New microprocessor speculative execution / transient execution / side channel attacks.

Solution In Progress

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 7 for ARM64

Issue

Red Hat has been made aware of the research paper (titled A Systematic Evaluation of Transient Execution Attacks and Defenses) that has continued analysis of Spectre and Meltdown flaw types in modern CPU architecture. Red Hat is actively investigating the issues that are raised in this paper.

Updates will be posted to this document and in the relevant Red Hat CVE pages as these flaws are allocated CVE numbers.

Meltdown
Previous Meltdown variants have been reclassified as: Meltdown-US (Meltdown), Meltdown-P (Foreshadow), Meltdown-GP (Variant 3a), Meltdown-NM (Lazy FP), and Meltdown-RW (Variant 1.2).

The two new Meltdown attack vectors are known as: Meltdown-PK and Meltdown-BR.

Meltdown BR

The Meltdown-BR attack is based on abuse of the "bound" instruction.

The research paper states that it does not cross privilege boundaries and can be used to obtain memory information from 'like privileged' applications.

Meltdown PK

The Meltdown-PK attack abuses Intel-specific MPX instructions that are only available on Intel processors. It does not affect AMD or ARM processors, as they do not implement the relevant instructions.

The research paper states that it does not cross privilege boundaries and can be used to obtain memory information from 'like privileged' applications.

These two new attack vectors are of lesser concern than the previous Meltdown-style attacks featured earlier this year.

Spectre
Previous Spectre variants have been reclassified as: Spectre-PHT (Bounds Check Bypass) and Spectre-BTB (Branch Target Injection).

The paper outlines five Spectre branch prediction mistraining techniques that can be used to trigger previous Spectre exploit conditions.

At this time no public reproducer has been made available and no reports of these new flaws have been found 'in the wild'.
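The Meltdown and Spectre sections above describe attack classes rather than a specific fix, so the practical question for an administrator is what the kernel and CPU on a given host report. The script below is an added example, not part of this Red Hat solution: it reads the kernel's per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities (meltdown, spectre_v1, spectre_v2, l1tf, which exist on kernels carrying the Spectre/Meltdown fixes) and checks whether the CPU advertises the mpx feature flag in /proc/cpuinfo, since the Meltdown-PK and Meltdown-BR vectors as described here depend on MPX/bound-check instructions. The function names, the RUN_LIVE environment variable and the file-path parameters are this example's own conventions; the optional path arguments exist so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): summarise what the kernel and
# CPU report about transient-execution exposure on a Linux host.
# Assumptions: the sysfs layout /sys/devices/system/cpu/vulnerabilities/<name>
# and the "flags" line of /proc/cpuinfo, both standard on fixed RHEL 7 kernels.

# cpu_has_flag FLAG [CPUINFO_FILE]
# Returns 0 if the first "flags" line of the cpuinfo file lists FLAG
# (for example "mpx"), 1 otherwise. Defaults to the live /proc/cpuinfo.
cpu_has_flag() {
    flag="$1"
    file="${2:-/proc/cpuinfo}"
    grep -m1 '^flags' "$file" | tr ' ' '\n' | grep -qx "$flag"
}

# vuln_status NAME [VULN_DIR]
# Prints the kernel's one-line status for a vulnerability file (e.g.
# "Mitigation: PTI" or "Vulnerable"), or "unknown" when the running kernel
# does not expose that file at all (older kernels without the sysfs entries).
vuln_status() {
    name="$1"
    dir="${2:-/sys/devices/system/cpu/vulnerabilities}"
    if [ -r "$dir/$name" ]; then
        cat "$dir/$name"
    else
        echo "unknown"
    fi
}

# report [CPUINFO_FILE] [VULN_DIR]
# Human-readable summary of the kernel-reported status plus the MPX flag.
report() {
    cpuinfo="${1:-/proc/cpuinfo}"
    vulndir="${2:-/sys/devices/system/cpu/vulnerabilities}"
    for v in meltdown spectre_v1 spectre_v2 l1tf; do
        printf '%-11s %s\n' "$v:" "$(vuln_status "$v" "$vulndir")"
    done
    if cpu_has_flag mpx "$cpuinfo"; then
        echo "mpx:        CPU advertises the MPX feature flag"
    else
        echo "mpx:        not advertised by this CPU"
    fi
}

# Run against the live host only when explicitly requested:
#   RUN_LIVE=1 sh transient-check.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    report
fi
```

A status of "unknown" for every entry means the kernel predates the sysfs reporting interface and should be treated as unpatched until confirmed otherwise; "Vulnerable" means the kernel knows about the issue but has no mitigation active for it.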

References:
[1] "A Systematic Evaluation of Transient Execution Attacks and Defenses"
[2] "Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 2B: Instruction Set Reference, M-U"

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
