FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

kernel -- information disclosure when using HTT

Affected systems
5.4 <= FreeBSD < 5.4_1
5.0 <= FreeBSD < 5.3_15
4.11 <= FreeBSD < 4.11_9
FreeBSD < 4.10_14

Details

VuXML ID 180e9a38-060f-4c16-a6b7-49f3505ff22a
Discovery 2005-05-13
Entry 2005-05-13

Problem description and impact

When running on processors supporting Hyper-Threading Technology, it is possible for a malicious thread to monitor the execution of another thread.

Information may be disclosed to local users, allowing in many cases for privilege escalation. For example, on a multi-user system, it may be possible to steal cryptographic keys used in applications such as OpenSSH or SSL-enabled web servers.

NOTE: Similar problems may exist in other simultaneous multithreading implementations, or even some systems in the absence of simultaneous multithreading. However, current research has only demonstrated this flaw in Hyper-Threading Technology, where shared memory caches are used.

Workaround

Systems not using processors with Hyper-Threading Technology support are not affected by this issue. On systems which are affected, the security flaw can be eliminated by setting the "machdep.hlt_logical_cpus" tunable:

# echo "machdep.hlt_logical_cpus=1" >> /boot/loader.conf

The system must be rebooted in order for tunables to take effect.

Use of this workaround is not recommended on "dual-core" systems, as this workaround will also disable one of the processor cores.
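
The `echo` command above appends unconditionally and does not show whether a later line in the file overrides the setting. The following is an added example, not part of the FreeBSD advisory: a POSIX sh check-and-set that reports the effective value and appends the line only when needed. The function names are hypothetical, and it assumes that the last assignment of a variable in loader.conf is the effective one.

```shell
#!/bin/sh
# Added example: audit and idempotently set the HTT workaround tunable.
# Function names are hypothetical. Assumption: when a variable is assigned
# more than once in loader.conf, the last assignment is the effective one.
# As the advisory notes, the workaround is not recommended on dual-core systems.
TUNABLE="machdep.hlt_logical_cpus"

# Print the effective value of $TUNABLE in the given file (nothing if unset).
hlt_effective_value() {
    [ -r "$1" ] || return 0
    awk -v key="$TUNABLE" '
        { sub(/#.*/, "") }                        # strip comments
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            val  = substr($0, eq + 1)
            gsub(/[ \t]/, "", name)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)    # trim blanks and quotes
            if (name == key) last = val
        }
        END { if (last != "") print last }
    ' "$1"
}

# Append the setting only if the effective value is not already 1.
# Returns 0 when the file was changed, 1 when no change was needed.
hlt_apply_workaround() {
    conf="$1"
    [ "$(hlt_effective_value "$conf")" = "1" ] && return 1
    # Do not glue the new line onto an unterminated last line.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        echo >> "$conf"
    fi
    printf '%s="1"\n' "$TUNABLE" >> "$conf"
}

# Usage: sh hlt_check.sh FILE [apply]   (e.g. FILE=/boot/loader.conf, as root)
if [ "$#" -gt 0 ]; then
    if [ "${2:-}" = "apply" ]; then
        hlt_apply_workaround "$1" && echo "setting added; reboot required" \
            || echo "already set; no change"
    else
        v=$(hlt_effective_value "$1")
        echo "$TUNABLE effective value: ${v:-not set}"
    fi
fi
```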

References

CVE Name CVE-2005-0109
FreeBSD Advisory SA-05:09.htt
URL http://www.daemonology.net/hyperthreading-considered-harmful/