In January 2018, security researchers announced a new class of side channel attacks that impact most processors, including processors from Intel, AMD, ARM, IBM, and MIPS. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory.

There are three separate vulnerabilities involved:

- CVE-2017-5753: Spectre Variant 1, Bounds Check Bypass
- CVE-2017-5715: Spectre Variant 2, Branch Target Injection
- CVE-2017-5754: Meltdown Variant 3, Rogue Data Cache Load

The Spectre and Meltdown vulnerabilities have varying impacts in different environments, and the mitigations available can be difficult to understand. This article will be updated periodically with new information as it becomes available, until the issues have been resolved.

To address the issue in Debian, updates to the kernel, processor microcode, hypervisor, and various other userspace packages will be needed. These updates are being announced in Debian Security Announcements and Debian LTS Announcements as they become available.

Kernel updates have been shipped for Debian stable/stretch and later. The gcc compiler toolchain was updated in Debian buster/unstable (gcc 7.3), stretch (gcc 6) through DSA-4121 and jessie (gcc 4.9) through DSA-4117. The compiler updates were still required to provide fixes for the Linux kernel. No archive rebuild is planned at this point, so user-space fixes (particularly for Spectre v1) vary according to the affected binary package, as the fix is basically per-program.

Spectre Variant 2 can be exploited both locally (within the same OS) and through the virtualization guest boundary. Fixes require CPU microcode/firmware to activate. Subscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor. AMD processors are believed not to be affected by Meltdown, and no mitigation is applied to them by default. In particular, qemu and other hypervisors need to pass through certain CPU features to allow guest operating systems to correctly configure mitigation mechanisms.

In stretch-backports, buster and sid there is a package spectre-meltdown-checker which can be used to help determine one's vulnerability status:

```
sudo apt install -t stretch-backports spectre-meltdown-checker
```

Furthermore, kernel-level mitigation strategies are visible from userspace in the /sys/devices/system/cpu/vulnerabilities/ directory. For example, this is the output after a successful kernel update in Debian stretch:

```
/sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
```

Red Hat has released good information that describes the issue further. The Xen project has made an advisory on how to handle these issues in a Xen virtualization environment. Ubuntu has a similar page for those using that Debian derivative; most information in this article is applicable to Debian as well.

Yesterday a new class of attacks against modern CPU microarchitectures was disclosed. Two specific attacks were released: Meltdown and Spectre. The impact of these vulnerabilities is that an attacker who can run code on a computer can potentially gain access to memory space outside the bounds of its normal authorization. In the case of Meltdown, this means a piece of malicious software could gain access to kernel or, in the case of some virtualization schemes, host memory. In the case of Spectre, this means untrusted code running in a sandbox (such as JavaScript) could gain access to the memory of its parent process (in the case of JavaScript, that would mean it could read all data in the browser process).

So what is Coinbase doing to protect your funds and personal data, and what can you do to protect yourself? Coinbase maintains an aggressive vulnerability management program.
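The sysfs check described above, turned into a small POSIX sh script as an added example (this is not code from the Debian wiki, the Coinbase post or the spectre-meltdown-checker package). It classifies each entry under /sys/devices/system/cpu/vulnerabilities/ using the status forms the kernel writes there ("Not affected", "Mitigation: ...", "Vulnerable" or "Vulnerable: ...") and exits with the number of entries that are neither mitigated nor unaffected. The directory is a parameter so the same function can be exercised offline on a constructed sample directory that mimics the stretch output quoted above; the sample's unmitigated spectre_v2 entry is constructed for contrast.

```shell
#!/bin/sh
# Added example: summarise the kernel's per-vulnerability mitigation status
# from sysfs. The directory is a parameter so the function can also be run
# against a constructed sample (see make_sample_dir) on any machine.

# Classify one sysfs status string. The kernel writes one of:
#   "Not affected", "Vulnerable", "Vulnerable: <detail>", "Mitigation: <detail>"
# Prints a short verdict; returns 0 when mitigated or not affected,
# non-zero when the entry needs attention (vulnerable or unrecognised text).
classify_status() {
    case "$1" in
        "Not affected"*) echo "ok";         return 0 ;;
        Mitigation:*)    echo "mitigated";  return 0 ;;
        Vulnerable*)     echo "VULNERABLE"; return 1 ;;
        *)               echo "unknown";    return 2 ;;
    esac
}

# Walk a vulnerabilities directory (default: the live kernel's) and print
# "name<TAB>verdict<TAB>raw kernel text" per entry. The return value is the
# number of entries that are not mitigated/unaffected, for use in scripts.
report_vulnerabilities() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # empty dir: the glob stays literal
        name=$(basename "$f")
        text=$(cat "$f")
        verdict=$(classify_status "$text") || bad=$((bad + 1))
        printf '%s\t%s\t%s\n' "$name" "$verdict" "$text"
    done
    return "$bad"
}

# Constructed sample (not real host data): the two mitigated entries from the
# patched stretch kernel quoted in the article, plus an unmitigated spectre_v2.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# When run directly: report on the live kernel if it exposes the directory
# (kernels predating the fixes do not), otherwise demonstrate on the sample.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    report_vulnerabilities || echo "entries needing attention: $?"
else
    sample=$(make_sample_dir)
    report_vulnerabilities "$sample" || echo "entries needing attention: $?"
    rm -rf "$sample"
fi
```

Because the verdict is also the exit status, the function can gate a post-update check (for example, refusing to return a host to a pool while any entry is still VULNERABLE); the "unknown" branch exists because newer kernels add entries and status wordings this script has not seen, and those should be looked at rather than silently counted as fine.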
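The point about hypervisors needing to pass CPU features through to guests, shown as a libvirt domain fragment for a KVM/qemu guest. This is an added example, not configuration from the Debian wiki or the Coinbase post; the feature name `spec-ctrl` and the `*-IBRS` model variants are taken from libvirt's CPU map as I know it, and whether they are accepted depends on the host's libvirt, qemu and microcode versions (assumption). The "Broadwell" model is just a placeholder for whatever model the guest uses today.

```xml
<!-- Before: a fixed named CPU model with no Spectre-related feature listed.
     Even when the host firmware has the new microcode, the guest kernel sees
     no IBRS/IBPB capability and cannot enable hardware-assisted Spectre v2
     mitigation; its own sysfs entry will keep reporting it as unmitigated. -->
<cpu mode='custom' match='exact'>
  <model fallback='forbid'>Broadwell</model>
</cpu>

<!-- After (explicit): require the feature. policy='require' makes the domain
     refuse to start on a host whose microcode lacks it, which is preferable
     to silently starting an unmitigated guest. Use the corresponding AMD
     feature instead of spec-ctrl on AMD hosts. -->
<cpu mode='custom' match='exact'>
  <model fallback='forbid'>Broadwell</model>
  <feature policy='require' name='spec-ctrl'/>
</cpu>

<!-- Alternative: expose the host CPU as-is. Simplest way to get every
     mitigation-related feature the host has, at the cost of live migration
     between hosts with different CPUs or microcode levels. -->
<cpu mode='host-passthrough'/>
```

After changing the definition, the guest must be fully powered off and started again (a reboot inside the guest does not re-read the CPU model), and the guest's own /sys/devices/system/cpu/vulnerabilities/ entries are the place to confirm the mitigation is now in effect.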