ID

VAR-201808-0957

CVE

CVE-2018-3646

TITLE

Intel processors are vulnerable to a speculative execution side-channel attack called L1 Terminal Fault (L1TF)

DESCRIPTION

Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. These attacks are known as L1 Terminal Fault: SGX, L1 Terminal Fault: OS/SMM, and L1 Terminal Fault: VMM. Intel Core Systems with microprocessors contain information disclosure vulnerabilities.Information may be obtained. Intel Core i3 processor, etc. are all CPU (central processing unit) products of Intel Corporation of the United States. Security vulnerabilities exist in several Intel products that use speculative execution and address translation. The following products are affected: Intel Core i3 processor; Intel Core i5 processor; Intel Core i7 processor; Intel Core M processor family; 2nd generation Intel Core processors; 3rd generation Intel Core processors; 4th generation Intel Core processors; 5th generation Intel Core processors, etc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: kernel security update Advisory ID: RHSA-2018:2389-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:2389 Issue date: 2018-08-14 CVE Names: CVE-2018-3620 CVE-2018-3646 ==================================================================== 1. Summary: An update for kernel is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Telco Extended Update Support, and Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server AUS (v. 7.2) - noarch, x86_64 Red Hat Enterprise Linux Server E4S (v. 7.2) - noarch, ppc64le, x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 7.2) - x86_64 Red Hat Enterprise Linux Server Optional E4S (v. 7.2) - ppc64le, x86_64 Red Hat Enterprise Linux Server Optional TUS (v. 7.2) - x86_64 Red Hat Enterprise Linux Server TUS (v. 7.2) - noarch, x86_64 3. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting these issues. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. 5. Package List: Red Hat Enterprise Linux Server AUS (v. 7.2): Source: kernel-3.10.0-327.71.4.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-327.71.4.el7.noarch.rpm kernel-doc-3.10.0-327.71.4.el7.noarch.rpm x86_64: kernel-3.10.0-327.71.4.el7.x86_64.rpm kernel-debug-3.10.0-327.71.4.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-debug-devel-3.10.0-327.71.4.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.71.4.el7.x86_64.rpm kernel-devel-3.10.0-327.71.4.el7.x86_64.rpm kernel-headers-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-libs-3.10.0-327.71.4.el7.x86_64.rpm perf-3.10.0-327.71.4.el7.x86_64.rpm perf-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm python-perf-3.10.0-327.71.4.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm Red Hat Enterprise Linux Server E4S (v. 7.2): Source: kernel-3.10.0-327.71.4.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-327.71.4.el7.noarch.rpm kernel-doc-3.10.0-327.71.4.el7.noarch.rpm ppc64le: kernel-3.10.0-327.71.4.el7.ppc64le.rpm kernel-bootwrapper-3.10.0-327.71.4.el7.ppc64le.rpm kernel-debug-3.10.0-327.71.4.el7.ppc64le.rpm kernel-debug-debuginfo-3.10.0-327.71.4.el7.ppc64le.rpm kernel-debuginfo-3.10.0-327.71.4.el7.ppc64le.rpm kernel-debuginfo-common-ppc64le-3.10.0-327.71.4.el7.ppc64le.rpm kernel-devel-3.10.0-327.71.4.el7.ppc64le.rpm kernel-headers-3.10.0-327.71.4.el7.ppc64le.rpm kernel-tools-3.10.0-327.71.4.el7.ppc64le.rpm kernel-tools-debuginfo-3.10.0-327.71.4.el7.ppc64le.rpm kernel-tools-libs-3.10.0-327.71.4.el7.ppc64le.rpm perf-3.10.0-327.71.4.el7.ppc64le.rpm perf-debuginfo-3.10.0-327.71.4.el7.ppc64le.rpm python-perf-3.10.0-327.71.4.el7.ppc64le.rpm python-perf-debuginfo-3.10.0-327.71.4.el7.ppc64le.rpm x86_64: kernel-3.10.0-327.71.4.el7.x86_64.rpm kernel-debug-3.10.0-327.71.4.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-debug-devel-3.10.0-327.71.4.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.71.4.el7.x86_64.rpm kernel-devel-3.10.0-327.71.4.el7.x86_64.rpm kernel-headers-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-libs-3.10.0-327.71.4.el7.x86_64.rpm perf-3.10.0-327.71.4.el7.x86_64.rpm perf-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm python-perf-3.10.0-327.71.4.