【TWCERT/CC安全通報】TW-CA-2005-063-[FreeBSD-SA-05:09.htt: infor
※ 本文轉錄自 [Lan] 信箱
作者: twcert@cert.org.tw (TWCERT/CC Fellows)
標題: 【TWCERT/CC安全通報】 TW-CA-2005-063-[FreeBSD-
時間: Mon May 30 13:26:37 2005
-----BEGIN PGP SIGNED MESSAGE-----
TW-CA-2005-063-[FreeBSD-SA-05:09.htt: information disclosure when using HTT]
────────────────────────────────────────
TWCERT/CC發布日期:2005-05-30
原漏洞發布日期:2005-05-13
原漏洞最新更新日期:2005-05-13
通用安全漏洞編號:
分類:Gain Privilege
來源參考:FreeBSD-SA-05:09.htt
──── 簡述 ─────────────────────────────────
同步多執行緒(simultaneous multithreading) 指的是許多執行緒共享一個超純量處理器
運算資源。超執行緒技術(Hyper-Threading Technology) 或 HTT 是在 Intel Pentium4,
Mobile Pentium 4,和 Xeon 處理器實作同步多執行緒的名稱。
HTT 包含在不同執行緒分享特定 CPU 資源,包含記憶體快取。
FreeBSD 透過配合 SMP 選項編譯核心來支援 HTT。
──── 說明 ─────────────────────────────────
當在支援超執行緒技術的處理器上,惡意的執行緒可以監看其他執行緒的運作。
注意: 相同的問題可能也會存在其他同步多執行緒實作上,或甚至在缺乏同步多執行緒的
系統。然而目前研究只專注在超執行緒技術的問題上,其使用分享記憶體快取。
──── 影響平台 ───────────────────────────────
受影響平台: 所有 FreeBSD/i386 與 FreeBSD/amd64 發行版本
已修正平台: 2005-05-13 00:13:00 UTC (RELENG_5, 5.4-STABLE)
2005-05-13 00:13:00 UTC (RELENG_5_4, 5.4-RELEASE-p1)
2005-05-13 00:13:00 UTC (RELENG_5_3, 5.3-RELEASE-p15)
2005-05-13 00:13:00 UTC (RELENG_4, 4.11-STABLE)
2005-05-13 00:13:00 UTC (RELENG_4_11, 4.11-RELEASE-p9)
2005-05-13 00:13:00 UTC (RELENG_4_10, 4.10-RELEASE-p14)
CVE 名稱: CAN-2005-0109
──── 修正方式 ───────────────────────────────
若處理器支援超執行緒技術,則關閉此功能
注意: 預期未來的加密函式庫及作業系統排程可為大部份的使用者解決這個問題,而不是
必須關閉超執行緒技術。未來的安全通報會強調個別案例。
執行下列步驟:
1)將有弱點的系統升級至 4-STABLE, 5-STABLE, RELENG_5_4, RELENG_5_3, RELENG_4_11,
或 RELENG_4_10
2)修正您的系統
下列的修正步驟適合 FreeBSD 4.10, 4.11, 5.3 及 5.4。
a)從下列位址下載目前的更新檔
[FreeBSD 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch.asc
[FreeBSD 4.11]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch.asc
[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch.asc
b) 執行更新
# cd /usr/src
# patch < /path/to/patch
c) 重新編譯核心
請參閱 http://www.freebsd.org/handbook/kernelconfig.html 並重新啟動系統。
注意: 對於確知不會受到這個弱點影響使用者的環境,例如單一使用者系統,超執行緒技
術可藉由設定 "machdep.hyperthreading_allowed" 重新啟動。
──── 影響結果 ───────────────────────────────
資訊可能洩漏給本地使用者,在很多情況下會導致權限提升。例如在多使用者系統,可能
導致使用在 OpenSSH 或 SSL 網頁伺服器的加密鑰匙遭竊。
──── 聯絡TWCERT/CC ─────────────────────────────
Tel: 886-7-5250211 FAX: 886-7-5250212
886-2-23563303 886-2-23924082
Email: twcert@cert.org.tw
URL: http://www.cert.org.tw/
PGP key: http://www.cert.org.tw/eng/pgp.htm
────────────────────────────────────────
附件:[information disclosure when using HTT]
──── 原文 ─────────────────────────────────
=============================================================================
FreeBSD-SA-05:09.htt Security Advisory
The FreeBSD Project
Topic: information disclosure when using HTT
Category: core
Module: sys
Announced: 2005-05-13
Revised: 2005-05-13
Credits: Colin Percival
Affects: All FreeBSD/i386 and FreeBSD/amd64 releases.
Corrected: 2005-05-13 00:13:00 UTC (RELENG_5, 5.4-STABLE)
2005-05-13 00:13:00 UTC (RELENG_5_4, 5.4-RELEASE-p1)
2005-05-13 00:13:00 UTC (RELENG_5_3, 5.3-RELEASE-p15)
2005-05-13 00:13:00 UTC (RELENG_4, 4.11-STABLE)
2005-05-13 00:13:00 UTC (RELENG_4_11, 4.11-RELEASE-p9)
2005-05-13 00:13:00 UTC (RELENG_4_10, 4.10-RELEASE-p14)
CVE Name: CAN-2005-0109
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.
0. Revision History
v1.0 2005-05-13 Initial release.
v1.1 2005-05-13 Additional details.
