Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 15 May 2024 10:50:09 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-21823: Intel DSA and Intel IAA advisory

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html
was published yesterday covering OS/Hypervisor mitigations they recommend
to reduce exposure to a bug in certain recent Intel CPUs.

It states:

> Summary: 
> 
> A potential security vulnerability in some Intel® Data Streaming Accelerator
> (Intel® DSA) and Intel® Analytics Accelerator (Intel® IAA) V1.0 for some
> Intel® 4th or 5th generation Xeon® processors may allow denial of service.
> Intel is releasing prescriptive guidance and software updates to mitigate
> this potential vulnerability.
> 
> Vulnerability Details: 
> 
> CVEID:  CVE-2024-21823
> 
> Description: Hardware logic with insecure de-synchronization in Intel® DSA and
> Intel® IAA for some Intel® 4th or 5th generation Xeon® processors may allow an
> authorized user to potentially enable denial of service via local access.
> 
> CVSS Base Score: 6.4 Medium
> 
> CVSS Vector:  CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:H
> 
> Recommendation:
> 
> Intel recommends following the steps below to address these issues:
> 
> Restrict untrusted usage of Intel® DSA/IAA devices on impacted Intel® 4th
> Generation and 5th Generation Xeon® scalable processors, from VM guest or
> 3rd party application. Intel has worked with the OS vendor to provide an
> updated Kernel to disallow direct access to Intel® DSA and IAA v1.0 devices
> by untrusted software. Intel recommends using the upstream or LTS Linux kernel
> with the updated driver containing mitigations. Please contact your OS vendor
> for updates.
>  
> 
> In addition, Intel is publishing the following libraries for the updated Kernel
> version and recommends updating the following:
> 
> - Intel® DSA Transparent Offload Library (DTO) to version 1.1 or later. Updates
>   are available for download at this location: https://github.com/intel/DTO
> - OFI Libfabric Shared Memory Provider to version 1.21.1 or later. Updates are
>   available for download at this location:
>   https://github.com/ofiwg/libfabric/releases
> - Intel® MPI Library before version October 2024 later. The library will be
>   updated for Intel OneAPI in October 2024.
> - Intel® Data Mover Library (DML) before version v1.2.0 or later. Updates are
>   available for download at this location: https://github.com/intel/DML
> - Intel® Query Processing Library (QPL) before version v1.6.0. Updates are
>   available for download at this location: https://github.com/intel/qpl
> - SPDK DSA Driver before version v24.9. Updates are available for download at
>   this location: https://github.com/spdk/spdk
[Further details, including a table of affected hardware, is in their advisory.]

https://bugzilla.redhat.com/show_bug.cgi?id=2278989 notes:

> The fix went public today in Linus' tree with the following commits:
> 
> 95feb3160eef ("VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist")
> e11452eb071b ("dmaengine: idxd: add a new security check to deal with a hardware erratum")
> 6827738dc684 ("dmaengine: idxd: add a write() method for applications to submit work")

I don't know if any other open source kernels or hypervisors support this
hardware yet - if so, they will presumably need to publish equivalent
mitigations.

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.