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm Red Hat Enterprise Linux Server TUS (v. 7.2): Source: kernel-3.10.0-327.71.4.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-327.71.4.el7.noarch.rpm kernel-doc-3.10.0-327.71.4.el7.noarch.rpm x86_64: kernel-3.10.0-327.71.4.el7.x86_64.rpm kernel-debug-3.10.0-327.71.4.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-debug-devel-3.10.0-327.71.4.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.71.4.el7.x86_64.rpm kernel-devel-3.10.0-327.71.4.el7.x86_64.rpm kernel-headers-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-libs-3.10.0-327.71.4.el7.x86_64.rpm perf-3.10.0-327.71.4.el7.x86_64.rpm perf-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm python-perf-3.10.0-327.71.4.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional AUS (v. 7.2): x86_64: kernel-debug-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-327.71.4.el7.x86_64.rpm perf-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional E4S (v. 7.2): ppc64le: kernel-debug-debuginfo-3.10.0-327.71.4.el7.ppc64le.rpm kernel-debug-devel-3.10.0-327.71.4.el7.ppc64le.rpm kernel-debuginfo-3.10.0-327.71.4.el7.ppc64le.rpm kernel-debuginfo-common-ppc64le-3.10.0-327.71.4.el7.ppc64le.rpm kernel-tools-debuginfo-3.10.0-327.71.4.el7.ppc64le.rpm kernel-tools-libs-devel-3.10.0-327.71.4.el7.ppc64le.rpm perf-debuginfo-3.10.0-327.71.4.el7.ppc64le.rpm python-perf-debuginfo-3.10.0-327.71.4.el7.ppc64le.rpm x86_64: kernel-debug-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-327.71.4.el7.x86_64.rpm perf-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional TUS (v. 7.2): x86_64: kernel-debug-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-327.71.4.el7.x86_64.rpm perf-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.71.4.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-3620 https://access.redhat.com/security/cve/CVE-2018-3646 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/L1TF 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW3M6OtzjgjWX9erEAQgXsA//fUjJD9ABgMqdEY1I+4Y28+aCtz++Rn0O lQaHCnxzStUHT401003DNrka0StFmfCSLZ7fYQF5iss9bE0dFyQaJ+UxWqEMiiJ5 eBRWolwaQjovLOs/W0ihbiOgDa4IiBmaXzJ6V2CTXC6PMFtsc5qo7fcUroQ72Exa gdXUxO4z3Ei4TTZpwLL/5xfphENXoOk0BMGw5ouAhfsiGyY/q5VWICqoKYqXvgSB S6qI85FlHVHTiMpZa7DjFygFfGsraOYkUF9Svokw2d46mzAdFHBfsY4l3esvOth0 HVdIXBhN9xoKnKI6907vGrDhNshm6E029vhLoc+R6cJIa6nFXDxIlb/PsYhGDmvE N7WVbb1ItaZn2b6RAmkhw4XSMJlGXtsbR0qQghXL0h0RB70a+DKQOrpLuJZFaxHE ETzp+i5p0xRLgyNMUHgDtSSCgb+y+ctSrCyB6ls5hV/TIuYKV3L3UhRYGaWlCWIk Ki9Iou3E8NCmHNgJlaG4g7EVnv5bXrDoww5UU79W5TDIapQXohXwSYH5TJMfyj5U 786wYzOtx1ubSM+AnJ3yXWaHgxOUv/o0NjYruO+SuXlqKw7CnlAyYJJj5kro3Yhu QuJU1xNPPhTV+608bCy/lthONMfTRZ534be+RcLw8gd1v6/WtGcZxdvNtCJ1nQ5e xxvWT3L+dPQ1KA -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Description: The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal. (CVE-2018-3620, CVE-2018-3646) * A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. Issue date: 2018-08-14 Updated on: 2018-08-14 (Initial Advisory) CVE number: CVE-2018-3646 1. Summary VMware vSphere, Workstation, and Fusion updates enable Hypervisor- Specific Mitigations for L1 Terminal Fault - VMM vulnerability. The mitigations in this advisory are categorized as Hypervisor- Specific Mitigations described by VMware Knowledge Base article 55636. Relevant Products VMware vCenter Server (VC) VMware vSphere ESXi (ESXi) VMware Workstation Pro / Player (WS) VMware Fusion Pro / Fusion (Fusion) 3. Problem Description vCenter Server, ESXi, Workstation, and Fusion updates include Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM. This issue may allow a malicious VM running on a given CPU core to effectively read the hypervisoras or another VMas privileged information that resides sequentially or concurrently in the same coreas L1 Data cache. CVE-2018-3646 has two currently known attack vectors which will be referred to as "Sequential-Context" and "Concurrent-Context." Attack Vector Summary Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core. Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the Hyper-Threading-enabled processor core. Mitigation Summary The Sequential-context attack vector is mitigated by a vSphere update to the product versions listed in table below. This mitigation is dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms) also listed in the table below. This mitigation is enabled by default and does not impose a significant performance impact. The Concurrent-context attack vector is mitigated through enablement of a new feature known as the ESXi Side-Channel-Aware Scheduler. This feature may impose a non-trivial performance impact and is not enabled by default. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigation/ Product Version on Severity Apply Patch Workaround ======= ======= ======= ========= ===================== ========== VC 6.7 Any Important 6.7.0d None VC 6.5 Any Important 6.5u2c None VC 6.0 Any Important 6.0u3h None VC 5.5 Any Important 5.5u3j None ESXi 6.7 Any Important ESXi670-201808401-BG* None ESXi670-201808402-BG** None ESXi670-201808403-BG* None ESXi 6.5 Any Important ESXi650-201808401-BG* None ESXi650-201808402-BG** None ESXi650-201808403-BG* None ESXi 6.0 Any Important ESXi600-201808401-BG* None ESXi600-201808402-BG** None ESXi600-201808403-BG* None ESXi 5.5 Any Important ESXi550-201808401-BG* None ESXi550-201808402-BG** None ESXi550-201808403-BG* None WS 14.x Any Important 14.1.3* None Fusion 10.x Any Important 10.1.3* None *These patches DO NOT mitigate the Concurrent-context attack vector previously described by default. For details on the three-phase vSphere mitigation process please see KB55806 and for the mitigation process for Workstation and Fusion please see KB57138. **These patches include microcode updates required for mitigation of the Sequential-context attack vector. This microcode may also be obtained from your hardware OEM in the form of a BIOS or firmware update. Details on microcode that has been provided by Intel and packaged by VMware is enumerated in the patch KBs found in the Solution section of this document. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter 6.7.0d Downloads: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_7 Documentation: https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-670d-release-notes.html vCenter 6.5u2c Downloads: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5 Documentation: https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u2c-release-notes.html vCenter 6.0u3h Downloads: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_0 Documentation: https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3h-release-notes.html vCenter 5.5u3j Downloads: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_5 Documentation: https://docs.vmware.com/en/VMware-vSphere/5.5/rn/vsphere-vcenter-server-55u3j-release-notes.html ESXi 6.7 Downloads: https://my.vmware.com/group/vmware/patch Documentation: ESXi670-201808401-BG (esx-base): https://kb.vmware.com/kb/56537 ESXi670-201808402-BG (microcode): https://kb.vmware.com/kb/56538 ESXi670-201808403-BG (esx-ui):(https://kb.vmware.com/kb/56897 ESXi 6.5 Downloads: https://my.vmware.com/group/vmware/patch Documentation: ESXi650-201808401-BG (esx-base): https://kb.vmware.com/kb/56547 ESXi650-201808402-BG (microcode): https://kb.vmware.com/kb/56563 ESXi650-201808403-BG (esx-ui): https://kb.vmware.com/kb/56896 ESXi 6.0 Downloads: https://my.vmware.com/group/vmware/patch Documentation: ESXi600-201808401-BG (esx-base): https://kb.vmware.com/kb/56552 ESXi600-201808402-BG (microcode): https://kb.vmware.com/kb/56553 ESXi600-201808403-BG (esx-ui): https://kb.vmware.com/kb/56895 ESXi 5.5 Downloads: https://my.vmware.com/group/vmware/patch Documentation: ESXi550-201808401-BG (esx-base): https://kb.vmware.com/kb/56557 ESXi550-201808402-BG (microcode): https://kb.vmware.com/kb/56558 ESXi550-201808403-BG (esx-ui): https://kb.vmware.com/kb/56894 VMware Workstation Pro 14.1.3 Downloads: https://www.vmware.com/go/downloadworkstation Documentation: https://docs.vmware.com/en/VMware-Workstation-Pro/index.html VMware Workstation Player 14.1.3 Downloads: https://www.vmware.com/go/downloadplayer Documentation: https://docs.vmware.com/en/VMware-Workstation-Player/index.html VMware Fusion Pro / Fusion 10.1.3 Downloads: https://www.vmware.com/go/downloadfusion Documentation: https://docs.vmware.com/en/VMware-Fusion/index.html 5. Change log 2018-08-14: Initial security advisory in conjunction with vSphere, Workstation, and Fusion updates and patches released on 2018-08-14. Contact E-mail list for product security notifications and announcements: https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce@lists.vmware.com bugtraq@securityfocus.com fulldisclosure@seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories https://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC Copyright 2018 VMware Inc. All rights reserved. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2018-10-30-9 Additional information for APPLE-SA-2018-9-24-1 macOS Mojave 10.14 macOS Mojave 10.14 addresses the following: Bluetooth Available for: iMac (21.5-inch, Late 2012), iMac (27-inch, Late 2012) , iMac (21.5-inch, Late 2013), iMac (21.5-inch, Mid 2014), iMac (Retina 5K, 27-inch, Late 2014), iMac (21.5-inch, Late 2015), Mac mini (Mid 2011), Mac mini Server (Mid 2011), Mac mini (Late 2012) , Mac mini Server (Late 2012), Mac mini (Late 2014), Mac Pro (Late 2013), MacBook Air (11-inch, Mid 2011), MacBook Air (13-inch, Mid 2011), MacBook Air (11-inch, Mid 2012), MacBook Air (13-inch, Mid 2012), MacBook Air (11-inch, Mid 2013), MacBook Air (13-inch, Mid 2013), MacBook Air (11-inch, Early 2015), MacBook Air (13-inch, Early 2015), MacBook Pro (13-inch, Mid 2012), MacBook Pro (15-inch, Mid 2012), MacBook Pro (Retina, 13-inch, Early 2013), MacBook Pro (Retina, 15-inch, Early 2013), MacBook Pro (Retina, 13-inch, Late 2013), and MacBook Pro (Retina, 15-inch, Late 2013) Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation. CVE-2018-5383: Lior Neumann and Eli Biham The updates below are available for these Mac models: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013, Mid 2010, and Mid 2012 models with recommended Metal-capable graphics processor, including MSI Gaming Radeon RX 560 and Sapphire Radeon PULSE RX 580) afpserver Impact: A remote attacker may be able to attack AFP servers through HTTP clients Description: An input validation issue was addressed with improved input validation. CVE-2018-4295: Jianjun Chen (@whucjj) from Tsinghua University and UC Berkeley Entry added October 30, 2018 App Store Impact: A malicious application may be able to determine the Apple ID of the owner of the computer Description: A permissions issue existed in the handling of the Apple ID. This issue was addressed with improved access controls. CVE-2018-4324: Sergii Kryvoblotskyi of MacPaw Inc. AppleGraphicsControl Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4417: Lee of the Information Security Lab Yonsei University working with Trend Micro's Zero Day Initiative Entry added October 30, 2018 Application Firewall Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A configuration issue was addressed with additional restrictions. CVE-2018-4353: Abhinav Bansal of LinkedIn Inc. APR Impact: Multiple buffer overflow issues existed in Perl Description: Multiple issues in Perl were addressed with improved memory handling. CVE-2017-12613: Craig Young of Tripwire VERT CVE-2017-12618: Craig Young of Tripwire VERT Entry added October 30, 2018 ATS Impact: A malicious application may be able to elevate privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4411: lilang wu moony Li of Trend Micro working with Trend Micro's Zero Day Initiative Entry added October 30, 2018 ATS Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2018-4308: Mohamed Ghannam (@_simo36) Entry added October 30, 2018 Auto