speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

Exploit-DB 43427 performs successful exploit on a 'NOT VULNERABLE' system? #168

Closed ghost closed 6 years ago

ghost commented 6 years ago

Today I tested this Spectre PoC on my system and the exploit worked.

Meanwhile this tool shows me:

```
Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.4.120-45-default #1 SMP Wed Mar 14 20:51:49 UTC 2018 (623211f) x86_64
CPU is Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES
    * CPU indicates STIBP capability:  YES
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 58 stepping 9 ucode 0x1f)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  UNKNOWN
    * IBRS enabled for User space:  UNKNOWN
    * IBPB enabled:  UNKNOWN
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline + IBPB)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
```

May I ask for some clarification on this matter please?

speed47 commented 6 years ago

Closing as duplicate of #133, please read it, it'll answer your questions. Please reopen if this is not the case!

ghost commented 6 years ago

Thanks!

ghost commented 6 years ago

@anchev the tool only checks if mitigations are available on the system:

`CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1' ... STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)`

Unless you study the disclaimer, the above output might cloud your sense of security. Because, unless you compile the code of executables afresh and correctly, the SV1 exploits still work nicely, contrary to "STATUS: NOT VULNERABLE". If you/others have not done it, this message (mitigation in place) boils down to: "No Security at all".

knweiss commented 6 years ago

@f-s You may want to take a look at this proposal by Chandler Carruth/Google for the LLVM project:

RFC: Speculative Load Hardening (a Spectre variant #1 mitigation)

This is a new proposal that comes close to (automatically) fixing occurrences of Spectre V1 problems (by recompilation) - at a high performance cost however.

ghost commented 6 years ago

@f-s which executables? I am using openSUSE Leap and I get the binaries from the official repos. I have read the disclaimer of course, that's why I asked additional questions in the linked issue which @speed47 shared.

ghost commented 6 years ago

@anchev executables which have not been recompiled with SV1 compiler mitigations active? I have no idea what openSUSE is doing. I would use LFS-like distributions to be sure, maybe Gentoo, too ;-)

ghost commented 6 years ago

@f-s I have no idea what exactly openSUSE do either but the fact is they provided patches quite quickly after the announcements. It is a well maintained distro.

In a sense perhaps you are right - LFS would be probably the cleanest and self-reliant way but I don't feel I have the knowledge to jump that deep, so I still stay with openSUSE.

In case you are interested, here is a bug report with lots of comments about Spectre and Meltdown:

https://bugzilla.suse.com/show_bug.cgi?id=1068032

Unfortunately I can't find the answer to what we discuss here in it. Are you saying that each and every program on the system needs to be recompiled with particular mitigation (of the compiler)?

ghost commented 6 years ago

> Unfortunately I can't find the answer to what we discuss here in it. Are you saying that each and every program on the system needs to be recompiled with particular mitigation (of the compiler)?

@anchev every program which might use speculative execution in a security context and has not been fixed/checked/tested/debugged with regard to SV1 by the developers yet, yes I want to recompile it with compiler mitigations in place.

ghost commented 6 years ago

Thanks for this info @f-s.

Do you think it would be reasonable to file a bug report to openSUSE requesting such recompilation (they will be releasing a new version of the distro soon)? Can you suggest a link with more info about such compilation or a proper way to file such a bug report? Then I can file it to them. Hopefully for the good of everyone.

Speaking of all this: how should one compile the PoC mentioned in the OP here, i.e. what compile options would make it a non-exploit?
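The point made several times in this thread, that the checker only reports the kernel's own mitigations and says nothing about the bounds checks compiled into userspace binaries, is easiest to see with the kind of code a Variant 1 mitigation changes. The following is an added illustration for this thread (not code from the checker, from the Exploit-DB PoC, or from any of the commenters): a bounds-checked table lookup in its unhardened form next to the same lookup hardened with an index mask. The mask arithmetic is the same as the generic `array_index_mask_nospec()` the checker looks for in the kernel; the table contents, the function names and the `TABLE_SIZE` constant are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table standing in for any bounds-checked array in a
 * userspace program (hypothetical data, not taken from the PoC or the tool). */
#define TABLE_SIZE 16
static const uint8_t table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Unhardened accessor: the classic Variant 1 pattern. Architecturally the
 * bounds check is correct, but the CPU may predict the branch as taken and
 * issue the dependent load with an out-of-bounds index before the comparison
 * resolves. Nothing the kernel does (PTI, retpoline, its own masking) changes
 * how this userspace function behaves under speculation. */
uint8_t lookup_unhardened(size_t index)
{
    if (index < TABLE_SIZE)
        return table[index];
    return 0;
}

/* Branchless mask: all-ones when index < size, zero otherwise. This is the
 * arithmetic of the Linux kernel's generic array_index_mask_nospec(); the
 * value comes from a data dependency, not from branch prediction.
 * Assumes size < 2^(bits-1), which holds for any real array. */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    /* Stop the compiler from using the preceding comparison to prove the
     * mask is redundant and deleting it (the kernel uses OPTIMIZER_HIDE_VAR). */
    __asm__ __volatile__("" : "+r"(index));
    return (size_t)(~(ptrdiff_t)(index | (size - 1 - index))
                    >> (sizeof(ptrdiff_t) * 8 - 1));
}

/* Hardened accessor: the check is unchanged, but the index actually used for
 * the load is clamped by the mask, so a mispredicted branch can at worst
 * load table[0] rather than an attacker-chosen out-of-bounds address. */
uint8_t lookup_hardened(size_t index)
{
    if (index < TABLE_SIZE) {
        size_t safe_index = index & index_mask_nospec(index, TABLE_SIZE);
        return table[safe_index];
    }
    return 0;
}

int main(void)
{
    size_t probes[] = { 3, 15, 16, (size_t)-1 };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("index %zu: mask=0x%zx unhardened=%u hardened=%u\n",
               probes[i], index_mask_nospec(probes[i], TABLE_SIZE),
               lookup_unhardened(probes[i]), lookup_hardened(probes[i]));
    }
    return 0;
}
```

Both accessors return the same architectural results, which is exactly why a checker that reads `/sys` and scans the kernel image cannot tell them apart in a third-party binary. The manual mask is what a developer applies at the specific sites that matter; the compiler-level answer to the question above is the Speculative Load Hardening pass from the RFC knweiss linked, enabled in clang with `-mspeculative-load-hardening`, and on the GCC side the `__builtin_speculation_safe_value` builtin (GCC 9 and later) for hand-placed hardening. Either way the binary has to be rebuilt; a kernel-side "NOT VULNERABLE" line does not extend to it.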