Slashdot Mirror

← Back to Stories (view on slashdot.org)

US-CERT Discloses Security Flaw In 64-Bit Intel Chips

Posted by timothy on from the yeah-but-who-uses-those dept.

Fnord666 writes "The U.S. Computer Emergency Readiness Team (US-CERT) has disclosed a flaw in Intel chips that could allow hackers to gain control of Windows and other operating systems, security experts say. The flaw was disclosed the vulnerability in a security advisory released this week. Hackers could exploit the flaw to execute malicious code with kernel privileges, said a report in the Bitdefender blog. 'Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack,' the US-CERT advisory says. 'The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.'" According to the article, exposed OSes include "Windows 7, Windows Server 2008 R2, 64-bit versions of FreeBSD and NetBSD, as well as systems that include the Xen hypervisor."

34 of 181 comments (clear)

  1. WTF is csoonline? by trifish · · Score: 5, Informative

    Proper link that ought to have been in the summary instead of that csoonline link (whatever that is):

    http://www.kb.cert.org/vuls/id/649219

    1. Re:WTF is csoonline? by k(wi)r(kipedia) · · Score: 5, Informative
      Here's another link from Xen.org with a less terse description of the problem:

      So what was the vulnerability? It has to do with a subtle difference in the way in which Intel processors implement error handling in their version of AMD's SYSRET instruction. The SYSRET instruction is part of the x86-64 standard defined by AMD. If an operating system is written according to AMD's spec, but run on Intel hardware, the difference in implementation can be exploited by an attacker to write to arbitrary addresses in the operating system's memory.

      A little note there offers further anecdotal "proof" about the robustness of OpenBSD:

      It seems that 64-bit versions of NetBSD, FreeBSD, and Microsoft Windows 7 were all vulnerable; Apple OSX may be vulnerable as well. OpenBSD and Linux were not vulnerable. Linux actually fixed the bug in 2006, with CVE-2006-0744.

    2. Re:WTF is csoonline? by speps · · Score: 2

      The patch itself : http://marc.info/?l=git-commits-head&m=114223318030280&w=2

    3. Re:WTF is csoonline? by Relayman · · Score: 2

      According to US-CERT, OS X is not affected.

      --
      If I used a sig over again, would anyone notice?
  2. Besides MS and Intel... by Anonymous Coward · · Score: 2, Informative

    "Besides Microsoft and Intel, vendors whose products are affected include Joyent, Citrix, Oracle, Red Hat and SUSE Linux, US-CERT says."

    1. Re:Besides MS and Intel... by metageek · · Score: 5, Informative

      No, in other words buy an AMD rather than an Intel

      --
      metageek
    2. Re:Besides MS and Intel... by drinkypoo · · Score: 5, Informative

      But then I get a slow as crap processor.

      I do not think that word means what you think it means. Dollar for dollar you're getting a lot more flops out of an AMD chip, and by the way, ALL modern processors are goddamned fast by most rational standards. In terms of actually completing computing tasks that users typically perform, even a budget CPU is blinding now. It's HDD speed that holds users back today; "back in the day" that wasn't true, your HDD could feed your system data a lot faster than you could do anything meaningful with it, anything more than shoveling took ages back when we had truly simple four-stage x86s.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Besides MS and Intel... by arth1 · · Score: 5, Interesting

      The CPU's 2.6GHz rating is per second which is actually just 43.33MHz Per Frame

      Hz means "per second". Your first statement is a superfluous pleonasm, while the second doesn't make sense at all.

      Anyhow, these days the internal speed of the CPU isn't as important as the interface to the outside world, including both RAM and bus access speeds.

      In pre-Core days, AMD had an advantage with overclocking/underclocking CPU and RAM in sync, where on Intel chips you had to adjust the multiplier or the externally controlled RAM would get out of sync. These days, Intel over/underclocks well too - although they don't have a "black edition", and only engineering samples (ES) are fully unlocked.

      AMD can still be good value for the money, but I'd personally avoid CPUs with built-in graphics and coprocessors. And what's best for one job might not be so for another job. Buy based on needs, not what gives the most power. Remember that we aren't all driving V12 engines either.

    4. Re:Besides MS and Intel... by The1stImmortal · · Score: 2

      Non-E3 Xeons?

  3. Score one for Vista by Likes+Microsoft · · Score: 4, Funny

    XP, Win7, and Server Core are affected, but somehow, Vista isn't!

    --
    -- Who am I? How did I get here? My God, what have I done?!
    1. Re:Score one for Vista by msauve · · Score: 5, Funny

      There are a couple of people who are going to be relieved!

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:Score one for Vista by anss123 · · Score: 2

      The summary says "some 64-bit operation systems", but MS12-042 mentions 32-bit XP. 64-Bit XP and Vista is apparently not affected.

