Protecting against the chipset vulnerabilities known as Spectre and Meltdown, but a problem was encountered on AMD chips

Microsoft released a patch this week whose objective is to add Windows operating system mitigations against the chipset vulnerabilities known as Spectre and Meltdown. A problem was encountered on AMD chips after the patch was installed: the system does not boot. Microsoft suspects that the root cause is AV software. For more details, please see the informative diagram below for reference. The reference URLs are shown below:

Windows operating system security update block for some AMD based devices:

https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices

Important: Windows security updates released January 3, 2018, and antivirus software:

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

Take care man!

Spectre attack works on non-Intel processors – status update by Apple, 8th Jan 2018

In order to avoid the effects of Spectre (CVE-2017-5753 and CVE-2017-5715), Apple announced a solution (patching) to mitigate these vulnerabilities. It was a surprise that the result looks different from the findings of the security analysis report: it looks like there is no significant performance slowdown and no need to redesign the CPU. However, the problem Apple addresses this time is the Spectre attack. Unlike Meltdown, the Spectre attack works on non-Intel processors, including AMD and ARM processors. Furthermore, it looks like there is no protection against Spectre until a new design concept is found! It looks like the easy way is to disable the CPU L1 cache, but that would reduce performance. It surprises me that Azure and Apple applied the patch and did not encounter the known performance issue. Perhaps cloud-based platforms are memory intensive instead of CPU intensive, or the problem has not been correctly addressed. For your reference, the Apple patch announcements:

macOS High Sierra 10.13.2 Supplemental Update

https://support.apple.com/en-hk/HT208397

Safari 11.0.2 includes security improvements to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

https://support.apple.com/en-hk/HT208403

iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

https://support.apple.com/en-hk/HT208401
CPU and machines not vulnerable to the “Meltdown” and “Spectre” vulnerabilities.

The Chinese mantra “time will tell” looks like a witness to the modern hardware and software development industry. As we know, the IBM mainframe (s390) and Sun SPARC gave the world the feeling in the last decade that they are far away from modern technologies, even though S390 has an LPAR function that allows multiple OS platforms to run in the same box, including Windows Server, Linux and third-party Unix. The general feedback from the IT world was that they are outdated. The rumours were true and Oracle laid off the core talent of the Solaris and SPARC teams last year. As a matter of fact, protecting the IT world is not only the job of cyber security service providers. (For example, the defense solution vendors have a headache because they do not have a precise idea of how to detect and defend against such a design limitation problem.) In future, maybe the former giants will give you assistance. Why? Because SPARC and S390 support “Address Space Identifiers” (ASIs). In that sense, they did kernel page-table isolation already. They are not vulnerable to the “Meltdown” and “Spectre” vulnerabilities.

Remark:

SPARC v8 ASI assignments for privileged (supervisor) and user access are shown below:

  • user mode instruction fetch is ASI 0x08,
  • supervisor mode instruction fetch is ASI 0x09,
  • user mode normal data access is ASI 0x0A,
  • supervisor mode normal data access is ASI 0x0B.

CVE-2017-5753, CVE-2017-5715 & CVE-2017-5715 – are there any changes?

An urgent alert announced by US Homeland Security urges computer users to stay alert to the CPU design bug found this month. The victim firm Intel commented that this known issue is not encountered on their products only. As a matter of fact, this is true: a side channel attack on mobile devices happened earlier this year (reference URL):

Tragedy – Android bugs: should we wait, or should we take pre-emptive action?

I speculated that WAN acceleration solution vendors and software-defined networking will be the next victims, but for now they keep silent. Perhaps headline news articles comment that no known cyber attacks have used a similar theory in the past. But I am in doubt. We all imagine that this is a nightmare, but potential business opportunities are coming soon. From a high-level point of view, perhaps such CPU design limitations are exploited by cyber attacks on the endpoint. There is a tremendous business in enhancing government and enterprise endpoint management, especially mobile device management, in preventive and detective controls, and in managed security services and SIEM to enhance detective control. The truth is that this is a business opportunity. Below is the URL of the new announcement by Amazon.

https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
Intel CPU design hiccups – CVE-2017-5753, CVE-2017-5715, CVE-2017-5754

The details below say more than a thousand of my words.
Current status update in regard to CPU (Intel) design limitations.

AMD https://www.amd.com/en/corporate/speculative-execution

  • AMD is proud of it; they did not make this mistake! It seems it will be a long run in development; it is hard to tell at this moment. Stay tuned. Good luck to them!

ARM https://developer.arm.com/support/security-update

Intel https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

Microsoft https://portal.msrc.microsoft.com/en-US/eula

Linux https://lkml.org/lkml/2017/11/22/956

F5 https://support.f5.com/csp/article/K91229003

It looks strange that a similar vulnerability was found in Aug 2017. I remember that my article posted here mentioned it before (see the URL below for reference). In the meantime, I personally agree with Intel's announcement that, based on the CPU features to date, many types of computing devices with many different vendors' processors and operating systems are susceptible to these exploits. Therefore Intel might not be the only victim.

The enemy of ASLR (Address space layout randomization) – memory leak

Are there any other vendors, especially virtual machine OS vendors, that have not yet confirmed and informed that they are not involved in this CPU design limitation vulnerability?

The cache side channel attack in this security incident on the Intel side looks applicable to other chip vendors. The worst scenario is that a similar side channel attack can happen wherever you have a cache. So, it is foreseeable that this is the prelude to a new form of attack this year!

Processor bug harms virtual machine and cloud computing platforms

Headline news today told the world of chip design hiccups by the CPU manufacturer (Intel). You can easily do a Google search to find out the details. When the virtual machine design concept first came to the world, security experts foresaw that multiple vulnerabilities would happen in future. It looks like the victims of this incident are cloud computing service providers, since their operations rely fully on virtual machines. In short, the picture below can simply provide the idea. For more detail, please refer to the URL below issued by Forbes.

Intel Processor Bug Leaves All Current Chips Vulnerable And Its Fix Saps Performance [Updated by forbes.com] – https://www.forbes.com/sites/davealtavilla/2018/01/03/intel-processor-bug-leaves-all-current-chips-vulnerable-and-its-fix-saps-performance/#75546002570a

VMware VMSA-2018-0001 – CVE-2017-15548, CVE-2017-15549, CVE-2017-15550

The runner who runs faster achieves the goal; he is the winner. We are just in the first week of 2018, and VMware was faster than Microsoft in announcing a critical vulnerability on 2nd Jan 2018 (Advisory ID: VMSA-2018-0001). Quote: “A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems”. Remark: vSphere Data Protection is a backup solution for use in vSphere. The official announcement is shown in the URL below:

https://www.vmware.com/security/advisories/VMSA-2018-0001.html

Renaissance – Cyber attack transformation

Preface:

Renaissance – the period of this revival, roughly the 14th through the 16th century, marking the transition from medieval to modern times.

Background:

Viruses and malware wreaked havoc in information technology environments in the past decade, especially on the Microsoft Windows operating system platform. It looks like a transformation has happened since smartphones began leading the IT technology trend. The percentage of usage for smartphones is bigger than for traditional computer devices (desktop, notebook and server).

Transformation of cyber attack scenario

The majority of cyber attacks in information technology environments have been by traditional viruses since the early 90's. The quick and simplified explanation in the diagram below is able to awaken your memories in this regard.

The Evolution diagram of virus, worm, malware and ransomware

Remark: Perhaps we show the generations of viruses and malware over the past three decades. The diagram looks simple; however, it represents the viruses and malware of each specific period of time.

The attack surface targeted Microsoft products until the smartphone appeared.

We all know that the design goal of viruses and malware fundamentally targeted Microsoft products. We feel that Linux-based operating systems provide a secure environment. But the question is: which element changed the atmosphere in a silent way?

We understand that malware infection is divided into four phases (see the diagram below). The malicious file (the so-called dropper file) relies on the PE (portable executable) format to execute the infiltration. The malicious code will try to infiltrate executables, object code, DLLs, FON font files, and others used in 32-bit and 64-bit versions of Windows operating systems.

However, this specific mechanism does not work in a Linux environment, or did not until ELF malware was invented.

Stages of a Malware Infection and technology evolution overview

Where did it begin? Code injection into the Linux world.

The Linux operating system looks like a well-protected castle, but a beast lives inside. Are you familiar with the ptrace() system call on Linux? With reference to the manual (execute the man command in Linux): the ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers. It is primarily used to implement breakpoint debugging and system call tracing.

Docker is an open-source technology. Meanwhile, Docker is also the company driving the container movement and the only container platform provider to address every application across the hybrid cloud. Microsoft's cloud product family also embraced Docker. The infographic below can give you an idea of how Docker works.

No matter whether it is a Fedora workstation or a cloud computing platform (Docker), the ptrace() call can do the magic, even attaching to a system process!

Reference: you can restrict this behavior through the Yama LSM's ptrace_scope setting, as follows:

If you are using Fedora (see below for reference). The value 0 is the permissive classic mode (any process may attach to another process of the same uid); 1 allows tracing only descendants, 2 requires CAP_SYS_PTRACE to attach, and 3 disables attaching entirely until reboot:

echo 2 > /proc/sys/kernel/yama/ptrace_scope

or modify (with root privileges) the persistent kernel.yama.ptrace_scope setting in

/etc/sysctl.d/10-ptrace.conf

If you are using Docker, you will probably need the options below, which grant the container CAP_SYS_PTRACE and disable the default seccomp profile (<image> is a placeholder for the image name):

docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined <image>
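As an added example (not code from the original post), the audit helper below interprets the Yama ptrace_scope value and flags the `docker run` options shown above that hand ptrace to a container; the command lines and file contents it checks are constructed inputs.

```python
"""Added example: interpret /proc/sys/kernel/yama/ptrace_scope and flag
`docker run` options that enable ptrace inside a container."""
import shlex

# Meaning of the ptrace_scope values, per the Yama LSM documentation
YAMA_SCOPES = {
    0: "classic: any process may attach to another process with the same uid",
    1: "restricted: only descendants may be traced (or via PR_SET_PTRACER)",
    2: "admin-only: PTRACE_ATTACH requires CAP_SYS_PTRACE",
    3: "no attach: ptrace attach is disabled until reboot",
}


def yama_finding(scope_text: str) -> tuple[int, str, bool]:
    """Parse the file contents; returns (value, meaning, is_permissive)."""
    value = int(scope_text.strip())
    if value not in YAMA_SCOPES:
        raise ValueError(f"unexpected ptrace_scope value {value}")
    return value, YAMA_SCOPES[value], value == 0


def docker_ptrace_findings(cmdline: str) -> list[str]:
    """Return the `docker run` options in cmdline that enable ptrace in the
    container; both `--opt=value` and `--opt value` spellings are handled."""
    args = shlex.split(cmdline)
    findings = []
    for i, arg in enumerate(args):
        key, _, val = arg.partition("=")
        if not val and i + 1 < len(args):
            val = args[i + 1]            # value given as the next argument
        if arg == "--privileged":
            findings.append("--privileged grants all capabilities, including SYS_PTRACE")
        elif key == "--cap-add" and val.upper().removeprefix("CAP_") in ("SYS_PTRACE", "ALL"):
            findings.append(f"--cap-add={val} lets the container ptrace its processes")
        elif key == "--security-opt" and val.replace(" ", "") == "seccomp=unconfined":
            findings.append("seccomp=unconfined drops the default syscall filter")
    return findings


if __name__ == "__main__":
    # Constructed inputs; on a real host read the ptrace_scope file instead
    print(yama_finding("0\n"))
    print(docker_ptrace_findings(
        "docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined debian"))
```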

The detailed information above is intended to prove the comment described earlier: the Linux operating system looks like a well-protected castle, but a beast lives inside. Why? If a zero-day vulnerability occurs in Linux, an ELF-format file with embedded malicious code relies on the zero-day vulnerability to execute the attack, which awakens the beast through privilege escalation. This assumption is not rare: Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux kernel found last year. Such incidents harm not only workstations but also cloud infrastructure. From a technical point of view, there is no difference between Microsoft products and Linux products.

ELF malware space

The example above highlights the ELF format file. ELF is flexible, extensible, and cross-platform, not bound to any given central processing unit (CPU) or instruction set architecture. This has allowed it to be adopted by many different operating systems on many different hardware platforms. Smartphones, especially Android phones, fully utilize the Linux OS platform. Perhaps the vendor announcement says this is not a standard Linux OS, but the truth is that they are using a Linux-based kernel.
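As an added example (not code from the original post) covering both the PE dropper discussion earlier and the ELF section here: a small header classifier that tells PE from ELF and reports bitness, target architecture and image kind, which shows how ELF's e_machine field lets one format serve many CPUs. The byte samples are constructed minimal headers, not real binaries.

```python
"""Added example: recognise PE and ELF images from their headers, as a
first triage step for Windows (PE) droppers and Linux/Android (ELF) malware."""
import struct

# e_machine (ELF) and Machine (PE COFF header) values for common targets
ELF_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
PE_MACHINES = {0x14C: "x86", 0x1C0: "ARM", 0x8664: "x86-64", 0xAA64: "ARM64"}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def classify_executable(data: bytes) -> dict:
    """Return format, bitness, architecture and kind for a PE or ELF image."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        ei_class, ei_data = data[4], data[5]          # EI_CLASS: 1=32-bit, 2=64-bit
        endian = "<" if ei_data == 1 else ">"          # EI_DATA: 1=little, 2=big endian
        e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
        return {"format": "ELF", "bits": 32 if ei_class == 1 else 64,
                "arch": ELF_MACHINES.get(e_machine, hex(e_machine)),
                "kind": ELF_TYPES.get(e_type, "unknown")}
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew: offset of "PE\0\0"
        if data[pe:pe + 4] == b"PE\0\0" and len(data) >= pe + 26:
            machine = struct.unpack_from("<H", data, pe + 4)[0]
            chars = struct.unpack_from("<H", data, pe + 22)[0]   # COFF Characteristics
            magic = struct.unpack_from("<H", data, pe + 24)[0]   # optional header magic
            return {"format": "PE", "bits": 64 if magic == 0x20B else 32,
                    "arch": PE_MACHINES.get(machine, hex(machine)),
                    "kind": "DLL" if chars & 0x2000 else "EXE"}
    return {"format": "unknown"}


# Constructed sample headers (not real binaries): an ELF64 little-endian
# x86-64 executable and a PE32+ x86-64 EXE whose e_lfanew is 0x40
SAMPLE_ELF = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", 2, 0x3E)
SAMPLE_PE = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
             + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x0022)
             + struct.pack("<H", 0x20B))

if __name__ == "__main__":
    for sample in (SAMPLE_ELF, SAMPLE_PE, b"not an executable"):
        print(classify_executable(sample))
```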

According to the IDC Quarterly Mobile Phone Tracker, phone companies shipped a total of 344.3 million smartphones worldwide in the first quarter of 2017 (1Q17). In such a way, cyber attacks including BYOD botnets or IoT botnets wreak havoc.

In order to cope with the IT technology and smartphone trend, attackers will build ELF malware using a customized builder, and therefore malware targeting Linux systems, including smartphones, is growing rapidly. For instance, the Gyrfalcon implant targets OpenSSH clients on a wide variety of Linux platforms. Should you have interest, please refer to the URL below for reference.

https://wikileaks.org/vault7/#OutlawCountry

Summary:

Information security experts found in early 2016 that the Stagefright exploit puts millions of Android devices at risk. The attack is effective against devices running Android versions 2.2 through 4.0 and 5.0 and 5.1. Another round of malware attacks on Android devices is CopyCat: CopyCat malware infected 14M Android devices and rooted 8M in 2016. This is history, but malware attacks on the Linux world are on the way!

Forever 21 retail shop data breach – official announcement

Credit card POS malware wreaks havoc. Reading the headline news, notice that Forever 21 confirmed that a data breach occurred. The breach exposed card numbers, expiration dates and verification codes, but not cardholder names. According to the information reported by engadget.com, Chipotle and GameStop suffered similar breaches this year (2017), and hotel giant HEI had a similar data breach in 2016. An announcement on 27th June 2017 said that Forever 21 partners with Toshiba GCS on a new POS. I found that the hardware vendor announced a potential vulnerability in the Infineon TPM used in Toshiba notebook products. Do you think the POS and the notebook will be using a similar TPM, since both POS and workstation can run on top of Windows OS? The world is not safe, especially the technology world!

Forever 21 breach exposed customer credit card info for months URL for reference – https://www.engadget.com/2017/12/29/forever-21-breach-exposed-credit-card-info-months/

Potential vulnerability in Infineon TPM (Trusted Platform Module) used in Toshiba notebook products URL for reference – http://www.toshiba.co.uk/generic/potential-vulnerability-in-Infineon-TPM/

Say Goodbye to 2017 cyber incidents

We are going to say goodbye to 2017. What is your expectation for the new year? Cyber world activities, especially cyber attacks, looked intensive this year. Perhaps last decade we could not imagine a ransomware threat with such powerful destructive power. The crypto worm (WannaCry) broke the cyber incident world record by suspending the operations of a huge volume of workstations and servers around the world in May 2017. A shock to the world was that the only way to recover your system or data was to pay the ransom. Apart from that, an alert to the business world is how open source software provides IT security assurance to the company. The data breach incident at Equifax awakened everybody. However, the data breach incidents continuously exposed to the world were caused by misconfiguration instead of vulnerabilities, which in such a way discredits the cloud service providers. In the banking environment, ATM malware wreaks havoc. Experts speculated that DDoS attacks would be replaced by ransomware, but it looks like DDoS is running strong this year. My opinion is that application security will be the focus of IT people next year. By the way, I wish you a Happy New Year.

Layer 7 (application layer) – What are the information security key factors?

antihackingonline.com