Code, Security and Server Stuff

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View All Posts.

CVE

Ubuntu 16.04: Spectre, Meltdown Security Vulnerabilities (and how to patch).

by

Below is a post about the Spectre and Meltdown Security vulnerabilities and mostly how it relates to Ubuntu.

Advertisement:



Spectre and Meltdown Background

Google Project Zero found a server-side hardware bug (undocumented feature) that allows reading of privileged memory by leveraging a CPU (and possibly any GPU and SOC) feature to execute code ahead of time in “if” code branches before the result of the “if” case is known. This execute code ahead of demand feature was added to speed up processors to assists the FETCH, DECODE, EXECUTE and WRITE-BACK stages in the execution pipeline preparation.

Processors hate reading from main memory (it is too slow) so if data can be PREFETCHED or CACHED before being executed in the CPU allowing the CPU can do more work. This bug/flaw is not really a bug/flaw IMHO but an insecure efficiency feature.

Read more on the Spectre and Meltdown bug here at Wired.

CPU History

Aside: Check out the Red Hill Hardware guide and the evolution (documentation) of early CPU’s.

You can read more about the Pentium 4’s cache, rapid execution engine and instruction set additions to learn more about the evolution of CPU efficiency here.

Making processors faster (adding more MHZ) may be futile if the cache is too small or slow, and simply adding more cache can increase costs. Branch prediction was a way to increase performance (by using idle clock cycles or saving clock cycles) without adding extra cache or silicone (extra cost). I suspect in the future branch prediction and read ahead features may be locked down or processor manufacturers may swing back to adding more MHZ/Cores/Cache.

Anandtech https://www.anandtech.com have a great article on branch prediction (I can’t find the article now but will add it when I find it later) but this guide gives the gist.

CPU 101

A CPU is much like a checkout area at a grocery store, and a multi-core CPU is like a grocery store with multiple checkouts.

  • Things (processing and reading to/from memory) happen sequentially (per core).
  • Only one item can be scanned (processed) at a time (per core).
  • Customers trolleys and items are like program threads and items to scan (to be calculated in the CPU).
  • Customers trolleys (programs with things to calculate) line up and wait for the CPU (attendant) to scan (execute) items. PRE-FETCH and other CPU tasks help organize data related to instructions.
  • One checkout line (core) cannot read or affect items at another checkout (thread safety).

When a price check is called on an item (causing huge delays while the price is being checked by a runner (reading from main memory)) the checkout attendant (CPU core) processes the next items at the checkout (items in the processor execution pipeline). Branch predicting will read ahead in idle times to prevent idle delays or cache-misses to prevent slowdown. Processors usually make sure things are in the processors L3, L2 or L1 memory before they are executed but some commands with pre-requisite data cannot be pre-cached.

CPU instruction information

Here is a list of x86 instructions

Troy Hunt in Weekly Update 68 https://www.troyhunt.com/weekly-update-68/ mentioned a twitter thread by Graham Sutherland (@gsuberland) https://twitter.com/gsuberland/status/948907452786933762 that summaries speculative execution more succinctly. Meltdown and Spectre bugs are due to the speculative execution in the processor.

Official Information on Spectre and Meltdown

Spectre (Security Vulnerability Wikipedia Article)

Meltdown (Security Vulnerability Wikipedia Article)

Proof of concepts exploits in the wide

Proof of concept and exploits are no doubt in the wild (as reported by Michael Schwarz@misc0110)

Ubuntu Impact

I have a number of Ubuntu servers and I have updated them to fix Spectre and Meltdown issues.

UpCloud is my favourite cloud provider.

    Ubuntu said here that is has been notified by Intel of this issue since November 09 2017.

    Ubuntu Timeline (16.04 related snip from here)

      • 2017 Nov 09: the Ubuntu Security team is notified by Intel under NDA.
      • 2017 Nov 20: the CRD is established as 2018-01-09.
      • 2017 Dec: the Ubuntu Security team receives notifications from additional silicon vendors about the impact to their products.
      • 2018 Jan 03: issue becomes public a few days before the CRD.
      • 2018 Jan 04: Canonical publicly communicates the planned update schedule.
      • 2018 Jan 04: Mozilla releases timing attack mitigations.
      • 2018 Jan 05: Ubuntu Firefox updates are made available in USN 3516-1.
      • 2018 Jan 07: Candidate kernels are beginning to be made available for testing at ppa:canonical-kernel-team/pti. This initial round will address CVE-2017-5754 (aka Meltdown or Variant 3) for x86_64. We will address CVE-2017-5715 and CVE-2017-5753 (aka Spectre or Variant 1 & 2) in a subsequent round. We will also address additional architectures in subsequent rounds. Kernels currently available are as follows. We will continue to update this table as more become available:
      • Package: linux, Version: 4.4.0-108.131, Series: Xenial 16.04
      • -2018 Jan 09: NVIDIA driver updates published, see USN-3521-1.
      • Cloud image updates.
      • Core image updates.