    3. Re:Score one for Vista by drinkypoo · · Score: 2

      Well, that would really be a relief to me if my 64 bit Vista machine had an intel CPU (it's got a crappy Athlon 64 L110) or if the machine had come with 64 bit Vista, which it didn't even though it has a 64 bit CPU. Thanks, Gateway.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. Re:Why is this tagged linux and redhat by lindi · · Score: 5, Informative

    This was found by Rafal Wojtczuk who is a co-author of Qubes OS that tries to bring strong security to the desktop. http://qubes-os.org/Home.html http://groups.google.com/group/qubes-devel/browse_thread/thread/248a59a1050fe9d4

  5. Does a guest know it's a guest by Gothmolly · · Score: 2

    Say you have local access to a machine, which is a Xen guest. Does the machine KNOW it's a guest? If yes, how "virtual" is it, and if no, how would the attacker know to try the escape?

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Does a guest know it's a guest by PlusFiveTroll · · Score: 2

      I'm guessing you've never ran virtual hosts. It's really pretty easy to tell by the hardware list. See, lots of the hardware can use virtualized drivers that would be a pretty big tip off right there. Also, at least under Xen, both Windows and Linux can run the Xen tools that do things like keep the clock in sync with the host under it.

      Also, the hacker could just try to escape even if it didn't look virtual.

    2. Re:Does a guest know it's a guest by Sponge+Bath · · Score: 3, Funny

      This is an illegal exit. You must return to game grid. Repeat! This is an illegal exit. You must return to the grid.

  6. Re:What is the bug? by mevets · · Score: 5, Informative

    Read the xen link from the article. Intel throws a #GP in supervisor mode when sysretâ(TM)ing to an invalid %rip (loaded from %rcx) - invalid because reserved bits have junk in them.
    Amdâ(TM)s throws it in user mode.
    Intels problem is that the kernel needs to have loaded the user stack before issuing the sysret; so you can arrange your stack to gain supervisor access.
    Fix is check %rcx is valid before issuing sysret.

  7. the bazaar strikes again by marcello_dl · · Score: 4, Funny

    Microsoft Corporation: Affected by the bug-
    notified:01 May 2012 corrected:08 Jun 2012
    Debian GNU/Linux: Affected by the bug- Unknown
    notified:02 May 2012 corrected:02 May 2012

    Easy victory for debian, as there was no manager who had to wonder how fixing the bug ASAP vs. schedule the fix for later could potentially affect his career...

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    1. Re:the bazaar strikes again by hweimer · · Score: 4, Informative

      Easy victory for debian, as there was no manager who had to wonder how fixing the bug ASAP vs. schedule the fix for later could potentially affect his career...

      According to Debian's security tracker, the stable version is still vulnerable (and unstable was fixed only two days ago).

      --
      OS Reviews: Free and Open Source Software
    2. Re:the bazaar strikes again by Anonymous Coward · · Score: 4, Informative

      Both are the same issue.
      Please note however, the Parent is the Debian/Linux bug, GP is the debian/freebsd & xen bug.

      Debian/Linux has completely resolved this, but Debian using freebsd or Xen has not completely resolved it for all versions.

  8. Re:Why is this tagged linux and redhat by errandum · · Score: 5, Informative

    Details from Red Hat

    RHSA-2012:0720-1 & RHSA-2012:0721-1: It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important)

    from the original article

  9. Re:What is the bug? by amorsen · · Score: 5, Interesting

    Quote from Red Hat bug 813428:

    "On Intel CPUs sysret to non-canonical address causes a fault on the sysret instruction itself after the stack pointer is set to guest value but before the CPL is changed. Systems running on AMD CPUs are not vulnerable to this issue as sysret on AMD CPUs does not generate a fault before the CPL change."

    It is arguable whether it is a CPU bug or an OS/hypervisor bug. The CPU should not run the fault code with privileges, but on the other hand the OS should prevent the fault code from being called in the first place. AMD got the CPU part right, Intel didn't. I don't think anyone got the OS/hypervisor part right except by accident. Red Hat Enterprise Linux 4 is not exploitable due to the way it limits task virtual memory to 511 GB. VMWare doesn't use sysret, so that isn't exploitable either.

    I wonder what VIA Nano does...

    --
    Finally! A year of moderation! Ready for 2019?
  10. Article by DaMattster · · Score: 4, Interesting

    I thought it was interesting to note that the article never mentioned anything about OpenBSD. While this does not necessarily mean that OpenBSD is not vulnerable to the Intel 64-bit bug, I still find it interesting. If OpenBSD had been tested, I wouldn't be surprised if researchers found privilege escalation by exploiting said bug impossible. The OpenBSD team has spent an inordinate amount of time working to make their OS highly secure.

    1. Re:Article by Anonymous Coward · · Score: 3, Informative

      OpenBSD plugged this hole back in 2004.

      http://old.nabble.com/CVE-2012-0217%3A-SYSRET-64-bit-operating-system-privilege-escalation-vulnerability-on-Intel-CPU-hardware-td34003925.html

    2. Re:Article by Anonymous Coward · · Score: 2, Informative

      In long (64-bit) mode, Intel provides SYSRET and not SYSEXIT in order to conform to AMD's spec. The problem at hand is that Intel's implementation of that instruction under virtualization handles one kind of exception differently than does AMD's.

