A few weeks ago, Julian Stecklina (Amazon.de), Thomas Prescher (cyberus-technology.de), and Zdenek Sojka (sysgo.com) reported a vulnerability in Intel Core-based CPUs, very similar to the recent Meltdown exploits. For those not familiar, the CPU is the piece of hardware that handles the processing for an entire computer system. Thus, a vulnerability in that component puts the whole system in peril.
Before we jump into the vulnerability, we need to go over a few details of CPU architecture. First, a CPU keeps the values it is working on in “registers”: a small set of storage locations holding data and pointers used during computation, anything from instruction operands to memory addresses or raw bit sequences. Computations on numbers with a decimal point (“floating point” numbers) use a dedicated set of floating point unit (FPU) registers. To make the most of a CPU’s cores, the operating system performs context switching, using otherwise idle clock cycles by switching between the active processes or threads. When that happens, an FPU handled with the lazy method leaves the register contents as they are until the incoming task actually touches them, if at all; the eager method, on the other hand, restores the FPU registers for the incoming task immediately. For a more thorough explanation of how this works, visit this link.
Any Linux kernel that follows the “Lazy FPU Restore” scheme is vulnerable to this information leakage issue, filed as CVE-2018-3665. In short, an attacker could use this flaw to read FPU state bits through a side-channel attack, potentially obtaining information about other applications and their encryption operations. This vulnerability affects most flavors of Linux, including Red Hat and Debian/Ubuntu. An article by redhat.com covers the resolution for RHEL 7 and onward, whereas RHEL 6 and earlier are to expect a patch at some point in the future. RHEL 7 defaults to the safer “eager” option for floating point register restores on Sandy Bridge (2011) and later Intel processors. Other processors can mitigate this by booting the kernel with “eagerfpu=on” (read more here), which saves and restores the FPU state on every context switch regardless of whether FPU instructions are invoked. On top of that, the setting carries no performance impact or adverse effects on processors that are not affected.
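As an added check that is not part of the original post, the script below classifies a kernel as using lazy or eager FPU restores from its command line and boot log. It assumes that an explicit eagerfpu= parameter overrides the kernel's default and that the kernel logs its choice in the 4.x-era form "x86/fpu: Using 'eager' FPU context switches."; on kernels without that message it reports "unknown" rather than guessing.

```shell
#!/bin/sh
# Decide which FPU restore scheme a Linux kernel is using.
# The classifier takes plain text so it can be exercised on constructed
# samples; fpu_restore_mode_live feeds it the real /proc/cmdline and dmesg.

# Prints "eager", "lazy" or "unknown".
fpu_restore_mode() {
    cmdline="$1"   # contents of /proc/cmdline
    bootlog="$2"   # kernel boot messages (dmesg output)

    # An explicit eagerfpu= parameter overrides whatever the kernel picked by default.
    case " $cmdline " in
        *" eagerfpu=off "*) echo lazy;  return 0 ;;
        *" eagerfpu=on "*)  echo eager; return 0 ;;
    esac

    # Assumed boot message format (4.x kernels):
    #   x86/fpu: Using 'eager' FPU context switches.
    case "$bootlog" in
        *"x86/fpu: Using 'eager' FPU context switches"*) echo eager; return 0 ;;
        *"x86/fpu: Using 'lazy' FPU context switches"*)  echo lazy;  return 0 ;;
    esac

    # No explicit parameter and no recognisable log line: do not guess.
    echo unknown
    return 0
}

# Same classification against the running system (dmesg may need root).
fpu_restore_mode_live() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    bootlog=$(dmesg 2>/dev/null || true)
    fpu_restore_mode "$cmdline" "$bootlog"
}

# Only touch the live system when asked, so the functions can be sourced safely.
if [ "${1:-}" = "--live" ]; then
    mode=$(fpu_restore_mode_live)
    echo "FPU restore mode: $mode"
    # A lazy kernel is exposed to CVE-2018-3665; "unknown" still needs a manual look.
    [ "$mode" = eager ] || exit 2
fi
```

Run it as `sh fpu_check.sh --live`; a non-zero exit means the kernel is either lazy or could not be classified and the vendor advisory should be consulted.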
Intel has already confirmed the flaw, and affected vendors are either working on or have already released security patches. Intel has published further technical detail about this vulnerability and provided some recommendations, as noted here. Keep your Linux installations updated with the latest security patches to resolve this flaw, especially if you’re not sure which FPU restore method you are using. – Emil Hozan
Note: No WatchGuard products are affected by this vulnerability. The Linux kernels used in all WatchGuard operating systems are compiled to use safe floating point restores.
Intel.com contributors. Lazy FP State Restore (INTEL-SA-00145). Retrieved from https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html
Mitre.org contributors. CVE-2018-3665. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3665
Redhat.com contributors. CVE-2018-3665. Retrieved from https://access.redhat.com/security/cve/cve-2018-3665
Redhat.com contributors. Lazy FPU Save/Restore (CVE-2018-3665). Retrieved from https://access.redhat.com/solutions/3485131