Lucene search

K
f5F5F5:K49711130
HistoryNov 30, 2018 - 12:00 a.m.

K49711130 : OpenSSL and Intel processor SMT side-channel vulnerability (PortSmash) CVE-2018-5407

2018-11-3000:00:00
my.f5.com
25

4.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

5.7 Medium

AI Score

Confidence

High

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

24.0%

Security Advisory Description

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on ‘port contention.’ (CVE-2018-5407 also known as PortSmash)

Impact

The vulnerability allows an attacker who can provide and run binary code of their choosing on the F5 platform to steal secret cryptographic information.

Processes running on hyperthread-enabled cores are subject to a side-channel attack by other processes running on the same core, if their program control flow is impacted by private data. A common case for this behavior is encryption, where the secret key can influence program flow. While high-security contexts typically guard against this known behavior, a flaw in OpenSSL’s protection of elliptic curve processing is vulnerable to this class of attack. Other encryption algorithms (RSA) are not affected, so configurations that do not install EC keys are not impacted.

Note: Hyper-threading is Intel’s implementation of SMT.

4.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

5.7 Medium

AI Score

Confidence

High

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

24.0%