OpenServer 5.0.7 UnixWare 7.1.4 UnixWare 7.1.3 : Hyper-Threading information leakage

To: security-announce@xxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: OpenServer 5.0.7 UnixWare 7.1.4 UnixWare 7.1.3 : Hyper-Threading information leakage
From: please_reply_to_security@xxxxxxx
Date: Fri, 13 May 2005 09:35:33 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: please_reply_to_security@xxxxxxx
User-agent: Mutt/1.2.5i

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.7 UnixWare 7.1.4 UnixWare 7.1.3 : 
Hyper-Threading information leakage
Advisory number:        SCOSA-2005.24
Issue date:             2005 May 13
Cross reference:        sr893223 fz531468 erg712804 sr893224 fz531469 erg712805 
CAN-2005-0109
______________________________________________________________________________


1. Problem Description

        Hyper-Threading (HT) Technology allows two series of
        instructions to run simultaneously and independently on a
        single Intel(R) Xeon (TM) or HT-enabled Intel Pentium(R) 4
        processor. With Hyper-Threading Technology enabled, the
        system treats a physical processor as two "logical"
        processors. Each logical processor is allocated a thread
        on which to work, as well as a share of execution resources
        such as cache memories, execution units, and buses. 

        In Colin Percival's paper "Cache Missing for Fun and Profit", he 
        describes the problem of sharing of caches which could provide a
        high bandwidth covert channel between threads, and could also 
        permit a malicious thread operating with limited privileges 
        to monitor the execution of another thread, allowing 
        in some cases for theft of cryptographic key data.
        
        This issue affects OpenServer 5.0.7 if SMP is installed and any
        Update Pack is applied.  It also affects UnixWare 7.1.4 and 7.1.3 
        if Hyper-Threading is enabled.  (Hyper-Threading is disabled in
        UnixWare by default.) 

        The Common Vulnerabilities and Exposures project (cve.mitre.org) 
        has assigned the name CAN-2005-0109 to this issue.


2. Vulnerable Supported Versions

        System                  
        ----------------------------------------------------------
        OpenServer 5.0.7 with SMP and any Update Pack installed
        UnixWare 7.1.4 with Hyper-Threading enabled
        UnixWare 7.1.3 with Hyper-Threading enabled


3. Solution

        The proper solution is to disable Hyper-Threading, unless you 
        are certain that (1) no authorized users of your system have the 
        ability to run a malicious program, and (2) it is not possible 
        for any unauthorized users to access the system.  

4. OpenServer 5.0.7

        4.1 Workaround

        SCO OpenServer supports Hyper-Threading Technology via the
        SCO OpenServer Release 5.0.7 Symmetrical Multiprocessing
        (SMP) product. When SMP plus any Update Pack is installed, 
        Hyper-Threading is enabled by default.

        To disable Hyper-Threading, update the crllry_hyperthread_enable 
        kernel variable. This variable is defined in the 
        /etc/conf/pack.d/crllry/space.c file. Specify a value of "0" 
        to disable Hyper-Threading. To modify this variable, edit the file, 
        then relink and reboot the kernel.  You can use the "cpuonoff -c"
        command to display the processor status.

        See the hyperthread(HW) man page for details.


5. UnixWare 7.1.4 / UnixWare 7.1.3

        5.1 Workaround

        Hyperthreading is supported on UnixWare 7.1.3 and 7.1.4 when
        the osmp package is installed.  It is disabled by default. 
        If it has been enabled, remove the ENABLE_JT=Y line from 
        /stand/boot to disable it.  Then use the command

                shutdown -i6 -g0 -y

        to rebuild the kernel and reboot the system.  You can use the 
        psrinfo(1M) command to display the processor status.  

        See the ENABLE_JT (Jackson Technology) boot parameter in the 
        boot(4) man page for details.
        
6  Location of this security advisory

        ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.24 and
        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.24

7. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0109

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix is tracked by SCO incidents sr893223 fz531468
        erg712804 sr893224 fz531469 erg712805.


8. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


9. Acknowledgments

        SCO would like to thank Colin Percival.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)

iD8DBQFChNNhaqoBO7ipriERAqqEAKCMIzQemt+9lNCO3AlLOJMks0EdqgCgn6SW
FedwEAYjiPA/qMKHqBdEVaA=
=9KqS
-----END PGP SIGNATURE-----

Prev by Date: Ultimate PHP Board (UPB) Security Advisory
Next by Date: Netvault Remote Heap Overflow (another one)
Previous by thread: Ultimate PHP Board (UPB) Security Advisory
Next by thread: Netvault Remote Heap Overflow (another one)
Index(es):
- Date
- Thread