Unlock Impact: A malicious application may be able to access local users AppleIDs Description: A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement. CVE-2018-4321: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc. CFNetwork Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4126: Bruno Keith (@bkth_) working with Trend Micro's Zero Day Initiative Entry added October 30, 2018 CoreFoundation Impact: A malicious application may be able to elevate privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4412: The UK's National Cyber Security Centre (NCSC) Entry added October 30, 2018 CoreFoundation Impact: An application may be able to gain elevated privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4414: The UK's National Cyber Security Centre (NCSC) Entry added October 30, 2018 CoreText Impact: Processing a maliciously crafted text file may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2018-4347: an anonymous researcher Entry added October 30, 2018 Crash Reporter Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4333: Brandon Azad CUPS Impact: In certain configurations, a remote attacker may be able to replace the message content from the print server with arbitrary content Description: An injection issue was addressed with improved validation. CVE-2018-4153: Michael Hanselmann of hansmi.ch Entry added October 30, 2018 CUPS Impact: An attacker in a privileged position may be able to perform a denial of service attack Description: A denial of service issue was addressed with improved validation. CVE-2018-4406: Michael Hanselmann of hansmi.ch Entry added October 30, 2018 Dictionary Impact: Parsing a maliciously crafted dictionary file may lead to disclosure of user information Description: A validation issue existed which allowed local file access. This was addressed with input sanitization. CVE-2018-4346: Wojciech ReguAa (@_r3ggi) of SecuRing Entry added October 30, 2018 Grand Central Dispatch Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4426: Brandon Azad Entry added October 30, 2018 Heimdal Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-3646: Baris Kasikci, Daniel Genkin, Ofir Weisse, and Thomas F. Wenisch of University of Michigan, Mark Silberstein and Marina Minkin of Technion, Raoul Strackx, Jo Van Bulck, and Frank Piessens of KU Leuven, Rodrigo Branco, Henrique Kawakami, Ke Sun, and Kekai Hu of Intel Corporation, Yuval Yarom of The University of Adelaide Entry added October 30, 2018 iBooks Impact: Parsing a maliciously crafted iBooks file may lead to disclosure of user information Description: A configuration issue was addressed with additional restrictions. CVE-2018-4355: evi1m0 of bilibili security team Entry added October 30, 2018 Intel Graphics Driver Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4396: Yu Wang of Didi Research America CVE-2018-4418: Yu Wang of Didi Research America Entry added October 30, 2018 Intel Graphics Driver Impact: An application may be able to read restricted memory Description: A memory initialization issue was addressed with improved memory handling. CVE-2018-4351: Appology Team @ Theori working with Trend Micro's Zero Day Initiative Entry added October 30, 2018 Intel Graphics Driver Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4350: Yu Wang of Didi Research America Entry added October 30, 2018 Intel Graphics Driver Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4334: Ian Beer of Google Project Zero Entry added October 30, 2018 IOHIDFamily Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved input validation CVE-2018-4408: Ian Beer of Google Project Zero Entry added October 30, 2018 IOKit Impact: A malicious application may be able to break out of its sandbox Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4341: Ian Beer of Google Project Zero CVE-2018-4354: Ian Beer of Google Project Zero Entry added October 30, 2018 IOKit Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2018-4383: Apple Entry added October 30, 2018 