Spectre/Meltdown Spec store bypass: vulnerable

Welches Modul/Treiber für welche Hardware, Kernel compilieren...
Xela69
Beiträge: 29
Registriert: 08.06.2022 18:59:27
Lizenz eigener Beiträge: MIT Lizenz

Re: Spectre/Meltdown Spec store bypass: vulnerable

Beitrag von Xela69 » 03.04.2023 14:25:56

From CERT-EU Services on 2023-03-24 16:23

Dear Researcher,

Once again we would like to extend our gratitude for reporting your findings to us. It really helps us carry out our tasks and fulfill our mandate towards our constituents.

After examining the plausibility of the reported vulnerability and its effects, we followed due process in establishing contact with the relevant vendor, as per our vulnerability disclosure policy.

CERT-EU escalated the potential security issues related to CVE-2018-3639 to the ...Cloud support a few times. After a number of interactions with them, the ...Cloud team informed us that they are not concerned by CVE-2018-3639 because the CPUs in use for this service are not affected by this vulnerability.

Unfortunately, we are not in a position to have the vendor share with us more technical details explaining the reason why Speculative Store Bypass Disable (SSBD) option is not exposed to the guest virtual Debian-based machines.

Nevertheless, please be informed that in addition to SSBD there are other mitigation options available like process isolation or LFENCE option to control speculative load execution [1,2].

Finally, as a customer, you could request access to ...Cloud certifications, reports or on-site audits in order to check if the service meets your requirements, different compliance and security standards [3].

1. https://www.intel.com/content/www/us/en ... software-s[..]
2. https://msrc.microsoft.com/blog/2018/05 ... eculative-[..]
3. ...

We sincerely hope you find this information useful.

Kind regards,

--
CERT-EU (https://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: services@cert.europa.eu
PGP KeyID 0x5DDA8E13
FP: C9B2 0BAB 2C37 35AD FF79 7949 AFBD 579A 5DDA 8E13
Privacy statement: https://cert.europa.eu/cert/plaineditio ... ivacy.html

Xela69
Beiträge: 29
Registriert: 08.06.2022 18:59:27
Lizenz eigener Beiträge: MIT Lizenz

Re: Spectre/Meltdown Spec store bypass: vulnerable

Beitrag von Xela69 » 03.04.2023 14:26:34

Email from 2023-03-26 16:41

Dear CERT-EU Team,

many thanks for the efforts so far but doubts now arise.

Are we pulling together in the same direction?

As an European and one of the largest cloud provider in Europe, he should represent the values of Europe. Especially privacy, without which a democracy cannot survive and therefore neither can European values.

Cloud instances at xxx are not only affected by CVE-2018-3639 (https://nvd.nist.gov/vuln/detail/CVE-2018-3639).

In the meantime a shell-script exists which assesses a system's resilience against the several transient execution CVEs that were published since early 2018, and it gives guidance as to how to mitigate them.

You can find that shell script at following link: https://github.com/speed47/spectre-meltdown-checker

The xxx-VPS instances are currently vulnerable with:

CVE-2018-3640 https://nvd.nist.gov/vuln/detail/CVE-2018-3640 [5.6 MEDIUM]
CVE-2018-3639 https://nvd.nist.gov/vuln/detail/CVE-2018-3639 [5.3 MEDIUM]
CVE-2018-12126 https://nvd.nist.gov/vuln/detail/CVE-2018-12126 [5.6 MEDIUM]
CVE-2018-12130 https://nvd.nist.gov/vuln/detail/CVE-2018-12130 [5.6 MEDIUM]
CVE-2018-12127 https://nvd.nist.gov/vuln/detail/CVE-2018-19127 [9.8 CRITICAL]
CVE-2019-11091 https://nvd.nist.gov/vuln/detail/CVE-2019-11091 [5.6 MEDIUM]
CVE-2020-0543 https://nvd.nist.gov/vuln/detail/CVE-2020-0543 [5.5 MEDIUM]

THERE IS NO PRIVACY!

All these vulnerabilities can now be mitigated with the help of microcode and correctly set kernel parameters. Yes, performance intrusions can occur. However, the observance of privacy has a higher priority here.

Whether there is an intention here is secondary, the privacy must be guaranteed. Cloud provider xxx is a publicly traded company whose shareholders are unknown. Are there possibly Russian, Chinese or other shareholders?

I politely ask the experts from CERT-EU to definitely take a closer look at this.

I am looking forward.

Best regards
Zuletzt geändert von Xela69 am 13.05.2024 20:32:57, insgesamt 2-mal geändert.

Benutzeravatar
Tintom
Moderator
Beiträge: 3064
Registriert: 14.04.2006 20:55:15
Wohnort: Göttingen

Re: Spectre/Meltdown Spec store bypass: vulnerable

Beitrag von Tintom » 03.04.2023 22:11:22

Ich möchte deine Euphorie ja nicht bremsen, aber aus gegebenem Anlass einmal nachfragen: Hast du die Damen und Herren davon in Kenntnis gesetzt (und die Zustimmung erhalten?), dass du sämtliche Kommunikation hier veröffentlichst?

Benutzeravatar
towo
Beiträge: 4541
Registriert: 27.02.2007 19:49:44
Lizenz eigener Beiträge: GNU Free Documentation License

Re: Spectre/Meltdown Spec store bypass: vulnerable

Beitrag von towo » 03.04.2023 22:16:45

Kann man diesen Unsinn nicht beenden und den Thread zu machen?

Benutzeravatar
TRex
Moderator
Beiträge: 8314
Registriert: 23.11.2006 12:23:54
Wohnort: KA

Re: Spectre/Meltdown Spec store bypass: vulnerable

Beitrag von TRex » 06.04.2023 12:43:17

Xela69 hat geschrieben: ↑ zum Beitrag ↑
05.04.2023 16:31:36
Seid Ihr schon Up2Date?

https://internet.nl/
Hat der Link einen Zweck? Und: was hat das mit dem Rest des Threads zu tun? Ich finde die Frage von Tintom viel interessanter. Magst du darauf eingehen?
Jesus saves. Buddha does incremental backups.
Windows ist doof, Linux funktioniert nichtDon't break debian!Wie man widerspricht

Xela69
Beiträge: 29
Registriert: 08.06.2022 18:59:27
Lizenz eigener Beiträge: MIT Lizenz

Re: Spectre/Meltdown Spec store bypass: vulnerable

Beitrag von Xela69 » 27.04.2024 16:19:51

Nein! Über 150.000 Zugriffe sprechen für sich!

Benutzeravatar
Livingston
Beiträge: 1813
Registriert: 04.02.2007 22:52:25
Lizenz eigener Beiträge: MIT Lizenz
Wohnort: 127.0.0.1

Re: Spectre/Meltdown Spec store bypass: vulnerable

Beitrag von Livingston » 27.04.2024 19:43:47

Ja, ja, 150.000 Fliegen können nicht irren.
Der Hauptunterschied zwischen etwas, was möglicherweise kaputtgehen könnte und etwas, was unmöglich kaputtgehen kann, besteht darin, dass sich bei allem, was unmöglich kaputtgehen kann, falls es doch kaputtgeht, normalerweise herausstellt, dass es unmöglich zerlegt oder repariert werden kann.
Douglas Adams

Antworten