Meltdown and Spectre vulnerability

Systems Affected

CPU hardware implementations

Overview

National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as Meltdown (link is external) and Spectre (link is external)— that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.

Explanation:-

A series of major security vulnerabilities impacting nearly all Intel processors were recently discovered.  Dubbed "Meltdown" and "Spectre", these issues could allow an unprivileged process access to kernel
memory. These are hardware-level vulnerabilities, with Intel CPUs being the most impacted, although there is some exposure in AMD-branded CPUs as well.


Description

CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. These attacks are described in detail by CERT/CC’s Vulnerability Note VU#584653, the United Kingdom National Cyber Security Centre’s guidance on Meltdown and Spectre, Google Project Zero (link is external), and the Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz). The Linux kernel mitigations for this vulnerability are referred to as KAISER, and subsequently KPTI, which aim to improve separation of kernel and user memory pages.


Impact

Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.

Solution

NCCIC encourages users and administrators to refer to their OS vendors for the most recent information. However, the table provided below lists available advisories and patches. Due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.

After patching, performance may be diminished by up to 30 percent. Administrators should ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect if possible.

Additionally, impacts to availability in some cloud service providers (CSPs) have been reported as a result of patches to host OSes. Users and administrators who rely on cloud infrastructure should work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.

The following table contains links to advisories and patches published in response to the vulnerabilities.

MAC:-

Apple today confirmed that it has addressed the recent "Meltdown" vulnerability in previously released iOS 11.2, macOS 10.13.2, and tvOS 11.2 updates, with additional fixes coming to Safari in the near future to defend against the "Spectre" vulnerability


Windows:-

To fix the issue in windows system, Update to the latest version of Chrome (on January 23rd) or Firefox 57 if you use either browser
Check Windows Update and ensure KB4056892 is installed for Windows 10
Check your PC OEM website for support information and firmware updates and apply any immediately

Linux:-

Affected Linux Systems

Red Hat Enterprise Linux 5 (including clones such as CentOS/Oracle/Scientific Linux 5)
Red Hat Enterprise Linux 6 (including clones such as CentOS/Oracle/Scientific Linux 6)
Red Hat Enterprise Linux 7 (including clones such as CentOS/Oracle/Scientific Linux 7)
Debian Linux wheezy
Debian Linux jessie
Debian Linux stretch
Deiban Linux buster, sid
SUSE Linux Enterprise 11
SUSE Linux Enterprise 12
OpenSuse Linux based upon SUSE 12/11
Fedora Linux 26
Fedora Linux 27
Amazon Linux AMI (Bulletin ID: ALAS-2018-939)

To fix the vulnerability in linux update the kernal by using yum update.

#sudo yum update

Dirty Cow’ Linux Vulnerability

What is ‘Dirty Cow’ Linux vulnerability and will it impact you.


Dirty COW is a marketing name given to CVE-2016-5195. It describes a bug which allows a malicious actor to increase their level of privilege in a Linux environment up to and including ‘root’. The bug itself is an exploitable race condition. A race condition occurs when two different threads of execution are able to modify the state of the program or system based solely on timing.


Impact Statement

The core issue in CVE-2016-5195 has been present in all Linux kernels since version 2.6.22 released in 2007. The latest long term supported kernel version is 4.4.26. There are known in the wild exploits for CVE-2016-5195. Phil Oester, the security researcher who identified the vulnerability, first identified the issue through forensic log analysis of web server traffic. This implies exploit code is or will soon be part of malicious toolkits.

Mitigation

Mitigation of this issue is best accomplished via kernel update. The known exploit has been reported as non-viable for certain Linux distributions, but users of those distributions should minimize any patching delay to reduce the risk of exploit. Due to the nature of race conditions, the potential exists for other viable trigger models than those currently identified.