      At this time it looks like this has been fixed on Ubuntu 16.04 LTS (Xenial Xerus) with released (57.0.4+build1-0ubuntu0.16.04.1). Consider updating your Ubuntu servers.

      You can follow the Ubuntu CVE listing here to be ahead of future security issues.
      https://people.canonical.com/~ubuntu-security/cve/main.html

      Spectre and Meltdown related Ubuntu CVE’s

      Spectre – CVE-2017-5715

      Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

      Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html

      Spectre – CVE-2017-5753

      Description: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

      Ubuntu-Description: Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory.

      Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html

      Meltdown – CVE-2017-5754

      Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

      Ubuntu-Description: Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory.

      Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html

      Links

      Ubuntu Security News https://usn.ubuntu.com/usn/

      Subscribe to the Ubuntu Security Announcement Distribution List https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

      Ubuntu CVE Tracker (Main) http://people.canonical.com/~ubuntu-security/cve/main.html

      Links from CVE articles

      https://spectreattack.com/
      https://meltdownattack.com/
      https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
      https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
      https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
      https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
      http://www.amd.com/en/corporate/speculative-execution
      https://developer.arm.com/support/security-update
      https://www.qemu.org/2018/01/04/spectre/
      https://usn.ubuntu.com/usn/usn-3516-1
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
      http://nvidia.custhelp.com/app/answers/detail/a_id/4611
      https://usn.ubuntu.com/usn/usn-3521-1
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
      https://github.com/IAIK/KAISER
      https://gruss.cc/files/kaiser.pdf
      https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
      https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

      FYI: Ubuntu 17.04 will not be getting the Spectre and Meltdown fixes, this is a good reason why not to use a non-LTS (long time support) release of Ubuntu (abandoned after 9 months):
      https://lists.ubuntu.com/archives/ubuntu-announce/2018-January/000227.html

      How to update Ubuntu

      As always backup your server and configuration first (consider taking a snapshot). I run the following command to update my system and reboot.

      Warning: Some packages may overwrite in-production configuration files (or break production servers) so take your time updating, use test servers (green and blue or dev, test and prod) and only upgrade production when you are ready.

      fyi: AWS related Speculative Execution post: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

      Impact on Future Program Build Times

      Twitter user Peter Czanik (@PCzanik https://twitter.com/PCzanik) reports that compile times that fix speculative execution have increased his build times from 4 minutes to 21 minutes.

      Windows Impacts

      Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

      https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

      OSX Impacts
      Report: Intel CPUs suffer from major security flaw, fix could bring notable performance hit to macOS

      Web Browser and JavaScript Impacts

      General

      Here’s what every Chrome user should do in the wake of #Spectre

      http://mashable.com/2018/01/04/google-chrome-spectre-precaution-meltdown/

      Microsoft reveals how Spectre updates can slow your PC down

      https://www.theverge.com/2018/1/9/16868290/microsoft-meltdown-spectre-firmware-updates-pc-slowdown

      Microsoft halts AMD Meltdown and Spectre patches after reports of unbootable PCs

      Review: https://twitter.com/search?q=spectre%20meltdown

      Viewing the Change log of updatable packages

      View the change log of updatable packages for a certain Cve.

      sudo apt-get update

      sudo apt-get changelog ntp | grep CVE-2017-5715

      The output will show matches of updatable packages that match.

      Ubuntu Cloud Tips

      Read my guide on Useful Linux Terminal Commands https://fearby.com/article/useful-linux-terminal-commands/

      Read my guide on how to setting up a Vultr VM (Ubuntu) and configuring it https://fearby.com/article/setting-vultr-vm-configuring/

      Good luck.

      Scott Manleys breakdown of Spectre and Meltdown

      More Reading

      Anandtech – Understanding Meltdown & Spectre: What To Know About New Exploits That Affect Virtually All CPUs.

      More Fearby.com Reading

      Donate and make this blog better

      Ask a question or recommend an article

      [contact-form-7 404 "Not Found"]

      Revision History

      v1.4 Scott Manleys link

      v1.3 Added Anandtech article.

      v1.2 Wired link.

      v1.1 view the changelog of updatable packages.

      v1.0 Initial Copy.

      Hope this helps someone.

      Flaw in WPA2 protocol (KRACK) is a reminder of the limited life of all technology.

      by

      The recent KRACK flaw in the WPA2 protocol is a reminder of the limited life of all technology. All technology has a finite lifespan (intended or not) and you should not bet on a piece of technology being around long.

      Advertisement:



      Wireless Broken (Again)

      WEP wireless security was launched in 1997 and lasted until 2004, WPA and WPA2 replaced WEP but the recent flaw in WPA2 (originated from WEP) will forge an update to WPA2 or launch a WPA3. WPA2 was just a certified WPA.

