-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.7 UnixWare 7.1.4 UnixWare 7.1.3 : Hyper-Threading information leakage
Advisory number:        SCOSA-2005.24
Issue date:             2005 May 13
Cross reference:        sr893223 fz531468 erg712804 sr893224 fz531469 erg712805 CAN-2005-0109
______________________________________________________________________________


1. Problem Description

        Hyper-Threading (HT) Technology allows two series of
        instructions to run simultaneously and independently on a
        single Intel(R) Xeon (TM) or HT-enabled Intel Pentium(R) 4
        processor. With Hyper-Threading Technology enabled, the
        system treats a physical processor as two "logical"
        processors. Each logical processor is allocated a thread on
        which to work, as well as a share of execution resources
        such as cache memories, execution units, and buses.

        In Colin Percival's paper "Cache Missing for Fun and Profit",
        he describes the problem of sharing of caches which could
        provide a high bandwidth covert channel between threads, and
        could also permit a malicious thread operating with limited
        privileges to monitor the execution of another thread,
        allowing in some cases for theft of cryptographic key data.

        This issue affects OpenServer 5.0.7 if SMP is installed and
        any Update Pack is applied. It also affects UnixWare 7.1.4
        and 7.1.3 if Hyper-Threading is enabled. (Hyper-Threading is
        disabled in UnixWare by default.)

        The Common Vulnerabilities and Exposures project
        (cve.mitre.org) has assigned the name CAN-2005-0109 to this
        issue.


2. Vulnerable Supported Versions

        System
        ----------------------------------------------------------
        OpenServer 5.0.7 with SMP and any Update Pack installed
        UnixWare 7.1.4 with Hyper-Threading enabled
        UnixWare 7.1.3 with Hyper-Threading enabled


3. Solution

        The proper solution is to disable Hyper-Threading, unless
        you are certain that (1) no authorized users of your system
        have the ability to run a malicious program, and (2) it is
        not possible for any unauthorized users to access the system.


4. OpenServer 5.0.7

        4.1 Workaround

        SCO OpenServer supports Hyper-Threading Technology via the
        SCO OpenServer Release 5.0.7 Symmetrical Multiprocessing
        (SMP) product. When SMP plus any Update Pack is installed,
        Hyper-Threading is enabled by default.

        To disable Hyper-Threading, update the
        crllry_hyperthread_enable kernel variable. This variable is
        defined in the /etc/conf/pack.d/crllry/space.c file. Specify
        a value of "0" to disable Hyper-Threading. To modify this
        variable, edit the file, then relink and reboot the kernel.

        You can use the "cpuonoff -c" command to display the
        processor status.

        See the hyperthread(HW) man page for details.


5. UnixWare 7.1.4 / UnixWare 7.1.3

        5.1 Workaround

        Hyperthreading is supported on UnixWare 7.1.3 and 7.1.4 when
        the osmp package is installed. It is disabled by default.

        If it has been enabled, remove the ENABLE_JT=Y line from
        /stand/boot to disable it. Then use the command

                shutdown -i6 -g0 -y

        to rebuild the kernel and reboot the system.

        You can use the psrinfo(1M) command to display the processor
        status.

        See the ENABLE_JT (Jackson Technology) boot parameter in the
        boot(4) man page for details.


6. Location of this security advisory

        ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.24
        and
        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.24


7. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0109

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix is tracked by SCO incidents sr893223
        fz531468 erg712804 sr893224 fz531469 erg712805.


8. Disclaimer

        SCO is not responsible for the misuse of any of the
        information we provide on this website and/or through our
        security advisories. Our advisories are a service to our
        customers intended to promote secure installation and use of
        SCO products.


9. Acknowledgments

        SCO would like to thank Colin Percival.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)

iD8DBQFChNNhaqoBO7ipriERAqqEAKCMIzQemt+9lNCO3AlLOJMks0EdqgCgn6SW
FedwEAYjiPA/qMKHqBdEVaA=
=9KqS
-----END PGP SIGNATURE-----
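
An added example, not part of SCO's advisory: a shell check that reports whether the two settings changed by the workarounds in sections 4.1 and 5.1 are still active. The function names and the file formats it parses (NAME=value lines in /stand/boot, a C assignment to crllry_hyperthread_enable in space.c) are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: report whether the two Hyper-Threading settings named in the
# advisory are still active. Assumed file formats (not shown in the advisory):
#   /stand/boot                      one NAME=value per line, '#' starts a comment
#   /etc/conf/pack.d/crllry/space.c  C assignment "crllry_hyperthread_enable = N;"

# UnixWare: "enabled" if an active ENABLE_JT=Y line is present in the boot file.
unixware_ht_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep '^[[:space:]]*ENABLE_JT=[Yy]' "$1" >/dev/null; then
        echo enabled
    else
        echo disabled
    fi
}

# OpenServer: read the value assigned to crllry_hyperthread_enable in space.c.
openserver_ht_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    # Drop single-line /* ... */ comments, then keep the last assignment found.
    val=$(sed -e 's,/\*.*\*/,,g' "$1" |
        sed -n 's/.*crllry_hyperthread_enable[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        tail -n 1)
    case "$val" in
        "") echo unknown ;;
        0)  echo disabled ;;
        *)  echo enabled ;;
    esac
}

# Demo on constructed sample files (not copied from a real system).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'ENABLE_JT=Y' > "$d/boot"
    printf '%s\n' '/* constructed sample */' 'int crllry_hyperthread_enable = 1;' > "$d/space.c"
    echo "UnixWare sample:   $(unixware_ht_state "$d/boot")"
    echo "OpenServer sample: $(openserver_ht_state "$d/space.c")"
    rm -rf "$d"
}

# With two paths as arguments, audit those files; otherwise run the demo.
if [ $# -eq 2 ]; then
    echo "UnixWare:   $(unixware_ht_state "$1")"
    echo "OpenServer: $(openserver_ht_state "$2")"
else
    demo
fi
```

A result of "unknown" means the file was unreadable or the variable was not found; the running state is still confirmed with psrinfo(1M) or "cpuonoff -c" as the advisory describes.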