Does this impact me

Most users of desktop or server Linux devices are aware of the fact they have a Linux environment. For those users, obtaining an update from their Linux distribution is the ideal path to remediation. Linux as a platform has been used as a core operating system for consumer and industrial devices for much of its 25 year history. This continues today, and includes many of the most popular IoT and home automation devices on the market including devices such as internet routers, WiFi enabled thermostats and internet cameras. Owners of those devices should proactively contact the vendor to verify when an update will be available for their devices.”



How To Patch and Protect Linux Kernel Zero Day Local Privilege Escalation Vulnerability CVE-2016-5195


A very serious security problem has been found in the Linux kernel. A 0-day local privilege escalation vulnerability has existed for eleven years since 2005. This bug affects all sort of of Android or Linux kernel to escalate privileges. Any user can become root in less than 5 seconds. The bug has existed since Linux kernel version 2.6.22+. How do I fix this problem?


This bug is named as Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel. Exploitation of this bug does not leave any trace of anything abnormal happening to the logs. So you can not detect if someone has exploited this against your server.


What is CVE-2016-5195 bug?

From the project:

A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

A nasty bug for sure. Any local users can write to any file they can read, and present since at least Linux kernel version 2.6.22. Linus Torvalds explained:

This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a (“Fix get_user_pages() race for write access”) but that was then undone due to problems on s390 by commit f33ea7f404e5 (“fix get_user_pages bug”).

In the meantime, the s390 situation has long been fixed, and we can now fix it by checking the pte_dirty() bit properly (and do it better). The s390 dirty bit was implemented in abf09bed3cce (“s390/mm: implement software dirty bits”) which made it into v3.9. Earlier kernels will have to look at the page state itself.

Also, the VM has become more scalable, and what used a purely theoretical race back then has become easier to trigger.

To fix it, we introduce a new internal FOLL_COW flag to mark the “yes, we already did a COW” rather than play racy games with FOLL_WRITE that is very fundamental, and then use the pte dirty flag to validate that the FOLL_COW flag is still valid.

A list of affected Linux distros (including VMs and containers that share the same kernel)

Red Hat Enterprise Linux 7.x
Red Hat Enterprise Linux 6.x
Red Hat Enterprise Linux 5.x
CentOS Linux 7.x
CentOS Linux 6.x
CentOS Linux 5.x
Debian Linux wheezy
Debian Linux jessie
Debian Linux stretch
Debian Linux sid
Ubuntu Linux precise (LTS 12.04)
Ubuntu Linux trusty
Ubuntu Linux xenial (LTS 16.04)
Ubuntu Linux yakkety
Ubuntu Linux vivid/ubuntu-core
SUSE Linux Enterprise 11 and 12.
Openwrt

How do I fix CVE-2016-5195 on Linux?

Type the commands as per your Linux distro. You need to reboot the box. Before you apply patch, note down your current kernel version:

$ uname -a
$ uname -mrs

Sample outputs:

Linux 3.13.0-95-generic x86_64



Debian or Ubuntu Linux

$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade



Reboot the server:

$ sudo reboot

Related: Ubuntu Linux users can hotfix this Linux kernel bug without rebooting the server.



RHEL / CentOS Linux 5.x/6.x/7.x

$ sudo yum update
$ sudo reboot



RHEL / CentOS Linux 4.x

$ sudo up2date -u
$ sudo reboot


Suse Enterprise Linux or Opensuse Linux


To apply all needed patches to the system type:

# zypper patch
# reboot


Verification

You need to make sure your version number has changed:

$ uname -a
$ uname -r
$ uname -mrs


Determine if your system is vulnerable

For RHEL/CentOS Linux, use the following script:

$ wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_2.sh
$ bash rh-cve-2016-5195_2.sh



For all other distro try PoC (proof of concept exploit code)

Grab the PoC:

$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c


Run it as follows. First be root:

$ sudo -s
# echo this is not a test > foo



Run it as normal user:

$ gcc -lpthread dirtyc0w.c -o dirtyc0w
### ***[ If you get an error while compiling code, try ***] ###
$ gcc -pthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo