To: security-announce@list.sco.com, bugtraq@securityfocus.com,
From: please_reply_to_security@sco.com
Subject: OpenServer 5.0.7 UnixWare 7.1.4 UnixWare 7.1.3 : Hyper-Threading information leakage
Date: Fri, 13 May 2005 09:35:33 -0700
Message-ID: <20050513093533.A2443@caldera.com.>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenServer 5.0.7 UnixWare 7.1.4 UnixWare 7.1.3 : Hyper-Threading information leakage
Advisory number: SCOSA-2005.24
Issue date: 2005 May 13
Cross reference: sr893223 fz531468 erg712804 sr893224 fz531469 erg712805 CAN-2005-0109
______________________________________________________________________________
1. Problem Description
Hyper-Threading (HT) Technology allows two series of
instructions to run simultaneously and independently on a
single Intel(R) Xeon (TM) or HT-enabled Intel Pentium(R) 4
processor. With Hyper-Threading Technology enabled, the
system treats a physical processor as two "logical"
processors. Each logical processor is allocated a thread
on which to work, as well as a share of execution resources
such as cache memories, execution units, and buses.
In Colin Percival's paper "Cache Missing for Fun and Profit", he
describes the problem of sharing of caches which could provide a
high bandwidth covert channel between threads, and could also
permit a malicious thread operating with limited privileges
to monitor the execution of another thread, allowing
in some cases for theft of cryptographic key data.
This issue affects OpenServer 5.0.7 if SMP is installed and any
Update Pack is applied. It also affects UnixWare 7.1.4 and 7.1.3
if Hyper-Threading is enabled. (Hyper-Threading is disabled in
UnixWare by default.)
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2005-0109 to this issue.
2. Vulnerable Supported Versions
System
----------------------------------------------------------
OpenServer 5.0.7 with SMP and any Update Pack installed
UnixWare 7.1.4 with Hyper-Threading enabled
UnixWare 7.1.3 with Hyper-Threading enabled
3. Solution
The proper solution is to disable Hyper-Threading, unless you
are certain that (1) no authorized users of your system have the
ability to run a malicious program, and (2) it is not possible
for any unauthorized users to access the system.
4. OpenServer 5.0.7
4.1 Workaround
SCO OpenServer supports Hyper-Threading Technology via the
SCO OpenServer Release 5.0.7 Symmetrical Multiprocessing
(SMP) product. When SMP plus any Update Pack is installed,
Hyper-Threading is enabled by default.
To disable Hyper-Threading, update the crllry_hyperthread_enable
kernel variable. This variable is defined in the
/etc/conf/pack.d/crllry/space.c file. Specify a value of "0"
to disable Hyper-Threading. To modify this variable, edit the file,
then relink and reboot the kernel. You can use the "cpuonoff -c"
command to display the processor status.
See the hyperthread(HW) man page for details.
5. UnixWare 7.1.4 / UnixWare 7.1.3
5.1 Workaround
Hyperthreading is supported on UnixWare 7.1.3 and 7.1.4 when
the osmp package is installed. It is disabled by default.
If it has been enabled, remove the ENABLE_JT=Y line from
/stand/boot to disable it. Then use the command
shutdown -i6 -g0 -y
to rebuild the kernel and reboot the system. You can use the
psrinfo(1M) command to display the processor status.
See the ENABLE_JT (Jackson Technology) boot parameter in the
boot(4) man page for details.
6 Location of this security advisory
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.24 and
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.24
7. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0109
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix is tracked by SCO incidents sr893223 fz531468
erg712804 sr893224 fz531469 erg712805.
8. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
9. Acknowledgments
SCO would like to thank Colin Percival.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)
iD8DBQFChNNhaqoBO7ipriERAqqEAKCMIzQemt+9lNCO3AlLOJMks0EdqgCgn6SW
FedwEAYjiPA/qMKHqBdEVaA=
=9KqS
-----END PGP SIGNATURE-----
