WoTTsecurity / agent

Simple security audit for linux systems
https://wott.io/
MIT License

Spectre/Meltdown detected when running in Vagrant/Virtualbox #252

Open vpetersson opened 4 years ago

vpetersson commented 4 years ago

How to reproduce:

$ vagrant init ubuntu/xenial64
$ vagrant up
[ install agent ]

You will then get:

[Screenshot: Screen Shot 2019-12-11 at 9 52 55 AM]

Reproduced on macOS 10.15.1 and VirtualBox 6.0.14 r133895 (Qt5.6.3)

a-martynovich commented 4 years ago

Why are you sure it's a bug?

vpetersson commented 4 years ago

I used this script to check:

$ sudo sh spectre-meltdown-checker.sh
[...]
CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec:  YES  (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO
* Kernel has mask_nospec64 (arm64):  NO
> STATUS:  NOT VULNERABLE  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, STIBP: disabled, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES
    * IBRS enabled and active:  NO
  * Kernel is compiled with IBPB support:  YES
    * IBPB enabled and active:  NO
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO
  * Kernel compiled with retpoline option:  YES
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  YES
> STATUS:  NOT VULNERABLE  (Full retpoline is mitigating the vulnerability)
[...]
CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES
  * PTI enabled and active:  YES
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)
[...]

I've also upgraded the box fully:

$ sudo apt update -q && sudo apt upgrade
Hit:1 http://archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:3 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Hit:5 https://packagecloud.io/wott/agent/ubuntu bionic InRelease
Fetched 252 kB in 2s (116 kB/s)
Reading package lists...
Building dependency tree...
Reading state information...
All packages are up to date.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  linux-image-unsigned-4.15.0-55-generic linux-modules-4.15.0-55-generic
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

a-martynovich commented 4 years ago

@vpetersson Please run agent with --debug and post full output here. Also are you running vagrant in some OS in Virtualbox or are you running vagrant on MacOS which uses Virtualbox?

vpetersson commented 4 years ago

> Please run agent with --debug and post full output here.

https://gist.github.com/vpetersson/4c8b60c643c12f1e23cdf3e2000cf14b

> Also are you running vagrant in some OS in Virtualbox or are you running vagrant on MacOS which uses Virtualbox?

I'm using Vagrant directly on macOS.

$ vagrant --version
Vagrant 2.2.6

a-martynovich commented 4 years ago

@vpetersson Please post the result of grep . /sys/devices/system/cpu/vulnerabilities/*

vpetersson commented 4 years ago

$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected

vpetersson commented 4 years ago

My gut-feeling is that this is a false positive because of the VirtualBox hypervisor.

a-martynovich commented 4 years ago

@vpetersson Look at this:

/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable

It says "Vulnerable", meaning that either the mitigation failed to load or it is disabled. I don't see any mention of CVE-2018-3639 in the output of the script you've used.

> My gut-feeling is that this is a false positive because of the VirtualBox hypervisor.

Can't prove or disprove it until I try an actual exploit and see what it can do in this environment. Need at least a week of hardcore hacking.

There's even a related ticket and another one. And a stackexchange question.

a-martynovich commented 4 years ago

VirtualBox 6.0.8 exposes the following mitigations (which can be enabled using VBoxManage modifyvm):

--mds-clear-on-vm-entry on
--l1d-flush-on-vm-entry on
--spec-ctrl on
--ibpb-on-vm-exit on
--ibpb-on-vm-entry on

https://security.stackexchange.com/questions/211265/virtualbox-spectre-v4
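The thread settles the question by reading the sysfs status files by hand: a value beginning with "Mitigation:" is mitigated, "Not affected" needs nothing, and "Vulnerable" (including "KVM: Vulnerable") means the mitigation is off or never loaded, which is why spec_store_bypass is the real finding and the spectre-meltdown-checker output, which never mentions CVE-2018-3639, did not contradict the agent. The following POSIX sh script is an added example of that reading as code; it is not part of the wott agent and not code posted in the thread. The sample input is the exact set of lines posted above for the VirtualBox guest, embedded as a constructed string; the function and variable names are the example's own. Any value that matches none of the three patterns (for instance kernels that report "Unknown: ...") is reported as unknown rather than silently passed.

```shell
#!/bin/sh
# Added example, not code from the wott agent or from the thread: a small
# POSIX sh classifier for the sysfs speculative-execution status files
# (/sys/devices/system/cpu/vulnerabilities/*), applying the reading used in
# the thread: a value starting with "Mitigation:" is mitigated, "Not affected"
# is not affected, and anything containing "Vulnerable" (including
# "KVM: Vulnerable") means the mitigation is disabled or failed to load.
# Any other text is reported as "unknown" rather than silently passed.

# Constructed sample: the lines posted in the thread for the VirtualBox
# guest, as produced by
#   grep . /sys/devices/system/cpu/vulnerabilities/*
SAMPLE_SYSFS='/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected'

# classify_vulns: read "path:value" lines on stdin, print "name<TAB>state"
# where state is one of vulnerable, mitigated, not_affected, unknown.
classify_vulns() {
    while IFS= read -r line; do
        path=${line%%:*}          # everything before the first colon
        name=${path##*/}          # basename, e.g. spec_store_bypass
        value=${line#*:}          # everything after the first colon
        case "$value" in
            "Not affected"*) state=not_affected ;;
            "Mitigation:"*)  state=mitigated ;;
            *Vulnerable*)    state=vulnerable ;;
            *)               state=unknown ;;
        esac
        printf '%s\t%s\n' "$name" "$state"
    done
}

# vulnerable_names: the names whose state is vulnerable, space-separated
# on one line (empty line if none), suitable for an agent check or a CI gate.
vulnerable_names() {
    classify_vulns | awk -F '\t' '
        $2 == "vulnerable" { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# Usage on the constructed sample. On a real guest feed it the live files:
#   grep . /sys/devices/system/cpu/vulnerabilities/* | classify_vulns
printf '%s\n' "$SAMPLE_SYSFS" | classify_vulns
printf 'Still vulnerable: %s\n' "$(printf '%s\n' "$SAMPLE_SYSFS" | vulnerable_names)"
```

On the posted input this reports itlb_multihit and spec_store_bypass as vulnerable and the other six entries as mitigated or not affected, so a guest-side check cannot tell a hypervisor that withholds the CPU interface from a host that genuinely lacks the microcode; the thread's VBoxManage options above are the host-side knobs, and which of them clears a given sysfs entry on a particular VirtualBox version is something to re-check with this script after changing the VM configuration rather than something the thread itself establishes.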