Linux Security – How to Mitigate Spectre and Meltdown Vulnerabilities

linuxvulnerabilityx86

Security researchers have published on the Project Zero a new vulnerability called Spectre and Meltdown allowing a program to steal information from a memory of others programs. It affects Intel, AMD and ARM architectures.

This flaw can be exploited remotely by visiting a JavaScript website. Technical details can be found on redhat website, Ubuntu security team.

Information Leak via speculative execution side channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 a.k.a. Spectre and Meltdown)

It was discovered that a new class of side channel attacks impact most processors, including processors from Intel, AMD, and ARM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory. To address the issue, updates to the Ubuntu kernel and processor microcode will be needed. These updates will be announced in future Ubuntu Security Notices once they are available.

Example Implementation in JavaScript

As a proof-of-concept, JavaScript code was written that, when run in the Google Chrome browser, allows JavaScript to read private memory from the process in which it runs.

My system seem to be affected by the spectre vulnerability. I have compiled and executed this proof-of-concept (spectre.c).

System information:

$ uname -a
4.13.0-0.bpo.1-amd64 #1 SMP Debian 4.13.13-1~bpo9+1 (2017-11-22) x86_64 GNU/Linux

$ cat /proc/cpuinfo
model name  : Intel(R) Core(TM) i3-3217U CPU @ 1.80GHz

$gcc --version
gcc (Debian 6.3.0-18) 6.3.0 20170516

How to mitigate the Spectre and Meldown vulnerabilities on Linux systems?

Further reading: Using Meltdown to steal passwords in real time.

Update

Using the Spectre & Meltdown Checker after switching to the 4.9.0-5 kernel version following @Carlos Pasqualini answer because a security update is available to mitigate the cve-2017-5754 on debian Stretch:

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO  (only 31 opcodes found, should be >= 70)
> STATUS:  VULNERABLE  (heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

Update Jan 25 , 2018

The spectre-meltdown-checker script is officially packaged by debian , it is available for Debian Stretch through backports repository , Buster and Sid.

Update 05/22/2018

Speculative Store Bypass (SSB) – also known as Variant 4

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

Rogue System Register Read (RSRE) – also known as Variant 3a

Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis.

Edit July 27 , 2018

NetSpectre: Read Arbitrary Memory over Network

In this paper, we present NetSpectre, a new attack based on
Spectre variant 1, requiring no attacker-controlled code on the
target device, thus affecting billions of devices. Similar to a local
Spectre attack, our remote attack requires the presence of a Spectre
gadget in the code of the target. We show that systems containing
the required Spectre gadgets in an exposed network interface or API
can be attacked with our generic remote Spectre attack, allowing to
read arbitrary memory over the network. The attacker only sends
a series of crafted requests to the victim and measures the response
time to leak a secret value from the victim’s memory.

Best Answer

Alan Cox shared a link from AMD's blog: https://www.amd.com/en/corporate/speculative-execution

Variant One: Bounds Check Bypass

Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected.

Variant Two: Branch Target Injection

Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.

Variant Three: Rogue Data Cache Load

Zero AMD vulnerability due to AMD architecture differences.

It would be good to have confirmation of these AMD's statements by a third party though.

The 'mitigation' on affected systems, would require a new kernel and a reboot, but on many distributions there is not yet released packages with the fixes:

https://www.cyberciti.biz/faq/patch-meltdown-cpu-vulnerability-cve-2017-5754-linux/

Debian:

Other sources of information I found:

Related Solutions

Linux – “WannaCry” on Linux systems: How to protect yourself

This Samba new vulnerability is already being called "Sambacry", while the exploit itself mentions "Eternal Red Samba", announced in twitter (sensationally) as:

Samba bug, the metasploit one-liner to trigger is just: simple.create_pipe("/path/to/target.so")

Potentially affected Samba versions are from Samba 3.5.0 to 4.5.4/4.5.10/4.4.14.

If your Samba installation meets the configurations described bellow, the fix/upgrade should be done ASAP as there are already exploits, other exploit in python and metasploit modules out there.

More interestingly enough, there are already add-ons to a know honeypot from the honeynet project, dionaea both to WannaCry and SambaCry plug-ins.

Samba cry seems to be already being (ab)used to install more crypto-miners "EternalMiner" or double down as a malware dropper in the future.

honeypots set up by the team of researchers from Kaspersky Lab have captured a malware campaign that is exploiting SambaCry vulnerability to infect Linux computers with cryptocurrency mining software. Another security researcher, Omri Ben Bassat‏, independently discovered the same campaign and named it "EternalMiner."

The advised workaround for systems with Samba installed (which also is present in the CVE notice) before updating it, is adding to smb.conf:

nt pipe support = no

(and restarting the Samba service)

This is supposed to disable a setting that turns on/off the ability to make anonymous connections to the windows IPC named pipes service. From man samba:

This global option is used by developers to allow or disallow Windows NT/2000/XP clients the ability to make connections to NT-specific SMB IPC$ pipes. As a user, you should never need to override the default.

However from our internal experience, it seems the fix is not compatible with older? Windows versions ( at least some? Windows 7 clients seem to not work with the nt pipe support = no), and as such the remediation route can go in extreme cases into installing or even compiling Samba.

More specifically, this fix disable shares listing from Windows clients, and if applied they have to manually specify the full path of the share to be able to use it.

