钥匙遭窃。
──── 联络TWCERT/CC ─────────────────────────────
Tel: 886-7-5250211 FAX: 886-7-5250212
886-2-23563303 886-2-23924082
Email:
[email protected]
URL:
http://www.cert.org.tw/
PGP key:
http://www.cert.org.tw/eng/pgp.htm
────────────────────────────────────────
附件:[information disclosure when using HTT]
──── 原文 ─────────────────────────────────
=============================================================================
FreeBSD-SA-05:09.htt Security Advisory
The FreeBSD Project
Topic: information disclosure when using HTT
Category: core
Module: sys
Announced: 2005-05-13
Revised: 2005-05-13
Credits: Colin Percival
Affects: All FreeBSD/i386 and FreeBSD/amd64 releases.
Corrected: 2005-05-13 00:13:00 UTC (RELENG_5, 5.4-STABLE)
2005-05-13 00:13:00 UTC (RELENG_5_4, 5.4-RELEASE-p1)
2005-05-13 00:13:00 UTC (RELENG_5_3, 5.3-RELEASE-p15)
2005-05-13 00:13:00 UTC (RELENG_4, 4.11-STABLE)
2005-05-13 00:13:00 UTC (RELENG_4_11, 4.11-RELEASE-p9)
2005-05-13 00:13:00 UTC (RELENG_4_10, 4.10-RELEASE-p14)
CVE Name: CAN-2005-0109
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:
http://www.freebsd.org/security/>.
0. Revision History
v1.0 2005-05-13 Initial release.
v1.1 2005-05-13 Additional details.
I. Background
Sharing the execution resources of a superscalar processor between
multiple execution threads is referred to as "simultaneous
multithreading". "Hyper-Threading Technology" or HTT is the name used
for the implementation of simultaneous multithreading on Intel Pentium
4, Mobile Pentium 4, and Xeon processors. HTT involves sharing
certain CPU resources between multiple threads, including memory
caches. FreeBSD supports HTT when using a kernel compiled with
the SMP option.
II. Problem Description
When running on processors supporting Hyper-Threading Technology, it is
possible for a malicious thread to monitor the execution of another
thread.
NOTE: Similar problems may exist in other simultaneous multithreading
implementations, or even some systems in the absence of simultaneous
multithreading. However, current research has only demonstrated this
flaw in Hyper-Threading Technology, where shared memory caches are used.
III. Impact
Information may be disclosed to local users, allowing in many cases for
privilege escalation. For example, on a multi-user system, it may be
possible to steal cryptographic keys used in applications such as OpenSSH
or SSL-enabled web servers.
IV. Workaround
Systems not using processors with Hyper-Threading Technology support are
not affected by this issue. On systems which are affected, the security
flaw can be eliminated by setting the "machdep.hlt_logical_cpus" tunable:
# echo "machdep.hlt_logical_cpus=1" >> /boot/loader.conf
The system must be rebooted in order for tunables to take effect.
Use of this workaround is not recommended on "dual-core" systems, as
this workaround will also disable one of the processor cores.
V. Solution
Disable Hyper-Threading Technology on processors that support it.
NOTE: It is expected that future work in cryptographic libraries and
operating system schedulers may remedy this problem for many or most
users, without necessitating the disabling of Hyper-Threading
Technology. Future advisories will address individual cases.
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, and 5.4 systems.
a) Download the relevant patch from the location below and verify the
detached PGP signature using your PGP utility.
[FreeBSD 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch.asc
[FreeBSD 4.11]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch.asc
[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
NOTE: For users that are certain that their environment is not affected
by this vulnerability, such as single-user systems, Hyper-Threading
Technology may be re-enabled by setting the tunable
"machdep.hyperthreading_allowed".
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch Revision
Path
- - -------------------------------------------------------------------------
RELENG_4
src/sys/i386/i386/mp_machdep.c 1.115.2.23
src/sys/i386/include/cpufunc.h 1.96.2.4
RELENG_4_11
src/UPDATING 1.73.2.91.2.10
src/sys/conf/newvers.sh 1.44.2.39.2.13
src/sys/i386/i386/mp_machdep.c 1.115.2.22.2.1
src/sys/i386/include/cpufunc.h 1.96.2.3.12.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.15
src/sys/conf/newvers.sh 1.44.2.34.2.16
src/sys/i386/i386/mp_machdep.c 1.115.2.20.2.1
src/sys/i386/include/cpufunc.h 1.96.2.3.10.1
RELENG_5
src/sys/amd64/amd64/mp_machdep.c 1.242.2.11
src/sys/amd64/include/cpufunc.h 1.145.2.1
src/sys/i386/i386/mp_machdep.c 1.235.2.10
src/sys/i386/include/cpufunc.h 1.142.2.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.10
src/sys/amd64/amd64/mp_machdep.c 1.242.2.7.2.4
src/sys/amd64/include/cpufunc.h 1.145.6.1
src/sys/conf/newvers.sh 1.62.2.18.2.6
src/sys/i386/i386/mp_machdep.c 1.235.2.6.2.3
src/sys/i386/include/cpufunc.h 1.142.6.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.18
src/sys/amd64/amd64/mp_machdep.c 1.242.2.2.2.2
src/sys/amd64/include/cpufunc.h 1.145.4.1
src/sys/conf/newvers.sh 1.62.2.15.2.20
src/sys/i386/i386/mp_machdep.c 1.235.2.3.2.2
src/sys/i386/include/cpufunc.h 1.142.4.1
- - -------------------------------------------------------------------------
VII. References
http://www.daemonology.net/hyperthreading-considered-harmful/
The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:09.htt.asc
────────────────────────────────────────
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <
http://www.pgp.com>
iQEVAwUBQpqjS6cyQYefg2/NAQFNTggAyD1h21MhW4li97tXhTyyiLISIx7QG+kF
u+BPvSz4v+ELpS/i7smPFXz4LkwAGGX1pkk7ad42zE0Wb5KgMBUJ336eGlo0ftSi
wCGi4S5wUxUk0WpssfRZ6+S3H/l1xZwrFdatczLwdu8eZkzZfhloXrSZxTQRPPTH
XkrrF7NoCIsUfaKGqLUqmGFxHJpNcd+X5amPkY7AXNt58YL5UebvWith8krNCMgc
TlFm3DhO5B386l5U7TImY0sWyeFqvkmq95DHjQK3MnraobvtQD9KsTKBQaWZRrcn
KK0OhdfMSSvap8ZzFpnX22EvMxnGleAxfx8u+6mASdzm+xUQCBkLaQ==
=jLe0
-----END PGP SIGNATURE-----
--
Taiwan Computer Emergency Response Team Security Advisory mailing list.
Mail to :
[email protected] and include a line "subscribe advisory".
Please visit
http://www.cert.org.tw/.
PGP key :
http://www.cert.org.tw/eng/pgp.htm