SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15
The Synchronous Multithreading concept used in modern processors allows multiple execution threads to run on the same CPU core, sharing various resources like caches and compute resources.
Due to the lightweight nature of this synchronous multithreading, the processor has insufficient boundaries between those threads, which can lead to side-channel information leak attacks.
Examples of such attacks and research on them have been published before, up to and including the "L1 Terminal Fault" security issue from August 2018.
Recently, security researchers published a working attack, codenamed "PortSmash" (CVE-2018-5407), that uses computational saturation of vector units to glean information from other threads.
While this attack specifically targets parts of the vectorized elliptic curve computation code in openssl, it could be adapted to other code locations or code patterns.
As this kind of side channel has been known for several years, cryptographic code has been adapted over the last years to not be susceptible to such attacks, either by using "constant time" operations or by so-called "blinding", which makes its operations less observable.
Parts of cryptographic code that do not operate in constant time are considered bugs and will be fixed place by place.
The attack targets a specific piece of code in openssl's Elliptic Curve Point multiplication routines which were not operating in constant time.
Mitigations for this issue are:
- The programmatic solution is to adjust cryptographic routines to operate in constant time.
  SUSE will be providing fixed openssl packages mitigating the openssl elliptic curve multiplication in the coming days.
- To be safe against future variants of this attack, consider disabling Synchronous Multi Threading, or enabling it only in "safe" scenarios.
  The SUSE guidance for 'trusted' vs 'untrusted' guests is the same as our guidance on the L1 Terminal Fault issue.
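
To decide whether the second mitigation applies to a host, an administrator first needs to know whether sibling hardware threads are actually online. The script below is an added example, not SUSE tooling and not part of the original article. It assumes the Linux kernel's sysfs SMT interface (`/sys/devices/system/cpu/smt/control` and `smt/active`, which this article does not name) and falls back to the per-CPU `thread_siblings_list` files when that interface is absent.

```shell
#!/bin/sh
# Added example (not SUSE's tooling): classify the SMT state of a Linux host.
# The first argument is the CPU sysfs directory; it is a parameter only so the
# logic can be exercised against a constructed directory tree.

# Return 0 if any CPU lists more than one hardware thread on its core,
# e.g. "0,4" or "0-1" in topology/thread_siblings_list.
has_sibling_threads() {
    for f in "$1"/cpu[0-9]*/topology/thread_siblings_list; do
        [ -r "$f" ] || continue
        case "$(cat "$f")" in
            *[,-]*) return 0 ;;
        esac
    done
    return 1
}

# Print one of: enabled, disabled, unsupported
smt_status() {
    root="${1:-/sys/devices/system/cpu}"
    state=""
    [ -r "$root/smt/control" ] && state="$(cat "$root/smt/control")"
    case "$state" in
        off|forceoff) echo disabled ;;
        notsupported) echo unsupported ;;
        on)
            # "on" only means SMT is permitted; smt/active says whether
            # sibling threads are online right now.
            if [ "$(cat "$root/smt/active" 2>/dev/null)" = "1" ]; then
                echo enabled
            else
                echo disabled
            fi ;;
        *)
            # No smt/control (older kernel) or "notimplemented":
            # fall back to the per-CPU topology files.
            if has_sibling_threads "$root"; then
                echo enabled
            else
                echo disabled
            fi ;;
    esac
}

smt_status "$@"
```

A result of `enabled` on a host that runs untrusted guests or untrusted local workloads is the case the second mitigation addresses.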