  11. Re:Why is this tagged linux and redhat by buchner.johannes · · Score: 4, Interesting

    Qubes looks like a smart idea!
    A useful feature that could be built on Qubes is to allow users to install and update programs from the repo -- because of the isolation, there is no harm for other users or root, and it doesn't clutter the system or require the admin to intervene.

    For mainframe computers, where multiple users work and need access to software packages, this would be useful, and solve the issue of breaking other, incompatible programs through updates.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  12. Re:What is the bug? by unixisc · · Score: 5, Interesting
    From TFA

    The flaw stems from the way the CPUs implement error handling in their version of the SYSRET instruction, which is part of the x86-64 standard defined by Advanced Micro Devices, according to the Xen community blog. "If an operating system is written according to AMD's spec, but run on Intel hardware, the difference in implementation can be exploited by an attacker to write to arbitrary addresses in the operating system's memory."

    Reading the wiki article on Differences b/w Intel 64 and AMD 64, Intel 64 allows SYSCALL and SYSRET only in 64-bit mode (not in compatibility mode). It allows SYSENTER and SYSEXIT in both modes. AMD64 lacks SYSENTER and SYSEXIT in both sub-modes of long mode.

    As a result, anything written w/ binary compatibility in mind would have to support SYSCALL and SYSRET - using SYSENTER and SYSEXIT would lock the code to Intel, but make it unusable on AMD. The result I'm guessing is that most compilers are written to use SYSCALL and SYSRET rather than SYSENTER and SYSEXIT, and since Intel has not implemented these 2 correctly, OSs that use them would have trouble on Intel platforms, but not on AMD.

    I'm guessing the only software fix here would be that if the software in question can detect that it's running on Intel, rather than AMD CPUs, it needs to substitute SYSENTER for SYSCALL and SYSEXIT for SYSRET, and run, until Intel fixes it in its next CPU spin. Unless of course Intel has implemented them badly as well.

  13. good hosting providers already patched... by TeddyR · · Score: 3, Informative

    I am surprised that it took this long for it to reach /.

    Linode.com had already patched the items last month. During an emergency but scheduled update round (took less than 30mins per host) and most users did not notice any issues since they were given more than 7 days advanced notice of the emergency update. [linode uses XEN on intel].

    http://blog.linode.com/2012/06/13/xen-security-advisories-and-how-we-handled-them/

    --

    --
    Time is on my side
  14. Re:Is this really a hardware issue? by arth1 · · Score: 3, Interesting

    And to answer my own question, it does appear that Intel has a microcode update dated 2012-06-06. The Linux version is at http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=21385

    (Linux itself isn't vulnerable, but guest operating systems might be.)

  15. Re:Gateway is bad? Talk about Dell then... by drinkypoo · · Score: 2

    Yes, same on this T900 here. And all the bundled apps install themselves along with the 32 bit Windows. Yet another fun project ahead of me. That machine needs an SSD swap anyway though so it doesn't seem like it will be that arduous a restriction... I'd have to do it anyway if I didn't want to fiddle with Partition Magic, and mine is too old to do Win7 anyway.

    As for the sibling comment... yeah, I shoulda known better than to buy a gateway. The point of the story is not that I shouldn't have known better, because I should, but don't buy a gateway, or maybe don't trust that an AMD-based platform will have good support of any kind, because it may not. Indeed, this is the machine I'm always bitching about that doesn't work worth a shit with Linux. I haven't tried it in a little while though so I may give it another go.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  16. Re:What is the bug? by TheRaven64 · · Score: 4, Interesting

    The result I'm guessing is that most compilers are written to use SYSCALL and SYSRET rather than SYSENTER and SYSEXIT

    Compilers never emit either instruction, because the source languages don't provide a system call mechanism. This code appears in hand-written assembly stubs in libc. A typical libc will contain multiple versions of the system call function for x86 (SYSCALL, SYSENTER, int 80h) and will install the correct one depending on the CPUID results.

    --
    I am TheRaven on Soylent News
  17. Re:What is the bug? by Dwonis · · Score: 5, Insightful

    It is arguable whether it is a CPU bug or an OS/hypervisor bug. The CPU should not run the fault code with privileges, but on the other hand the OS should prevent the fault code from being called in the first place.

    I think it's only arguable inside Intel's reality-distortion field. The whole point of SYSCALL/SYSRET is to create a *fast* syscall path. Requiring extra code before *every* SYSRET in order to prevent it from overwriting arbitrary memory is pretty clearly a design flaw in Intel's specification, especially since (as TFA notes) that specification was intended to be compatible with AMD's specification.

  18. Re:What is the bug? by kiwix · · Score: 2

    I don't think anyone got the OS/hypervisor part right except by accident.

    Apparently, the same bug was in the Linux kernel and has been fixed in 2006, with CVE-2006-0744. So they intially got it wrong, but fixed it before most other OS/hypervisors. It also seems that OpenBSD is not affected.