Other known workaround is to make sure Samba shares are mounted with the noexec option. This will prevent the execution of binaries residing on the mounted filesystem.

The official security source code patch is here from the samba.org security page.

Debian already pushed yesterday (24/5) an update out the door, and the corresponding security notice DSA-3860-1 samba

To verify in if the vulnerability is corrected in Centos/RHEL/Fedora and derivates, do:

#rpm -q –changelog samba | grep -i CVE
– resolves: #1450782 – Fix CVE-2017-7494
– resolves: #1405356 – CVE-2016-2125 CVE-2016-2126
– related: #1322687 – Update CVE patchset

There is now an nmap detection script :samba-vuln-cve-2017-7494.nse for detecting Samba versions, or a much better nmap script that checks if the service is vulnerable at http://seclists.org/nmap-dev/2017/q2/att-110/samba-vuln-cve-2017-7494.nse , copy it to /usr/share/nmap/scripts and then update the nmap database , or run it as follows:

nmap --script /path/to/samba-vuln-cve-2017-7494.nse -p 445 <target>

About long term measures to protect the SAMBA service: The SMB protocol should never be offered directly to the Internet at large.

It goes also without saying that SMB has always been a convoluted protocol, and that these kind of services ought to be firewalled and restricted to the internal networks [to which they are being served].

When remote access is needed, either to home or specially to corporate networks, those accesses should be better done using VPN technology.

As usual, on this situations the Unix principle of only installing and activating the minimum services required does pay off.

Taken from the exploit itself:

Eternal Red Samba Exploit -- CVE-2017-7494.
Causes vulnerable Samba server to load a shared library in root context.
Credentials are not required if the server has a guest account.
For remote exploit you must have write permissions to at least one share.
Eternal Red will scan the Samba server for shares it can write to. It will also determine the fullpath of the remote share.
    For local exploit provide the full path to your shared library to load.  

    Your shared library should look something like this

    extern bool change_to_root_user(void);
    int samba_init_module(void)
    {
        change_to_root_user();
        /* Do what thou wilt */
    }

It is also known systems with SELinux enabled are not vulnerable to the exploit.

See 7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely

According to the Shodan computer search engine, more than 485,000 Samba-enabled computers exposed port 445 on the Internet, and according to researchers at Rapid7, more than 104,000 internet-exposed endpoints appeared to be running vulnerable versions of Samba, out of which 92,000 are running unsupported versions of Samba.

Since Samba is the SMB protocol implemented on Linux and UNIX systems, so some experts are saying it is "Linux version of EternalBlue," used by the WannaCry ransomware.

...or should I say SambaCry?

Keeping in mind the number of vulnerable systems and ease of exploiting this vulnerability, the Samba flaw could be exploited at large scale with wormable capabilities.

Home networks with network-attached storage (NAS) devices [that also run Linux] could also be vulnerable to this flaw.

The seven-year-old flaw, indexed as CVE-2017-7494, can be reliably exploited with just one line of code to execute malicious code, as long as a few conditions are met. Those requirements include vulnerable computers that:

(a) make file- and printer-sharing port 445 reachable on the Internet,
(b) configure shared files to have write privileges, and
(c) use known or guessable server paths for those files.

When those conditions are satisfied, remote attackers can upload any code of their choosing and cause the server to execute it, possibly with unfettered root privileges, depending on the vulnerable platform.

Given the ease and reliability of exploits, this hole is worth plugging as soon as possible. It's likely only a matter of time until attackers begin actively targeting it.

Also Rapid 7 - Patching CVE-2017-7494 in Samba: It’s the Circle of Life

And more SambaCry: The Linux Sequel to WannaCry.

Need-to-Know Facts

CVE-2017-7494 has a CVSS Score of 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)3.

Threat Scope

A shodan.io query of "port:445 !os:windows" shows approximately one million non-Windows hosts that have tcp/445 open to the Internet, more than half of which exist in the United Arab Emirates (36%) and the U.S. (16%). While many of these may be running patched versions, have SELinux protections, or otherwise don't match the necessary criteria for running the exploit, the possible attack surface for this vulnerability is large.

P.S. The commit fix in the SAMBA github project appear to be commit 02a76d86db0cbe79fcaf1a500630e24d961fa149

Linux – How to secure Linux systems against the BlueBorne remote attack

The coordinated disclosure date for the BlueBorne vulnerabilities was September 12, 2017; you should see distribution updates with fixes for the issues shortly thereafter. For example:

Until you can update the kernel and BlueZ on affected systems, you can mitigate the issue by disabling Bluetooth (which might have adverse effects of course, especially if you use a Bluetooth keyboard or mouse):

blacklist the core Bluetooth modules

printf "install %s /bin/true\n" bnep bluetooth btusb >> /etc/modprobe.d/disable-bluetooth.conf

disable and stop the Bluetooth service

systemctl disable bluetooth.service
systemctl mask bluetooth.service
systemctl stop bluetooth.service

remove the Bluetooth modules
```
rmmod bnep
rmmod bluetooth
rmmod btusb
```
(this will probably fail at first with an error indicating other modules are using these; you’ll need to remove those modules and repeat the above commands).

If you want to patch and rebuild BlueZ and the kernel yourself, the appropriate fixes are available here for BlueZ and here for the kernel.