DaemonForums
News: News regarding BSD and related.
#1
13th June 2012
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands

Intel CPUs affected by VM privilege escalation exploit

From http://h-online.com/-1616866

Quote:
A security vulnerability in the virtualisation software built into Intel's hardware allows an attacker to execute code in Ring 0 of the CPU. The problem affects 64-bit versions of Windows, Linux, FreeBSD and the Xen hypervisor.
--
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#2
13th June 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA

@J65nko, I know you are trying to keep our small community informed, and I appreciate the effort.

Please, check multiple sources -- and then focus on applicability to the BSD operating systems -- before deciding to post these sorts of news links.
When I post a response in your news threads, it is sometimes because I feel that either your excerpt or the linked article itself is incomplete or not in a useful context for BSD users.
This thread is a case in point.

The vulnerability also affects NetBSD.

I have not seen an official notification or response listed, but it has been posted on OpenBSD's misc@ that this does not affect OpenBSD.
#3
13th June 2012
Carpetsmoker (Real Name: Martin)
Old man from scene 24
Join Date: Apr 2008
Location: Eindhoven, Netherlands

Hurray for OpenBSD!
--
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
#4
13th June 2012
daemonfowl
bsdstudent
Join Date: Jan 2012
Location: DaemonLand

Who's not proud of being Puffy?
#5
14th June 2012
comet--berkeley
Old programmer/hacker
Join Date: Apr 2009

Security Intel CPUs affected by VM privilege escalation exploit

Quote:
Security Intel CPUs affected by VM privilege escalation exploit
The keyword here being "VM".

All the Linux vulnerabilities seem to require Xen for the bug to appear:

http://www.kb.cert.org/vuls/byvendor...&SearchOrder=4

A virtual machine is no more secure than the underlying host operating system.

I wish a group with the mind-set of OpenBSD (or more stringent) would create a decent open source virtual machine environment...
#6
14th June 2012
thirdm
Package Pilot
Join Date: May 2009

Quote:
Originally Posted by comet--berkeley View Post
The keyword here being "VM".

All the Linux vulnerabilities seem to require Xen for the bug to appear:
It doesn't actually require Xen in general, if I'm reading the link below correctly:

http://blog.xen.org/index.php/2012/0...ge-escalation/

You'll note that Linux fixed their non-Xen version of the problem in 2006, but others apparently weren't paying close attention to what they were fixing and whether it affected them too:

https://cve.mitre.org/cgi-bin/cvenam...=CVE-2006-0744

"Linux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS."

Also interesting about the Xen blog description is that the motivation for the sysret instruction (and a similar one from Intel that hasn't become the de facto standard) was performance. And I find it interesting how you have the two chip vendors not agreeing on a single solution and then implementing sysret in slightly different ways, causing more complexity.

So I wonder, did Linux fix it by using iretq instead or by some other means (one of the Redhat advisories says something about guard pages)? You're implying that OpenBSD weighed sysret vs. iretq, figured sysret smelled funny, and passed on the performance gain -- i.e. you're saying it was something deliberate in the OpenBSD developers' approach that saved them. That sounds plausible, but is that how it happened or did they just get lucky?

FreeBSD's advisory doesn't mention Xen, so does that mean you can get privilege escalation with them on bare hardware?

Doesn't Amazon's EC2 service use Xen?
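As an added illustration (not code from this thread or from any of the affected kernels), here is a small C model of the return-to-user path thirdm is asking about: the unchecked path restores the user stack pointer and then relies on SYSRET, so on Intel CPUs a non-canonical return address raises #GP while CPL is still 0 with the user-supplied RSP in effect; the checked path tests the address first and routes non-canonical ones through IRETQ so the fault is taken on the kernel stack. The `struct cpu`, the function names and the 48-bit address width are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* x86-64 canonical-address test: with va_bits of linear address (48 on
 * the CPUs discussed here, 57 with LA57), bits 63..va_bits-1 must all be
 * equal, i.e. the value shifted right by va_bits-1 is 0 or all ones.
 * Done with unsigned shifts to avoid signed-shift undefined behaviour. */
bool is_canonical(uint64_t addr, unsigned va_bits) {
    uint64_t top = addr >> (va_bits - 1);
    return top == 0 || top == (UINT64_MAX >> (va_bits - 1));
}

/* Assumed, simplified CPU state (a model only, not a real register file). */
struct cpu {
    uint64_t rip;   /* return address, RCX for SYSRET */
    uint64_t rsp;   /* stack pointer in effect when a fault is delivered */
    int cpl;        /* 0 = kernel, 3 = user */
    bool gp_fault;  /* #GP raised during the return */
};

/* Pre-fix path: user RSP is restored, then SYSRET is executed. Intel
 * CPUs check RCX for canonicality and raise #GP before lowering CPL, so
 * the #GP handler starts at CPL 0 on a user-controlled stack. */
struct cpu sysret_unchecked(uint64_t user_rip, uint64_t user_rsp) {
    struct cpu c = { .rip = user_rip, .rsp = user_rsp, .cpl = 0, .gp_fault = false };
    if (!is_canonical(user_rip, 48)) {
        c.gp_fault = true;   /* fault at CPL 0 with c.rsp == user_rsp */
        return c;
    }
    c.cpl = 3;               /* ordinary return to user mode */
    return c;
}

/* Mitigated path (the shape of the 2012 kernel patches): test the return
 * address while still on the kernel stack; a non-canonical RIP takes the
 * slower IRETQ route, which faults before switching RSP, so the handler
 * runs on the kernel stack. Only canonical RIPs use SYSRET. */
struct cpu sysret_checked(uint64_t user_rip, uint64_t user_rsp, uint64_t kernel_rsp) {
    struct cpu c = { .rip = user_rip, .rsp = kernel_rsp, .cpl = 0, .gp_fault = false };
    if (!is_canonical(user_rip, 48)) {
        c.gp_fault = true;   /* IRETQ #GP, still on kernel_rsp */
        return c;
    }
    c.rsp = user_rsp;        /* safe to hand the user stack over now */
    c.cpl = 3;
    return c;
}
```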
#7
14th June 2012
thirdm
Package Pilot
Join Date: May 2009

This is a better link: http://dl.packetstormsecurity.net/08...-emulation.txt
#8
14th June 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA

Quote:
...That sounds plausible, but is that how it happened or did they just get lucky?...
Good question. The developer who commented on OpenBSD's misc@ mailing list was guenther@; he has been directly involved in patches that address sysret control blocks, though I could find no specific mention of sysret management in CVS logs when looking through marc.info just now. That archive is incomplete, of course.
#9
14th June 2012
gpatrick
Shell Scout
Join Date: Nov 2009

The article mentioned Windows, Linux, and FreeBSD, but sysret was also patched in Illumos 18 hours ago.
18th June 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA

Quoting myself, for correction
Quote:
Originally Posted by jggimi View Post
...I have not seen an official notification or response listed, but it has been posted on OpenBSD's misc@ that this does not affect OpenBSD.
Per this misc@ post today, Intel platforms running OpenBSD prior to 5.0-release are affected.