Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-5407

Опубликовано: 30 окт. 2018
Источник: redhat
CVSS3: 4.8
EPSS Низкий

Описание

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.

A microprocessor side-channel vulnerability was found on SMT (e.g, Hyper-Threading) architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information.

Отчет

This is a timing side-channel flaw on processors which implement SMT/Hyper-Threading architectures. It can result in leakage of secret data in applications such as OpenSSL that has secret dependent control flow at any granularity level. In order to exploit this flaw, the attacker needs to run a malicious process on the same core of the processor as the victim process.

Меры по смягчению последствий

At this time Red Hat Engineering is working on patches for openssl package in Red Hat Enterprise Linux 7 to address this issue. Until fixes are available, users are advised to review the guidance supplied in the L1 Terminal Fault vulnerability article: https://access.redhat.com/security/vulnerabilities/L1TF and decide what their exposure across shared CPU threads are and act accordingly.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5opensslWill not fix
Red Hat Enterprise Linux 5openssl097aWill not fix
Red Hat Enterprise Linux 6opensslWill not fix
Red Hat Enterprise Linux 6openssl098eWill not fix
Red Hat Enterprise Linux 7openssl098eWill not fix
Red Hat Enterprise Linux 8compat-openssl10Will not fix
Red Hat Enterprise Linux 8opensslNot affected
Red Hat JBoss Enterprise Application Platform 5opensslWill not fix
Red Hat JBoss Enterprise Application Platform 6opensslWill not fix
Red Hat JBoss Enterprise Web Server 2opensslWill not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=1645695openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)

EPSS

Процентиль: 73%
0.00778
Низкий

4.8 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2018-5407

CVSS3: 4.7
ubuntu
больше 6 лет назад

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.

nvd логотип

CVE-2018-5407

CVSS3: 4.7
nvd
больше 6 лет назад

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.

debian логотип

CVE-2018-5407

CVSS3: 4.7
debian
больше 6 лет назад

Simultaneous Multi-threading (SMT) in processors can enable local user ...

github логотип

GHSA-3rjg-j575-7f6p

CVSS3: 4.7
github
около 3 лет назад

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.

oracle-oval логотип

ELSA-2019-0483

oracle-oval
больше 6 лет назад

ELSA-2019-0483: openssl security and bug fix update (MODERATE)

EPSS

Процентиль: 73%
0.00778
Низкий

4.8 Medium

CVSS3