News aggregator

CVE-2018-1108

National Vulnerability Database - Mon, 05/21/2018 - 17:29
kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
Categories: Security News

CVE-2018-11330

National Vulnerability Database - Mon, 05/21/2018 - 17:29
An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted.
Categories: Security News

CVE-2018-11331

National Vulnerability Database - Mon, 05/21/2018 - 17:29
An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads in missing some applicable ones such as .phtml and .htaccess.
Categories: Security News

Analysis and mitigation of speculative store bypass (CVE-2018-3639)

Security Research & Defense - Mon, 05/21/2018 - 17:17

In January, 2018, Microsoft published an advisory and security updates for a new class of hardware vulnerabilities involving speculative execution side channels (known as Spectre and Meltdown). In this blog post, we will provide a technical analysis of an additional subclass of speculative execution side channel vulnerability known as Speculative Store Bypass (SSB) which has been assigned CVE-2018-3639. SSB was independently discovered by Ken Johnson of the Microsoft Security Response Center (MSRC) and Jann Horn (@tehjh) of Google Project Zero (GPZ).

This post is primarily geared toward security researchers and engineers who are interested in a technical analysis of SSB and the mitigations that are relevant to it. If you are interested in more general guidance, please refer to our advisory for Speculative Store Bypass and our knowledge base articles for Windows Server, Windows Client, and Microsoft cloud services.

Please note that the information in this post is current as of the date of this post.

TL;DR

Before diving into the technical details, below is a brief summary of the CPUs that are affected by SSB, Microsoft’s assessment of the risk, and the mitigations identified to date.

What is affected? AMD, ARM, and Intel CPUs are affected by CVE-2018-3639 to varying degrees. What is the risk? Microsoft currently assesses the risk posed by CVE-2018-3639 to our customers as low. We are not aware of any exploitable instances of this vulnerability class in our software at this time, but we are continuing to investigate and we encourage researchers to find and report any exploitable instances of CVE-2018-3639 as part of our Speculative Execution Side Channel Bounty program. We will adapt our mitigation strategy for CVE-2018-3639 as our understanding of the risk evolves. What is the mitigation? Microsoft has already released mitigations as part of our response to Spectre and Meltdown that are applicable to CVE-2018-3639 in certain scenarios, such as reducing timer precision in Microsoft Edge and Internet Explorer.  Software developers can address individual instances of CVE-2018-3639 if they are discovered by introducing a speculation barrier instruction as described in Microsoft’s C++ developer guidance for speculative execution side channels.

Microsoft is working with CPU manufacturers to assess the availability and readiness of new hardware features that can be used to resolve CVE-2018-3639. In some cases, these features will require a microcode or firmware update to be installed. Microsoft plans to provide a mitigation that leverages the new hardware features in a future Windows update. Speculative Store Bypass (SSB) overview

In our blog post on mitigating speculative execution side channel hardware vulnerabilities, we described three speculation primitives that can be used to create the conditions for a speculative execution side channel. These three primitives provide the fundamental methods for entering speculative execution along a non-architectural path and consist of conditional branch misprediction, indirect branch misprediction, and exception delivery or deferral. Speculative Store Bypass (SSB) belongs to a new category of speculation primitive that we refer to as memory access misprediction.

SSB arises due to a CPU optimization that can allow a potentially dependent load instruction to be speculatively executed ahead of an older store. Specifically, if a load is predicted as not being dependent on a prior store, then the load can be speculatively executed before the store. If the prediction is incorrect, this can result in the load reading stale data and possibly forwarding that data onto other dependent micro-operations during speculation. This can potentially give rise to a speculative execution side channel and the disclosure of sensitive information.

To illustrate how this might occur, it may help to consider the following simple example. In this example, RDI and RSI are assumed to be equal to the same address on the architectural path.