IOUserEthernet Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4401: Apple Entry added October 30, 2018 Kernel Impact: A malicious application may be able to leak sensitive user information Description: An access issue existed with privileged API calls. This issue was addressed with additional restrictions. CVE-2018-4399: Fabiano Anemone (@anoane) Entry added October 30, 2018 Kernel Impact: An attacker in a privileged network position may be able to execute arbitrary code Description: A memory corruption issue was addressed with improved validation. CVE-2018-4407: Kevin Backhouse of Semmle Ltd. Entry added October 30, 2018 Kernel Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4336: Brandon Azad CVE-2018-4337: Ian Beer of Google Project Zero CVE-2018-4340: Mohamed Ghannam (@_simo36) CVE-2018-4344: The UK's National Cyber Security Centre (NCSC) CVE-2018-4425: cc working with Trend Micro's Zero Day Initiative, Juwei Lin (@panicaII) of Trend Micro working with Trend Micro's Zero Day Initiative Entry added October 30, 2018 LibreSSL Impact: Multiple issues in libressl were addressed in this update Description: Multiple issues were addressed by updating to libressl version 2.6.4. CVE-2015-3194 CVE-2015-5333 CVE-2015-5334 CVE-2016-702 Entry added October 30, 2018 Login Window Impact: A local user may be able to cause a denial of service Description: A validation issue was addressed with improved logic. CVE-2018-4348: Ken Gannon of MWR InfoSecurity and Christian Demko of MWR InfoSecurity Entry added October 30, 2018 mDNSOffloadUserClient Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4326: an anonymous researcher working with Trend Micro's Zero Day Initiative, Zhuo Liang of Qihoo 360 Nirvan Team Entry added October 30, 2018 MediaRemote Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: An access issue was addressed with additional sandbox restrictions. This ensures that older data read from recently-written-to addresses cannot be read via a speculative side-channel. CVE-2018-3639: Jann Horn (@tehjh) of Google Project Zero (GPZ), Ken Johnson of the Microsoft Security Response Center (MSRC) Entry added October 30, 2018 Security Impact: A local user may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2018-4395: Patrick Wardle of Digita Security Entry added October 30, 2018 Security Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm Description: This issue was addressed by removing RC4. CVE-2016-1777: Pepi Zawodsky Spotlight Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4393: Lufeng Li Entry added October 30, 2018 Symptom Framework Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2018-4203: Bruno Keith (@bkth_) working with Trend Micro's Zero Day Initiative Entry added October 30, 2018 Text Impact: Processing a maliciously crafted text file may lead to a denial of service Description: A denial of service issue was addressed with improved validation. CVE-2018-4304: jianan.huang (@Sevck) Entry added October 30, 2018 Wi-Fi Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4338: Lee @ SECLAB, Yonsei University working with Trend Micro's Zero Day Initiative Entry added October 30, 2018 Additional recognition Accessibility Framework We would like to acknowledge Ryan Govostes for their assistance. Core Data We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance. CoreDAV We would like to acknowledge an anonymous researcher for their assistance. CoreGraphics We would like to acknowledge Nitin Arya of Roblox Corporation for their assistance. CoreSymbolication We would like to acknowledge Brandon Azad for their assistance. IOUSBHostFamily We would like to acknowledge an anonymous researcher for their assistance. Kernel We would like to acknowledge Brandon Azad for their assistance. Mail We would like to acknowledge Alessandro Avagliano of Rocket Internet SE, John Whitehead of The New York Times, Kelvin Delbarre of Omicron Software Systems, and Zbyszek A>>A3Akiewski for their assistance. Quick Look We would like to acknowledge Wojciech ReguAa (@_r3ggi) of