IBM Power9 processors beset by Cardiac Osprey data-leaking flaw as Spectre still haunts speculative chips

Patch if you can: Fix available

Updated IBM Power9 processors, intended for data centers and mainframes, are potentially vulnerable to abuse of their speculative execution capability. The security shortcoming could allow a local user to access privileged information.

On Thursday IBM published a security advisory that explains, "IBM Power9 processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances."

The vulnerability has a base score of 5.1 on the Common Vulnerability Scoring System (CVSS).

Speculative execution is a technique to improve processing speed by which processors anticipate future instructions and execute them in advance, keeping the results if the guess is correct and throwing them out if not.

The problem with this approach, as demonstrated by the Spectre and Meltdown flaws disclosed in 2018, is that these transient calculations can be spied upon through side channels, possibly providing a way to bypass memory and confidentiality protections.

Since the Spectre and Meltdown disclosures, security researchers have revealed similar techniques for compromising sensitive data through side-channel attacks. Though the Power9 flaw is not as serious as its predecessors, it adds yet another example of the challenges chip designers face when trying to create processors that are both fast and secure.

In a post to a security mailing list, Linux kernel contributor Daniel Axtens said that while hardware and software security mechanisms for Power9 systems prevent an attacker from directly accessing protected memory, these built-in protections fail to deal with a scenario in which an attacker induces the operating system to speculatively execute instructions using data the attacker controls.

"This can be used for example to speculatively bypass 'kernel user access prevention' techniques, as discovered by Anthony Steinhauser of Google's Safeside Project," explained Axtens.

"This is not an attack by itself, but there is a possibility it could be used in conjunction with side-channels or other weaknesses in the privileged code to construct an attack."

The CVE designation for the flaw, CVE-2020-4788, has been dubbed Cardiac Osprey by the Vulnonym bot.

There's a fix, available in Linux patches and from IBM: Flushing the L1 cache across privilege boundaries – between kernel access and user access.

The only potential problem is that this may affect performance. Benchmarks for the impact of the cache flushing patch have yet to be published.

Even as issues like this get addressed, there are more waiting to be explored and exploited. Not only has there been a steady stream of techniques to attack CPUs through structures like branch predictors, caches, and random number generators, among others, but boffins believe System-on-Chip (SoC) cross-component attacks could yield new attack paths.

In a working paper [PDF] published via ArXiv on Thursday, computer scientists at University of California at Riverside, Binghamton University, and Pacific Northwest National Laboratory outline how an integrated GPU can be used to attack an associated CPU, or vice versa.

Updated to add

Preliminary benchmark tests show little to no performance hit from installing the patches on a Power9 Linux system.

