[Dev] [News] Hyperbola users are now mitigated against Microarchitectural Data Sampling (MDS) vulnerabilities

André Silva emulatorman at hyperbola.info
Fri May 17 03:41:51 EEST 2019


As part of our commitment to provide a fully free (as in freedom)
operating system that is stable, simple and "SECURE", we hereby announce
that Hyperbola users are now mitigated against the recently published
Microarchitectural Data Sampling (MDS) vulnerabilities, also labelled as
ZombieLoad (CVE-2018-12130), RIDL (Rogue In-Flight Data Load)
(CVE-2018-12127 and CVE-2019-11091), and Fallout (CVE-2018-12126), which
Intel has controversially rated as "Moderate" severity. These
flaws, if exploited by an attacker with local shell access to a system,
could allow data in the CPU's cache to be exposed to unauthorized
processes. While difficult to execute, a skilled attacker could use
these flaws to read memory from a virtual or containerized instance, or
the underlying host system. The vulnerabilities can be exploited using
malware planted on the targeted devices, but some of them can also be
exploited remotely from the internet via JavaScript code and malicious
websites. Even a rogue website running JavaScript in the target's
browser could trick the CPU into revealing data that should be protected
from untrusted code running on that machine. That data can include
information like what website the user is browsing, their passwords, or
the secret keys to decrypt their encrypted hard drive. At this point in
time, these specific flaws are only known to affect Intel-based
processors. Hyperbola users are strongly advised to upgrade their
systems immediately by running # pacman -Syu

Additionally, since it is not possible to fully prevent cross-thread
attacks, complete mitigation of MDS may require disabling Intel
Hyper-Threading Technology. Users should decide at their own discretion
whether disabling SMT/HT, and the resulting tradeoff of performance for
security, is what they want. Hyper-Threading (Intel HT) is Intel's
implementation of simultaneous multithreading (SMT), which is a
technique for splitting a single physical processor core into two
virtual cores which are known as hardware threads. It's supposed to
improve performance by allowing two software threads to run
simultaneously through each physical core, sharing available resources
on the silicon chip as needed. This means one physical core can juggle
two threads, either in the same application or two separate
applications, at the same time, improving throughput. However, it also
brings the risk that side-channel surveillance techniques, such as MDS,
may be able to break hardware thread isolation and access sensitive data
they shouldn't be able to see. In other words, one thread can snoop on
the memory accesses of another thread sharing the same physical CPU
core, and potentially lift passwords, keys, and other secrets. In this
case, part of the mitigation advice is to specify the kernel command
line option mds=full,nosmt.

We recommend that users avoid nonfree JavaScript code and use firejail
to sandbox their browsers.

As part of our solution, we are providing an updated kernel that is
patched against the vulnerabilities, and we will ship fresh live images
shortly.
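
After upgrading and rebooting (with or without mds=full,nosmt), the
kernel's own view of the MDS mitigation and SMT state can be read back
from sysfs. The script below is an added example, not part of the
original announcement or of Hyperbola's tooling; it assumes the patched
kernel exposes /sys/devices/system/cpu/vulnerabilities/mds and
/sys/devices/system/cpu/smt/control, and the function names are
hypothetical.

```shell
#!/bin/sh
# Added example: report MDS mitigation state from the kernel's sysfs interface.
# The sysfs root and cmdline path are parameters (assumptions of this example)
# so the check can run against constructed files as well as the live system.

# Print the value of the mds= boot option, or "(not set)".
mds_cmdline_opt() {
    cmdline_file=${1:-/proc/cmdline}
    opt=$(tr ' ' '\n' 2>/dev/null < "$cmdline_file" | sed -n 's/^mds=//p' | tail -n 1)
    echo "${opt:-(not set)}"
}

# Return 0 = mitigated (or CPU not affected), 1 = buffers cleared but SMT
# siblings still exposed, 2 = vulnerable, 3 = kernel does not report MDS.
mds_check() {
    sysroot=${1:-/sys/devices/system/cpu}
    cmdline_file=${2:-/proc/cmdline}
    vuln_file=$sysroot/vulnerabilities/mds

    if [ ! -r "$vuln_file" ]; then
        echo "unknown: $vuln_file missing (kernel predates the MDS patches?)"
        return 3
    fi
    status=$(cat "$vuln_file")
    smt=$(cat "$sysroot/smt/control" 2>/dev/null || echo unknown)
    echo "mds status : $status"
    echo "smt control: $smt"
    echo "boot option: mds=$(mds_cmdline_opt "$cmdline_file")"

    case $status in
        "Not affected") return 0 ;;
        Mitigation:*"SMT vulnerable"*|Mitigation:*"SMT Host state unknown"*) return 1 ;;
        Mitigation:*) return 0 ;;
        *) return 2 ;;   # "Vulnerable", including the "no microcode" variant
    esac
}

mds_check || true   # inspect the running system; exit code ignored here
```

A return code of 1 corresponds to the case described above: CPU buffers
are cleared, but a sibling hardware thread can still observe data unless
SMT is disabled.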