01: 88040F            mov [rdi+rcx],al 02: 4C0FB6040E        movzx r8,byte [rsi+rcx] 03: 49C1E00C          shl r8,byte 0xc 04: 428B0402          mov eax,[rdx+r8]

In this example, the MOV instruction on line 1 may take additional time to execute (e.g. if the computation of the address expression for RDI+RCX is waiting on prior instructions to execute). If this occurs, the CPU may predict that the MOVZX is not dependent on the MOV and may speculatively execute it ahead of the MOV that performs the store. This can result in stale data from the memory located at RSI+RCX being loaded into R8 and fed to a dependent load on line 4. If the byte value in R8 is sensitive, then it may be observed through a side channel by leveraging a cache-based disclosure primitive such as FLUSH+RELOAD (if RDX refers to shared memory) or PRIME+PROBE. The CPU will eventually detect the misprediction and discard that state that was computed, but the data that was accessed during speculation may have created residual side effects in the cache by this point that can then be measured to infer the value that was loaded into R8.

This example is simplified for the purposes of explaining the issue, but it is possible to imagine generalizations of this concept that could occur. For example, it may be possible for similar sequences to exist where SSB could give rise to a speculative out-of-bounds read, type confusion, indirect branch, and so on. We have revised our C++ Developer Guidance for Speculative Execution Side Channels to include additional examples of code patterns and conditions that could give rise to an instance of CVE-2018-3639. In practice, finding an exploitable instance of CVE-2018-3639 will require an attacker to identify an instruction sequence where:

  1. The sequence is reachable across a trust boundary, e.g. an attacker in user mode can trigger the sequence in kernel mode through a system call.
  1. The sequence contains a load instruction that is architecturally dependent on a prior store.
  1. The stale data that is read by the load instruction is sensitive and is used in a way that can create a side channel on the non-architectural path, e.g. the data feeds a disclosure gadget.
  1. The store instruction does not execute before the load and the dependent instructions that compose the disclosure gadget are speculatively executed.

While our research into this new vulnerability class is ongoing, we have not identified instruction sequences that satisfy all of the above criteria and we are currently not aware of any exploitable instances of CVE-2018-3639 in our software.

In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that satisfies the criteria above. However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to reduce the precision of timers to increase the difficulty of successfully creating a side channel.

Mitigations for Speculative Store Bypass (SSB)

There are multiple mitigations that are applicable to SSB. In our previous blog post on mitigating speculative execution side channels, we characterized the software security models that can generally be at risk and the various tactics for mitigating speculative execution side channels. We will reuse the previously established terminology from that post to frame the mitigation options available for SSB.

Relevance to software security models

The following table summarizes the potential relevance of SSB to the various intra-device attack scenarios that software security models are typically concerned with. As with CVE-2017-5753 (Spectre variant 1), SSB is theoretically applicable to each attack scenario as indicated by the orange cells (grey cells indicate not applicable).

Attack Category Attack Scenario Conditional branch misprediction Indirect branch misprediction Exception delivery or deferral CVE-2018-3639 (SSB) Inter-VM Hypervisor-to-guest Host-to-guest Guest-to-guest Intra-OS Kernel-to-user Process-to-process Intra-process Enclave Enclave-to-any Preventing speculation techniques involving SSB

As we’ve noted in the past, one of the best ways to mitigate a vulnerability is by addressing the issue as close to the root cause as possible. In the case of SSB, there are a few techniques that can be used to prevent speculation techniques that rely on SSB as the speculation primitive.

Speculation barrier via serializing instruction

As with CVE-2017-5753 (Spectre variant 1), it is possible to mitigate SSB by using an instruction which is architecturally defined to serialize execution, thus acting as a speculation barrier. In the case of SSB, a serializing instruction (such as an LFENCE on x86/x64 and SSBB on ARM) can be inserted between the store instruction and the load that could be speculatively executed ahead of the store. For example, inserting an LFENCE on line 2 mitigates the simplified example from this post. Additional information can be found in the C++ Developer Guidance for Speculative Execution Side Channels.

