CLD-412 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-3640 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s) Spectre v3a

Basic Information:

Affected Package(s) linux
Deficiency Type SECURITY
Date Created 2018-05-22 09:01:32
Date Last Modified 2018-05-22 12:15:08

Version Specific Information:

Cucumber 1.0 i686 waiting for upstream to publish patch
Cucumber 1.0 x86_64 waiting for upstream to publish patch

Cucumber 1.1 i686 waiting for upstream to publish patch
Cucumber 1.1 x86_64 waiting for upstream to publish patch

Details:

=================================== Overview ===================================

From
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html:

CVE-2018-3640 - Rogue System Register Read (RSRE) - also known as Variant 3a

Systems with microprocessors utilizing speculative execution and that perform
speculative reads of system registers may allow unauthorized disclosure of
system parameters to an attacker with local user access via a side-channel
analysis.

4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

================================ Initial Report ================================

The original report can be found at:
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

The full white paper can be found at:
https://software.intel.com/sites/default/files/managed/b9/f9/336983-Intel-Analysis-of-Speculative-Execution-Side-Channels-White-Paper.pdf

The reports are too long to post here.

================================= Our Analysis =================================

See our blog post for additional information:
https://sourceforge.net/p/cucumber-linux/blog/2018/05/here-we-go-again-spectre-v3a-cve-2018-3640-and-spectre-v4-cve-2018-3639/

----- Affected Products -----
All versions of the 4.9 series Linux kernel up to and including 4.9.101 are
vulnerable to this issue. As of this writing (Tue May 22 12:39:14 EDT 2018), 4.9.101
is the latest 4.9 release available; future releases may or may not be
affected.

The Linux kernel as originally packaged on both Cucumber Linux 1.0 and 1.1 is
vulnerable.

----- Scope and Impact of this Vulnerability -----
The full impact of this vulnerability has not been sufficiently verified yet;
however, Intel has indicated that it "may allow unauthorized disclosure of
information to an attacker with local user access."

----- Fix for this Vulnerability -----
As of Tue May 22 12:39:14 EDT 2018, there are no publicly available fixes for
this vulnerability.

================================= Our Solution =================================

We are waiting for the upstream kernel developers and Intel to publish patches.