      WPA wireless encryption uses TKIP and AES encryption subsets, TKIP is similar to WEP and should not be used. AES subset is a more rigorous encryption subset available in WPA2 (and is used by the US Government. AES’s main weakness is a brute force attack to find the wireless password so ALL of your passwords must be unique and strong. Do not use common or shared passwords and make sure passwords are as strong as allowed.  I personally use the 1Password Password Manager to generate strong passwords and if you are feeling nerdy you can use the GRC Password Generatorhttps://howsecureismypassword.net/ is a good site that allows you to see how secure a password is (how long a brute force attack would take to obtain your password by brute force).

      What can you do to fix wifi

      1. If you are using TKIP in WPA use AES instead.
      2. Check your WiFi routers manufacturer and ask for a new firmware that will fix the KRACK attack.

      @TPLINK @TPLINKHelp When will new firmware be available for the TD-W8961N fo fix krackattacks.com ?

      It is up to you to know the rick for each technology you use and when you stop using it.

      Support Windows

      Most operating systems and web browsers have support windows but security protocols, encryption and cyphers do not? why?

      Not just Wifi is Broken

      As a developer always assume things are insecure and always prepare for the worst, you should ensure brute force attacks are blocked by setting up a firewall on your serves, run a security audit and install software level plugins to ban IP’s when brute force attacks happen.  Don’t forget to set up an SSL certificate (read my Lets Encrypt guide here) and if you want extra security read here on SSL certificate Public Key Pinning.

      You can deploy a server in the cloud for as low as $2.5 a month (guide here) on Vultr or set up a server on Digital Ocean (first 2 months are free) read my setup guide here.

      Depreciation of libraries and code

      Software developers are all too familiar with the depreciation of libraries and code, recently I had to switch from mysql_connect routines that was deprecated in PHP 5.5, luckily a mysqli_connect was available so not a real problem.

      Having to switch technology to a faster and or more secure version is a win-win IMHO.

       

      Backup

      Whats your backup plan? Don’t forget you can easily backup with RSync. There is no excuse for backing up your data.

      Git

      You should also use source code repositories like GitHub or BitBucket to manage code versions and restore environments when things go bad.

      Social Media

      Security-related twitter followers I personally follow to keep up to date with security news.
       
      GFDI Foundation:
       
      0xDUDE
       
      Security Now Podcaster:
       
      Australian Security Researcher Troy Hunt:

      Hashtags are also a great way to stay up to date on exploits (#KRACK, #vuln, #CVE etc).

      Handy links

      Read more on hackers Tactics, Techniques & Common Knowledge.

      Read the OWASP guide to pick up software security best practices.

      Stay safe: Research, Secure and Backup.

      More Soon..

       

      Donate and make this blog better




      Ask a question or recommend an article

      [contact-form-7 404 "Not Found"]

      Revision History

      v1.1 Added support windows..

      etc

      Update OpenSSL on a Digital Ocean VM

      by

      You may be reading this after reading my guide here https://fearby.com/article/adding-a-commercial-ssl-certificate-to-a-digital-ocean-vm

      Advertisement:



      Related Guide:  How to buy a new domain and SSL cert from NameCheap, a Server from Digital Ocean and configure it.

      Having strong SSL and security is a constant battle.  Recently a bug  OpenSSL Padding Oracle vulnerability (CVE-2016-2107) in OpenSSL. More information here.

      You can check your websites SSL security here https://www.ssllabs.com/ssltest/ and this this tool https://filippo.io/CVE-2016-2107/.

      Hopefully you do not see this:

      oraclecve

      How to Fix (1/2) – Update Misc.

      sudo apt-get update
sudo apt-get dist-upgrade

      How to Fix (2/2) – Manual Update OpenSSL

      Head on over to ftp://ftp.openssl.org/source/ and check the filename of the latest update.

      Run the following commands in a terminal.

      wget ftp://ftp.openssl.org/source/openssl-1.0.2h.tar.gz
tar -xvzf openssl-1.0.1g.tar.gz 
cd openssl-1.0.1g 
./config --prefix=/usr/ 
make 
sudo make install

      You can verify you are running the latest OpenSSL by typing:

      [email protected]:~/temp/openssl-1.0.2h# openssl version
OpenSSL 1.0.2h  3 May 2016

      You may also need to restart your web server:

      sudo service nginx restart

      Review more security advice here: https://wiki.ubuntu.com/Security/Upgrades

      Re test your website with https://filippo.io/CVE-2016-2107/.

      Security

      Cheap may not be good (hosting or DIY), do check your website often in https://www.shodan.io and see if it has open software or is known to hackers. 

      I hope this helps.

      Donate and make this blog better





      Ask a question or recommend an article
      [contact-form-7 404 "Not Found"]