SecuRing and Patrick Wardle of Digita Security and lokihardt of Google Project Zero for their assistance. Security We would like to acknowledge Christoph Sinai, Daniel Dudek (@dannysapples) of The Irish Times and Filip KlubiAka (@lemoncloak) of ADAPT Centre, Dublin Institute of Technology, Istvan Csanady of Shapr3D, Omar Barkawi of ITG Software, Inc., Phil Caleno, Wilson Ding, and an anonymous researcher for their assistance. SQLite We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance. Terminal We would like to acknowledge an anonymous researcher for their assistance. WindowServer We would like to acknowledge Patrick Wardle of Digita Security for their assistance. Installation note: macOS Mojave 10.14 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlvYkgYpHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3GrtxAA iVBcAdusz88zFzkT05EIxb9nSp4CGOlhKlChK4N7Db17o2fNT0hNpQixEAC0wC/A zqIzsXEzZlPobI4OnwiEVs7lVBsvCW+IarrRZ8pgSllKs1VlbNfOO3z9vB5BqJMr d9PjPvtHyG3jZmWqQPIjvJb3l3ZjHAt+HAvTItNMkhIUjqV80JI8wP3erzIf3tAt VoLIw5iL5w4HAYcWsn9DYcecXZdv39MnKL5UGzMX3bkee2U7kGYtgskU+mdPa1Wl WzquIPlLeKL2KNSXEfbkPtcKM/fvkURsNzEDvg+PBQLdI3JeR1bOeN24aiTEtiEL TecGm/kKMMJWmDdhPhFvZVD+SIdZd4LgbTawR1UE1JJg7jnEZKCvZ45mXd2eBwn/ rpEKCLBsgA59GILs3ZjZSIWskRJPzZrt463AKcN2wukkTUUkY1rhRVdOf6LZMs9Z w9iJOua3vt+HzCCxTEaH53WUeM6fn/Yeq+DGIS5Fk0G09pU7tsyJVwj3o1nJn0dl e2mcrXBJeSmi6bvvkJX45y/Y8E8Qr+ovS4uN8wG6DOWcCBQkDkugabng8vNh8GST 1wNnV9JY/CmYbU0ZIwKbbSDkcQLQuIl7kKaZMHnU74EytcKscUqqx1VqINz1tssu 1wZZGLtg3VubrZOsnUZzumD+0nI8c6QAnQK3P2PSZ0k= =i9YR -----END PGP SIGNATURE----- . ========================================================================= Ubuntu Security Notice USN-3742-2 August 14, 2018 linux-lts-trusty vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 ESM Summary: Several security issues were fixed in the Linux kernel. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 for Ubuntu 12.04 ESM. A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3620) Andrey Konovalov discovered an out-of-bounds read in the POSIX timers subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. A remote attacker could use this to cause a denial of service. (CVE-2018-5390) Juha-Matti Tilli discovered that the IP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packet fragments. A remote attacker could use this to cause a denial of service. (CVE-2018-5391) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 ESM: linux-image-3.13.0-155-generic 3.13.0-155.206~precise1 linux-image-3.13.0-155-generic-lpae 3.13.0-155.206~precise1 linux-image-generic-lpae-lts-trusty 3.13.0.155.145 linux-image-generic-lts-trusty 3.13.0.155.145 Please note that the recommended mitigation for CVE-2018-3646 involves updating processor microcode in addition to updating the kernel; however, the kernel includes a fallback for processors that have not received microcode updates. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. Corrected: 2018-08-14 17:51:12 UTC (stable/11, 11.1-STABLE) 2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2) 2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13) CVE Name: CVE-2018-3620, CVE-2018-3646 Special Note: Speculative execution vulnerability mitigation remains a work in progress. This advisory addresses the issue in FreeBSD 11.1 and later. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. Background When a program accesses data in memory via a logical address it is translated to a physical address in RAM by the CPU. Accessing an unmapped logical address results in what is known as a terminal fault. II. The CPU may speculatively access the level 1 data cache (L1D). Data which would otherwise be protected may then be determined by using side channel methods. This issue affects bhyve on FreeBSD/amd64 systems. III. Impact An attacker executing user code, or kernel code inside of a virtual machine, may be able to read secret data from the kernel or from another virtual machine. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +30 "Rebooting for security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.2] # fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch # fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch.asc # gpg --verify l1tf-11.2.patch.asc [FreeBSD 11.1] # fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch # fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch.asc # gpg --verify l1tf-11.1.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details CVE-2018-3620 (L1 Terminal Fault-OS) - ------------------------------------ FreeBSD reserves the the memory page at physical address 0, so it will not contain secret data. FreeBSD zeros the paging data structures for unmapped addresses, so that speculatively executed L1 Terminal Faults will access only the reserved, unused page. The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/11/ r337794 releng/11.1/ r337828 releng/11.2/ r337828 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. Unfortunately, the update introduced regressions that caused kernel panics when booting in some environments as well as preventing Java applications from starting. This update fixes the problems. We apologize for the inconvenience. Relevant releases/architectures: RHEL 7-based RHEV-H ELS - noarch RHEV Hypervisor for RHEL-6 ELS - noarch 3. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201810-06 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Xen: Multiple vulnerabilities Date: October 30, 2018 Bugs: #643350, #655188, #655544, #659442 ID: 201810-06 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Xen, the worst of which could cause a Denial of Service condition. Background ========== Xen is a bare-metal hypervisor. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-emulation/xen < 4.10.1-r2 >= 4.10.1-r2 2 app-emulation/xen-tools < 4.10.1-r2 >= 4.10.1-r2 ------------------------------------------------------------------- 2 affected packages Description =========== Multiple vulnerabilities have been discovered in Xen. Please review the referenced CVE identifiers for details. Resolution ========== All Xen users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.10.1-r2" All Xen tools users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.10.1-r2" References ========== [ 1 ] CVE-2017-5715 https://nvd.nist.gov/vuln/detail/CVE-2017-5715 [ 2 ] CVE-2017-5753 https://nvd.nist.gov/vuln/detail/CVE-2017-5753 [ 3 ] CVE-2017-5754 https://nvd.nist.gov/vuln/detail/CVE-2017-5754 [ 4 ] CVE-2018-10471 https://nvd.nist.gov/vuln/detail/CVE-2018-10471 [ 5 ] CVE-2018-10472 https://nvd.nist.gov/vuln/detail/CVE-2018-10472 [ 6 ] CVE-2018-10981 https://nvd.nist.gov/vuln/detail/CVE-2018-10981 [ 7 ] CVE-2018-10982 https://nvd.nist.gov/vuln/detail/CVE-2018-10982 [ 8 ] CVE-2018-12891 https://nvd.nist.gov/vuln/detail/CVE-2018-12891 [ 9 ] CVE-2018-12892 https://nvd.nist.gov/vuln/detail/CVE-2018-12892 [ 10 ] CVE-2018-12893 https://nvd.nist.gov/vuln/detail/CVE-2018-12893 [ 11 ] CVE-2018-15468 https://nvd.nist.gov/vuln/detail/CVE-2018-15468 [ 12 ] CVE-2018-15469 https://nvd.nist.gov/vuln/detail/CVE-2018-15469 [ 13 ] CVE-2018-15470 https://nvd.nist.gov/vuln/detail/CVE-2018-15470 [ 14 ] CVE-2018-3620 https://nvd.nist.gov/vuln/detail/CVE-2018-3620 [ 15 ] CVE-2018-3646 https://nvd.nist.gov/vuln/detail/CVE-2018-3646 [ 16 ] CVE-2018-5244 https://nvd.nist.gov/vuln/detail/CVE-2018-5244 [ 17 ] CVE-2018-7540 https://nvd.nist.gov/vuln/detail/CVE-2018-7540 [ 18 ] CVE-2018-7541 https://nvd.nist.gov/vuln/detail/CVE-2018-7541 [ 19 ] CVE-2018-7542 https://nvd.nist.gov/vuln/detail/CVE-2018-7542 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201810-06 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2018 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . This flaw is known as Spectre Variant 4. (CVE-2018-3639) Zdenek Sojka, Rudolf Marek, Alex Zuepke, and Innokentiy Sennovskiy discovered that microprocessors that perform speculative reads of system registers may allow unauthorized disclosure of system parameters via a sidechannel attack

AFFECTED PRODUCTS