I. Background
Sharing the execution resources of a superscalar processor between
multiple execution threads is referred to as "simultaneous
multithreading". "Hyper-Threading Technology" or HTT is the name used
for the implementation of simultaneous multithreading on Intel Pentium
4, Mobile Pentium 4, and Xeon processors. HTT involves sharing
certain CPU resources between multiple threads, including memory
caches. FreeBSD supports HTT when using a kernel compiled with
the SMP option.
II. Problem Description
When running on processors supporting Hyper-Threading Technology, it is
possible for a malicious thread to monitor the execution of another
thread.
NOTE: Similar problems may exist in other simultaneous multithreading
implementations, or even some systems in the absence of simultaneous
multithreading. However, current research has only demonstrated this
flaw in Hyper-Threading Technology, where shared memory caches are used.
III. Impact
Information may be disclosed to local users, allowing in many cases for
privilege escalation. For example, on a multi-user system, it may be
possible to steal cryptographic keys used in applications such as OpenSSH
or SSL-enabled web servers.
IV. Workaround
Systems not using processors with Hyper-Threading Technology support are
not affected by this issue. On systems which are affected, the security
flaw can be eliminated by setting the "machdep.hlt_logical_cpus" tunable:
# echo "machdep.hlt_logical_cpus=1" >> /boot/loader.conf
The system must be rebooted in order for tunables to take effect.
Use of this workaround is not recommended on "dual-core" systems, as
this workaround will also disable one of the processor cores.
V. Solution
Disable Hyper-Threading Technology on processors that support it.
NOTE: It is expected that future work in cryptographic libraries and
operating system schedulers may remedy this problem for many or most
users, without necessitating the disabling of Hyper-Threading
Technology. Future advisories will address individual cases.
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, and 5.4 systems.
a) Download the relevant patch from the location below and verify the
detached PGP signature using your PGP utility.
[FreeBSD 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch.asc
[FreeBSD 4.11]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch.asc
[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
NOTE: For users that are certain that their environment is not affected
by this vulnerability, such as single-user systems, Hyper-Threading
Technology may be re-enabled by setting the tunable
"machdep.hyperthreading_allowed".
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch Revision
Path
- - -------------------------------------------------------------------------
RELENG_4
src/sys/i386/i386/mp_machdep.c 1.115.2.23
src/sys/i386/include/cpufunc.h 1.96.2.4
RELENG_4_11
src/UPDATING 1.73.2.91.2.10
src/sys/conf/newvers.sh 1.44.2.39.2.13
src/sys/i386/i386/mp_machdep.c 1.115.2.22.2.1
src/sys/i386/include/cpufunc.h 1.96.2.3.12.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.15
src/sys/conf/newvers.sh 1.44.2.34.2.16
src/sys/i386/i386/mp_machdep.c 1.115.2.20.2.1
src/sys/i386/include/cpufunc.h 1.96.2.3.10.1
RELENG_5
src/sys/amd64/amd64/mp_machdep.c 1.242.2.11
src/sys/amd64/include/cpufunc.h 1.145.2.1
src/sys/i386/i386/mp_machdep.c 1.235.2.10
src/sys/i386/include/cpufunc.h 1.142.2.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.10
src/sys/amd64/amd64/mp_machdep.c 1.242.2.7.2.4
src/sys/amd64/include/cpufunc.h 1.145.6.1
src/sys/conf/newvers.sh 1.62.2.18.2.6
src/sys/i386/i386/mp_machdep.c 1.235.2.6.2.3
src/sys/i386/include/cpufunc.h 1.142.6.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.18
src/sys/amd64/amd64/mp_machdep.c 1.242.2.2.2.2
src/sys/amd64/include/cpufunc.h 1.145.4.1
src/sys/conf/newvers.sh 1.62.2.15.2.20
src/sys/i386/i386/mp_machdep.c 1.235.2.3.2.2
src/sys/i386/include/cpufunc.h 1.142.4.1
- - -------------------------------------------------------------------------
VII. References
http://www.daemonology.net/hyperthreading-considered-harmful/
The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:09.htt.asc
────────────────────────────────────────
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQEVAwUBQpqjS6cyQYefg2/NAQFNTggAyD1h21MhW4li97tXhTyyiLISIx7QG+kF
u+BPvSz4v+ELpS/i7smPFXz4LkwAGGX1pkk7ad42zE0Wb5KgMBUJ336eGlo0ftSi
wCGi4S5wUxUk0WpssfRZ6+S3H/l1xZwrFdatczLwdu8eZkzZfhloXrSZxTQRPPTH
XkrrF7NoCIsUfaKGqLUqmGFxHJpNcd+X5amPkY7AXNt58YL5UebvWith8krNCMgc
TlFm3DhO5B386l5U7TImY0sWyeFqvkmq95DHjQK3MnraobvtQD9KsTKBQaWZRrcn
KK0OhdfMSSvap8ZzFpnX22EvMxnGleAxfx8u+6mASdzm+xUQCBkLaQ==
=jLe0
-----END PGP SIGNATURE-----
--
Taiwan Computer Emergency Response Team Security Advisory mailing list.
Mail to : Majordomo@cert.org.tw and include a line "subscribe advisory".
Please visit http://www.cert.org.tw/.
PGP key : http://www.cert.org.tw/eng/pgp.htm
NetSecurity 近期熱門文章
PTT數位生活區 即時熱門文章
