News Intel/ARM/AMD: Security vulnerabilities Meltdown & Spectre V1, V2 etc. (links in post 1)

Peet007

Admiral Special
Member since
30.09.2006
Posts
1.792
Reputation
22
The output of lscpu (Zen 2) under Linux, current kernel .14.0-AMD with AMD patches

Code:
Schwachstellen:
  Itlb multihit:                   Not affected
  L1tf:                            Not affected
  Mds:                             Not affected
  Meltdown:                        Not affected
  Spec store bypass:               Mitigation; Speculative Store Bypass disabled via prctl and seccomp
  Spectre v1:                      Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:                      Mitigation; Full AMD retpoline, IBPB conditional, STIBP conditional, RSB filling
  Srbds:                           Not affected
  Tsx async abort:                 Not affected

I don't know how things look on Zen 3 with the changed L3. The whole thing is apparently a long-running construction site.
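Added example, not part of the original post: lscpu takes this section from the kernel's sysfs files under /sys/devices/system/cpu/vulnerabilities, so a check can read them directly instead of parsing wrapped terminal output. The state names, the function names and the sample statuses (including the constructed, partially mitigated mds case) are assumptions made for this example.

```python
from pathlib import Path

# Kernel interface that lscpu reads its vulnerabilities section from.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample: three statuses modelled on the post above plus one
# constructed partially mitigated case (mds) that does not appear in the post.
SAMPLE = {
    "meltdown": "Not affected",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
}


def classify(status: str) -> str:
    """Map one kernel status line to a coarse state (names are this example's)."""
    low = status.strip().lower()
    if low == "not affected":
        return "not_affected"
    if "vulnerable" in low:
        # A mitigation that still reports a vulnerable sub-item is only partial.
        return "partial" if "mitigation" in low else "vulnerable"
    if "mitigation" in low:
        return "mitigated"
    return "unknown"


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read every status file; returns an empty dict if the directory is missing."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip()
            for p in sorted(directory.iterdir()) if p.is_file()}


def needs_attention(statuses: dict) -> list:
    """Names whose state is neither 'not_affected' nor 'mitigated'."""
    return sorted(name for name, status in statuses.items()
                  if classify(status) not in ("not_affected", "mitigated"))


if __name__ == "__main__":
    statuses = read_sysfs() or SAMPLE  # fall back to the constructed sample
    for name, status in sorted(statuses.items()):
        print(f"{name:20} {classify(status):13} {status}")
    print("needs attention:", needs_attention(statuses))
```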
 

eratte

Editorial staff
☆☆☆☆☆☆
Member since
11.11.2001
Posts
17.372
Reputation
1.648
Location
Rheinberg / NRW
  • BOINC Pentathlon 2012
  • BOINC Pentathlon 2013
  • BOINC Pentathlon 2014
  • BOINC Pentathlon 2015
  • BOINC Pentathlon 2016
  • BOINC Pentathlon 2017
  • BOINC Pentathlon 2020
  • SETI@Home Intel-Race II
  • BOINC Pentathlon 2021

Complicated

Grand Admiral Special
Member since
08.10.2010
Posts
4.592
Reputation
335
That looks good for now. Simple and effective, with the zero overwrites of the registers used. At least the barrier to entry has been raised.
 

Jackpot

Lieutnant
Member since
29.09.2020
Posts
64
Reputation
19
There is a vulnerability in the AMD PSP chipset driver. Several processors are affected, but only up to Zen 1000.
They took a long time for the fix, though, if the CVE already showed up in a Debian security list in January 2021 (link).

AMD-SB-1009
Severity
Medium

Low privileged malicious users may be able to access and leak data through the AMD Chipset Driver.

CVE-2021-26333
An information disclosure vulnerability exists in AMD Platform Security Processor (PSP) chipset driver. The discretionary access control list (DACL) may allow low privileged users to open a handle and send requests to the driver resulting in a potential data leak from uninitialized physical pages.

Affected Products

6th Generation AMD FX APU with Radeon™ R7 Graphics
AMD A10 APU with Radeon R6 Graphics
AMD A8 APU with Radeon R6 Graphics
AMD A6 APU with Radeon R5 Graphics
AMD A4-Series APU with Radeon Graphics
AMD Athlon™ X4 Processor
AMD E1-Series APU with Radeon Graphics
AMD Ryzen™ 1000 series Processor
Source: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1009
 

eratte


Jackpot

Currently there is a "hole" in ACPI in the WPBT table that makes it possible to load drivers into Windows after the fact, and through which, as at Lenovo, the "Superfish" software (heise.de) has already been shipped.

Microsoft WPBT flaw lets hackers install rootkits on Windows devices - bleepingcomputer.com

Everyone Gets a Rootkit - securityboulevard.com

The Eclypsium research team has identified a weakness in Microsoft’s WPBT capability that can allow an attacker to run malicious code with kernel privileges when a device boots up. WPBT is a feature that allows OEMs to modify the host operating system during boot to include vendor-specific drivers, applications, and content. Compromising this process can enable an attacker to install a rootkit compromising the integrity of the device.
...
This weakness can be potentially exploited via multiple vectors (e.g. physical access, remote, and supply chain) and by multiple techniques (e.g. malicious bootloader, DMA, etc). Organizations will need to consider these vectors, and employ a layered approach to security to ensure that all available fixes are applied and identify any potential compromises to devices.

Source: Everyone Gets a Rootkit - eclypsium.com
 

Complicated

Wrong thread?
 

Complicated

Only the side-channel attacks are actually collected here ;)

That is Microsoft's own tool that loads Windows software.
ACPI has no hole here; rather, with the API, OEM software (drivers/firmware/bloatware) is supported by Microsoft:
From your linked source: https://securityboulevard.com/2021/09/everyone-gets-a-rootkit/
WPBT — The OEM Rootkit
Windows Platform Binary Table (WPBT) is an ACPI table first introduced in Windows 8. And while ACPI was originally intended to give the OS more control, WPBT can give the firmware a foothold in the OS. Microsoft describes WPBT as follows:

The WPBT is a fixed Advanced Configuration and Power Interface (ACPI) table that enables boot firmware to provide Windows with a platform binary that the operating system can execute. The binary handoff medium is physical memory, allowing the boot firmware to provide the platform binary without modifying the Windows image on disk.
  • Source: Microsoft, Windows Platform Binary Table (.docx)
This functionality was intended to let OEMs include important files, drivers, or executables for the system without needing to modify the Windows image on disk. The technology has been used by a number of vendors including Lenovo, ASUS, and many others. However, by executing files and modifying the operating system, this type of functionality can be seen as a vendor-specific rootkit. Acclaimed researcher and co-author of Windows Internals, Alex Ionescu, has been calling out the dangers of WPBT as a rootkit as early as 2012 and continues to do so today.
And that then leads to frequent carelessness among so many OEMs:
Several public incidents have provided examples of vendor-supplied code in firmware putting systems at risk. Lenovo’s Superfish adware and vulnerable Lenovo Service Engine (LSE) use WPBT to install software on devices, as does Absolute Software’s Computrace/LoJack. This LoJack software was later trojanized by attackers, resulting in the now infamous LoJax UEFI rootkit.
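Added example, not part of the post above or of the quoted article: a defender-side check that reads the WPBT a firmware publishes and decodes it, so an inventory can record which machines hand Windows a platform binary. The field layout is assumed from Microsoft's WPBT specification, the Linux sysfs path is where the kernel exposes raw ACPI tables, and the sample table and all function names are constructed for this example.

```python
import struct
from pathlib import Path

# Linux exposes raw ACPI tables here (readable by root); the file exists only
# when the firmware publishes a WPBT.
WPBT_PATH = Path("/sys/firmware/acpi/tables/WPBT")
HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
BODY = struct.Struct("<IQBBH")  # handoff size, handoff address, layout, type, args length


def parse_wpbt(raw: bytes) -> dict:
    """Decode a WPBT and verify the ACPI checksum (all bytes sum to 0 mod 256)."""
    if len(raw) < HEADER.size + BODY.size:
        raise ValueError("too short for a WPBT")
    sig, length, _rev, _sum, oem_id, _oem_table, *_ = HEADER.unpack_from(raw)
    if sig != b"WPBT" or length > len(raw):
        raise ValueError("not a complete WPBT table")
    size, addr, layout, ctype, arg_len = BODY.unpack_from(raw, HEADER.size)
    arg_start = HEADER.size + BODY.size
    return {
        "length": length,
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "handoff_size": size,      # bytes of physical memory holding the binary
        "handoff_address": addr,   # physical address of the binary
        "content_layout": layout,  # 1 = flat PE image
        "content_type": ctype,     # 1 = native user-mode application
        "arguments": raw[arg_start:arg_start + arg_len].decode("utf-16-le", "replace"),
        "checksum_ok": sum(raw[:length]) % 256 == 0,
    }


def constructed_sample() -> bytes:
    """Build a synthetic table (constructed, not taken from any real machine)."""
    args = "demo".encode("utf-16-le")
    body = BODY.pack(0x2000, 0x7F000000, 1, 1, len(args)) + args
    table = bytearray(HEADER.pack(b"WPBT", HEADER.size + len(body), 1, 0,
                                  b"SAMPLE", b"CONSTRCT", 1, b"TEST", 1) + body)
    table[9] = -sum(table) % 256  # checksum byte sits at offset 9
    return bytes(table)


if __name__ == "__main__":
    raw = WPBT_PATH.read_bytes() if WPBT_PATH.exists() else constructed_sample()
    for key, value in parse_wpbt(raw).items():
        print(f"{key:16} {value}")
```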
 

eratte


Complicated

If I understand this correctly, they consider HPET so broken that they patch it out completely wherever possible.
Disabling HPET was once a performance tip for Zen 1, which AMD fixed with Zen+. In fact, Ryzen Master and other software allegedly seem to need the synchronizing hardware clock source to display all data correctly.
On my 3700X HPET is disabled (checked with CPU-Z) and Ryzen Master causes no problems.
Anandtech asked AMD about this, and AMD said that Ryzen Master enables HPET in the BIOS on installation, which makes the restart necessary to enable it in the OS. However, after installing Ryzen Master I ran BIOS updates, and these seem to have disabled HPET again on my MSI board. I haven't had time yet to look at this in the BIOS.
For those that remember the Ryzen 7 1000-series launch, about a year ago from now, one point that was lightly mentioned among the media was that in AMD’s press decks, it was recommended that for best performance, HPET should be disabled in the BIOS. Specifically it was stated that:

Make sure the system has Windows High Precision Event Timer (HPET) disabled. HPET can often be disabled in the BIOS. [T]his can improve performance by 5-8%.

The reasons at the time were unclear as to why, but it was a minor part in the big story of the Zen launch so it was not discussed in detail. However, by the Ryzen 5 1000-series launch, that suggestion was no longer part of the reviewer guide. By the time we hit the Ryzen-2000 series launched last week, the option to adjust HPET in the BIOS was not even in the motherboards we were testing. We cycled back to AMD about this, and they gave the following:

The short of it is that we resolved the issues that caused a performance difference between on/off. Now that there is no need to disable HPET, there is no need for a toggle [in the BIOS].

Interestingly enough, with our ASUS X470 motherboard, we did eventually find the setting for HPET – it was not in any of the drop down menus, but it could be found using their rather nice ‘search’ function. I probed ASUS about whether the option was enabled in the BIOS by default, given that these options were not immediately visible, and was told:

It's enabled and never disabled, since the OS will ignore it by default. But if you enable it, then the OS will use it – it’s always enabled, that way if its needed it is there, as there would be no point in pulling it otherwise.

So from an AMD/ASUS perspective, the BIOS is now going to always be enabled, and it needs to be forced in the OS to be used, however the previous guidance about disabling it in the BIOS has now gone, as AMD expects performance parity.

It is worth noting that AMD’s tool, Ryzen Master, requires a system restart when the user first loads it up. This is because Ryzen Master, the overclocking and monitoring tool, requires HPET to be forced in order to do what it needs to do. In fact, back at the Ryzen 7 launch in 2017, we were told:

AMD Ryzen Master’s accurate measurements present require HPET. Therefore it is important to disable HPET if you already installed and used Ryzen Master prior to game benchmarking.

Ultimately if any AMD user has Ryzen Master installed and has been run at any point, HPET is enabled, even if the software is not running or uninstalled. The only way to stop it being forced in the OS is with a command to change the value in the BCD, as noted above.

For the Ryzen 2000-series launch last week, Ryzen Master still requires HPET to be enabled to run as intended. So with the new guidance that HPET should have minimal effect on benchmarks, the previous guidance no longer applies.
Here is an interesting article that sheds light on the topic:
CPU-Z can be used to check whether HPET is active on your own system - it is launched via Tools:



If you let the timer test run for a few minutes, you see the ever-growing deviation of the RTC timer.

If disabling the HPET timer turns out to be the only mitigation for the bug, Intel is in for hard times in gaming benchmarks:
[Image: 8700KGPU_575px.png]


For AMD this is less problematic in gaming:
[Image: 2700XGPU_575px.png]

The tests on page 4 at Anandtech: https://www.anandtech.com/show/12678/a-timely-discovery-examining-amd-2nd-gen-ryzen-results/4

Given that the difference between the two sets of data is related to the timer, one could postulate that the more granular the timer, the more the effect it can have: on both of our systems, the QPC timer is set for 3.61 MHz as a baseline, but the HPET frequencies are quite different. The AMD system has a HPET timer at 14.32 MHz (~4x), while the Intel system has a HPET timer at 24.00 MHz (~6.6x). It is clear that the higher granularity of the Intel timer is causing substantially more pipeline delays – moving from a tick-to-tick delay of 277 nanoseconds to 70 nanoseconds to 41.7 nanoseconds is crossing the boundary from being slower than a CPU-to-DRAM access to almost encroaching on a CPU-to-L3 cache access, which could be one of the reasons for the results we are seeing, along with the nature of how the HPET timer works.
 

Jackpot

AMD has disclosed a side-channel vulnerability for all of its processors; the vulnerability is in the x86 prefetch function.

Side-channels Related to the x86 PREFETCH Instruction
AMD-SB-1017
Potential Impact: Leaked kernel address space information
Severity: Medium

Researchers from Graz University of Technology with CISPA Helmholtz Center for Information Security have demonstrated timing and power-based side channel attacks leveraging the x86 PREFETCH instructions on some AMD CPUs. The attacks discussed in the paper do not directly leak data across address space boundaries. As a result, AMD is not recommending any mitigations at this time.

CVE-2021-26318
A timing and power-based side channel attack leveraging the x86 PREFETCH instructions on some AMD CPUs could potentially result in leaked kernel address space information.

Affected Products
All AMD CPUs

Source - amd.com

*edit*
LEN-65528 AMD x86 PREFETCH instruction related side-channels CVE-2021-26318 AMD-SB-1017 2021-10-12 2021-10-12
Source - lenovo.com
 

pipin

Administrator
Team member
Member since
16.10.2000
Posts
22.108
Reputation
8.686
Location
East Fishkill, Minga, Xanten
  • SIMAP Race
  • QMC Race
  • RCN Russia
  • Spinhenge ESL
  • Docking@Home
  • BOINC Pentathlon 2019
  • SETI@Home Intel-Race II
  • THOR Challenge 2020
  • BOINC Pentathlon 2021

The CVE for it is not yet public at the moment. It was already submitted in March.
 

Complicated

AMD writes about this:
CVE-2021-26318
A timing and power-based side channel attack leveraging the x86 PREFETCH instructions on some AMD CPUs could potentially result in leaked kernel address space information.
Which means local access to the power supply is needed to exploit the vector.
 

eratte


Complicated

Important to note:
It's also worth mentioning that besides AMD not recommending any mitigation changes at this time, external Linux kernel developers so far have not proposed any kernel patches changing any page table isolation behavior or the defaults. So for now just take these results for hypothetical scenario if KPTI needs to be flipped on for AMD CPUs or are very paranoid about security and side with the researchers about the need to enable it. It's also possible that should improved page table isolation become necessary, AMD or other parties may suggest enhancements or alternatives to the existing KPTI code.
 