01: 88040F            mov [rdi+rcx],al 02: 0FAEE8            lfence 03: 4C0FB6040E        movzx r8,byte [rsi+rcx] 04: 49C1E00C          shl r8,byte 0xc 05: 428B0402          mov eax,[rdx+r8] Speculative store bypass disable (SSBD)

In some cases, CPUs can provide facilities for inhibiting a speculative store bypass from occurring and can therefore offer a categorical mitigation for SSB. AMD, ARM, and Intel have documented new hardware features that can be used by software to accomplish this. Microsoft is working with AMD, ARM, and Intel to assess the availability and readiness of these features. In some cases, these features will require a microcode or firmware update to be installed. Microsoft plans to provide a mitigation that leverages the new hardware features in a future Windows update.

Generally applicable mitigations for SSB

There are a number of previously described mitigations that are also generally applicable to SSB. These include mitigations that involve removing sensitive content from memory or removing observation channels. Generally speaking, the mitigation techniques for these two tactics that are effective against CVE-2017-5753 (Spectre variant 1) are also applicable to SSB.

Applicability of mitigations

The complex nature of these issues makes it difficult to understand the relationship between mitigations, speculation techniques, and the attack scenarios to which they apply. This section provides tables to help describe these relationships. Some of the mitigation techniques mentioned in the tables below are described in our previous blog post on this subject.

The legend for the tables that follow is:

Applicable Not applicable Mitigation relationship to attack scenarios

The following table summarizes the relationship between attack scenarios and applicable mitigations.

Mitigation Tactic Mitigation Name Inter-VM Intra-OS Enclave Prevent speculation techniques Speculation barrier via execution serializing instruction Security domain CPU core isolation Indirect branch speculation barrier on demand and mode change Non-speculated or safely-speculated indirect branches Speculative Store Bypass Disable (SSBD) Remove sensitive content from memory Hypervisor address space segregation Split user and kernel page tables (“KVA Shadow”) Remove observation channels Map guest memory as noncacheable in root extended page tables Do not share physical pages across guests Decrease browser timer precision Mitigation relationship to variants

The following table summarizes the relationship among SSB and the Spectre and Meltdown variants, and applicable mitigations.

Mitigation Tactic Mitigation Name CVE-2017-5753 (variant 1) CVE-2017-5715 (variant 2) CVE-2017-5754 (variant 3) CVE-2018-3639 (SSB) Prevent speculation techniques Speculation barrier via execution serializing instruction Security domain CPU core isolation Indirect branch speculation barrier on demand and mode change Non-speculated or safely-speculated indirect branches Speculative Store Bypass Disable (SSBD) Remove sensitive content from memory Hypervisor address space segregation Split user and kernel page tables (“KVA Shadow”) Remove observation channels Map guest memory as noncacheable in root extended page tables Do not share physical pages across guests Decrease browser timer precision Wrapping up

In this post, we analyzed a new class of speculative execution side channel hardware vulnerabilities known as Speculative Store Bypass (SSB). This analysis provided the basis for evaluating the risk associated with this class of vulnerability and the mitigation options that exist. As we noted in our previous post, research into speculative execution side channels is ongoing and we will continue to evolve our response and mitigations as we learn more. While we currently assess the risk of SSB as low, we encourage researchers to help further our understanding of the true risk and to report any exploitable instances of CVE-2018-3639 that may exist as part of our Speculative Execution Side Channel bounty program.

