Multiple vulnerabilities in IBM Power Systems



Published: 2023-06-13
Risk: High
Patch available: Yes
Number of vulnerabilities: 3
CVE-ID: CVE-2018-5407, CVE-2009-3245, CVE-2014-0076
CWE-ID: CWE-208, CWE-20, CWE-310
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software: PowerVM Hypervisor (Client/Desktop applications / Virtualization software)
Vendor: IBM Corporation

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Side-channel attack

EUVDB-ID: #VU15723

Risk: Low

CVSSv3.1: 4.2 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-5407

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

Exploit availability: Yes

Description

The vulnerability allows a physical attacker to obtain potentially sensitive information.

The vulnerability exists because execution engines are shared between hardware threads on SMT (e.g. Hyper-Threading) architectures and the processor does not isolate the information that this sharing leaks. A physical attacker can build a timing side channel to extract information from processes running on the same core.

Note: the vulnerability has been dubbed PortSmash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerVM Hypervisor: before FW950.60

External links

http://www.ibm.com/support/pages/node/6845419


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Input validation error

EUVDB-ID: #VU77191

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2009-3245

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists because OpenSSL does not check for a NULL return value from bn_wexpand() calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c and (4) engines/e_ubsec.c. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerVM Hypervisor: before FW950.60

External links

http://www.ibm.com/support/pages/node/6845419


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cryptographic issues

EUVDB-ID: #VU77192

Risk: Low

CVSSv3.1: 2.6 [CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2014-0076

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists because the Montgomery ladder implementation in OpenSSL does not ensure that certain swap operations run in constant time. A local attacker can recover ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
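The defect described above is a swap whose control flow depends on a secret bit. The following is an added example, not OpenSSL's code: it shows a branch-dependent swap next to a mask-based constant-time swap, and drives the constant-time version from a Montgomery ladder. Modular exponentiation (g^k mod p, with p below 2^32) is used here as a stand-in for EC scalar multiplication; the ladder structure and the role of the swap are the same.

```c
#include <stdint.h>

/* The pattern behind CVE-2014-0076: whether the swap happens is decided by a
 * branch on the secret bit, so instruction flow (and the cache lines it
 * touches) differ between bit values. Kept only for comparison. */
void branchy_cswap(uint64_t *a, uint64_t *b, uint64_t swap)
{
    if (swap) { uint64_t t = *a; *a = *b; *b = t; }
}

/* Constant-time conditional swap: when swap == 1 exchange *a and *b, when
 * swap == 0 leave them untouched. The same loads, XORs and stores execute
 * either way; only the all-zero / all-one mask changes. */
void ct_cswap(uint64_t *a, uint64_t *b, uint64_t swap)
{
    uint64_t mask = (uint64_t)0 - (swap & 1);   /* 0x00..00 or 0xFF..FF */
    uint64_t t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

/* Assumes p < 2^32 so that a * b fits in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t p)
{
    return (a % p) * (b % p) % p;
}

/* Montgomery ladder computing g^k mod p. Invariant: r1 == r0 * g.
 * Every iteration performs exactly one multiply and one square; the only
 * bit-dependent operation is the (constant-time) swap before and after. */
uint64_t ladder_powmod(uint64_t g, uint64_t k, uint64_t p)
{
    uint64_t r0 = 1 % p, r1 = g % p;
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (k >> i) & 1;
        ct_cswap(&r0, &r1, bit);        /* bit = 1: work on (r1, r0) instead */
        r1 = mulmod(r0, r1, p);         /* "add" step */
        r0 = mulmod(r0, r0, p);         /* "double" step */
        ct_cswap(&r0, &r1, bit);        /* restore the roles of r0 and r1 */
    }
    return r0;
}
```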

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerVM Hypervisor: before FW950.60

External links

http://www.ibm.com/support/pages/node/6845419


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted file.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.