Matt Miller
Microsoft Security Response Center (MSRC)

Categories: Security News

CVE-2018-7687

National Vulnerability Database - Mon, 05/21/2018 - 16:29
The Micro Focus Client for OES before version 2 SP4 IR8a has a vulnerability that could allow a local attacker to elevate privileges via a buffer overflow in ncfsd.sys.
Categories: Security News

CVE-2018-8010

National Vulnerability Database - Mon, 05/21/2018 - 15:29
This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases both of which address the vulnerability. Once upgrade is complete, no other steps are required. Those releases only allow external entities and Xincludes that refer to local files / zookeeper resources below the Solr instance directory (using Solr's ResourceLoader); usage of absolute URLs is denied. Keep in mind, that external entities and XInclude are explicitly supported to better structure config files in large installations. Before Solr 6 this was no problem, as config files were not accessible through the APIs.
Categories: Security News

CVE-2018-8012

National Vulnerability Database - Mon, 05/21/2018 - 15:29
No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
Categories: Security News

CVE-2018-1067

National Vulnerability Database - Mon, 05/21/2018 - 13:29
In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.
Categories: Security News

Bugtraq: Qualys Security Advisory - Procps-ng Audit Report

SecurityFocus Vulnerabilities - Mon, 05/21/2018 - 12:20
Qualys Security Advisory - Procps-ng Audit Report
Categories: Security News

Bugtraq: [SECURITY] [DSA 4205-1] Advance notification for upcoming end-of-life for

SecurityFocus Vulnerabilities - Mon, 05/21/2018 - 12:20
[SECURITY] [DSA 4205-1] Advance notification for upcoming end-of-life for
Categories: Security News

Bugtraq: [SECURITY] [DSA 4204-1] imagemagick security update

SecurityFocus Vulnerabilities - Mon, 05/21/2018 - 12:20
[SECURITY] [DSA 4204-1] imagemagick security update
Categories: Security News

Bugtraq: [SYSS-2018-007] ILIAS e-Learning - Reflected Cross-Site-Scripting

SecurityFocus Vulnerabilities - Mon, 05/21/2018 - 12:20
[SYSS-2018-007] ILIAS e-Learning - Reflected Cross-Site-Scripting
Categories: Security News

CVE-2018-7268

National Vulnerability Database - Mon, 05/21/2018 - 11:29
MagniComp SysInfo before 10-H81, as shipped with BMC BladeLogic Automation and other products, contains an information exposure vulnerability in which a local unprivileged user is able to read any root (uid 0) owned file on the system, regardless of the file permissions. Confidential information such as password hashes (/etc/shadow) or other secrets (such as log files or private keys) can be leaked to the attacker. The vulnerability has a confidentiality impact, but has no direct impact on system integrity or availability.
Categories: Security News

CVE-2018-11092

National Vulnerability Database - Mon, 05/21/2018 - 10:29
An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action.
Categories: Security News

CVE-2018-11096

National Vulnerability Database - Mon, 05/21/2018 - 10:29
Horse Market Sell & Rent Portal Script 1.5.7 has a CSRF vulnerability through which an attacker can change all of the target's account information remotely.
Categories: Security News

CVE-2018-11320

National Vulnerability Database - Mon, 05/21/2018 - 10:29
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.
Categories: Security News

CVE-2018-8142

National Vulnerability Database - Mon, 05/21/2018 - 09:29
A security feature bypass exists when Windows incorrectly validates kernel driver signatures, aka "Windows Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1035.
Categories: Security News

Vuln: Dell EMC RecoverPoint and RecoverPoint for Virtual Machines Multiple Security Vulnerabilities

SecurityFocus Vulnerabilities - Mon, 05/21/2018 - 00:00
Dell EMC RecoverPoint and RecoverPoint for Virtual Machines Multiple Security Vulnerabilities
Categories: Security News

Vuln: VMware Workstation and Fusion CVE-2018-6963 Multiple Denial of Service Vulnerabilities

SecurityFocus Vulnerabilities - Mon, 05/21/2018 - 00:00
VMware Workstation and Fusion CVE-2018-6963 Multiple Denial of Service Vulnerabilities
Categories: Security News

Vuln: VMware Fusion CVE-2018-6962 Local Security Bypass Vulnerability

SecurityFocus Vulnerabilities - Mon, 05/21/2018 - 00:00
VMware Fusion CVE-2018-6962 Local Security Bypass Vulnerability
Categories: Security News

Pages