Posts Tagged ‘security’

How to check whether your CPU is vulnerable to Retbleed

Friday, December 16th, 2022

On Linux, checking for known CPU vulnerabilities is quite easy:

grep -r . /sys/devices/system/cpu/vulnerabilities

On a Zen2 processor you’ll get these results:

/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:Not affected
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/retbleed:Mitigation: untrained return thunk; SMT enabled with STIBP protection
/sys/devices/system/cpu/vulnerabilities/srbds:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected

On a Zen3 processor you’ll get these results:

/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:Not affected
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/retbleed:Not affected
/sys/devices/system/cpu/vulnerabilities/srbds:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected

As you can see, a Zen2 (Ryzen below the 5000 series) is affected by Retbleed (here mitigated by the kernel), while the newer generations (Ryzen 5000 series and up) are not.
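To turn this check into something scriptable, here is an added example (not code from the original post) that parses the sysfs report the grep above prints and flags any entry the kernel does not report as "Not affected" or mitigated. The sample report and its "example_bug" entry are constructed; on a real Linux box the script reads the live sysfs directory instead.

```python
"""Added example, not code from the original post: parse the sysfs report the
grep above prints and flag anything the kernel does not report as "Not affected"
or "Mitigation: ...". The sample report and its "example_bug" entry are constructed."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

def classify(status: str) -> str:
    """Coarse verdict for one status string; unrecognised text is UNKNOWN, never accepted."""
    if status.startswith("Not affected"):
        return "ok"
    if status.startswith("Mitigation:"):
        return "mitigated"
    if status.startswith("Vulnerable"):
        return "VULNERABLE"
    return "UNKNOWN"

def parse_report(text: str) -> dict[str, str]:
    """Turn `grep -r .` output ("path:status" per line) into {name: status}.
    The path contains no colon, so the first colon separates the two."""
    report = {}
    for line in text.splitlines():
        path, sep, status = line.partition(":")
        if sep:
            report[path.rsplit("/", 1)[-1]] = status.strip()
    return report

def audit(report: dict[str, str]) -> dict[str, str]:
    """Entries that are neither 'Not affected' nor mitigated."""
    return {n: s for n, s in report.items() if classify(s) not in ("ok", "mitigated")}

def read_live() -> dict[str, str]:
    """Read the real sysfs directory: one file per vulnerability."""
    return {p.name: p.read_text().strip() for p in sorted(SYSFS_DIR.iterdir())}

# Constructed sample: the Zen2 retbleed/meltdown lines from the post plus a
# hypothetical unmitigated entry so the audit has something to flag.
SAMPLE = """\
/sys/devices/system/cpu/vulnerabilities/retbleed:Mitigation: untrained return thunk; SMT enabled with STIBP protection
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/example_bug:Vulnerable: constructed sample
"""

if __name__ == "__main__":
    report = read_live() if SYSFS_DIR.is_dir() else parse_report(SAMPLE)
    for name, status in report.items():
        print(f"{name:20} {classify(status):10} {status}")
    raise SystemExit(1 if audit(report) else 0)  # non-zero exit when something is flagged
```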

Security by design: following the right principle

Friday, April 6th, 2018

Since a CSS-driven keylogger has recently received some attention, it’s worth pointing out the security risks of third-party content once again. That risk is huge.

If a third-party CSS stylesheet can steal your password, doing the same is a piece of cake for any JavaScript file.

If you follow this blog, it will not surprise you that we’re skeptical of all the fashionable JavaScript-driven frameworks. In general, JavaScript is bad for security, privacy and the planet 🙂 (battery usage). It’s good for tracking, fingerprinting, advertisements and visual eye-candy.

Yes, JavaScript can be nice, but please adhere to these old principles: graceful degradation and progressive enhancement. Unfortunately, it’s fashionable not to follow them.

Don’t force JavaScript on users because you’re trying to sell ads or track them.

Don’t overdo JavaScript: a URL for your contact info should contain that contact info (in HTML). Otherwise it should point to another URL. Don’t hide this information behind JavaScript or in some JSON somewhere. You’re breaking the internet. Keep information accessible.

It’s important to underline this again: every script loaded with a <script> tag has full access to the DOM, and if the page is a login page, that means access to the username and password.

So a simple principle can be deduced, and it’s a shame that we have to repeat it here.

Never add any (third party) script to a login page. NEVER.

Nobody except the user should be authorized to see a plaintext password. Nobody. Limit access by design, not by trust.

Major Android vulnerability for Samsung Galaxy phones (and others)

Wednesday, September 26th, 2012

There is a major risk of losing all your data when you browse the internet on your Samsung Galaxy phone: your phone will be reset.

You can test whether you’re vulnerable here: USSD-Android-vulnerability.html. If you are vulnerable, it will display your IMEI number on the phone. Just open the page with your mobile phone.

Contrary to what you may have read elsewhere, the vulnerability doesn’t require you to click anything: loading a page (e.g. one carrying malicious advertisements) can be enough. Some advice says you should read all links carefully. Nonsense, that won’t help.

This bug is also called the Android Reset bug or Android Wipe bug.

Workaround / Solution

Please install the TelStop app to secure yourself ASAP.

`TelStop` does nothing on its own: it just asks you what to do with the request and prevents the default, dangerous handling.

Details

The vulnerability is caused by the dialer automatically handling so-called USSD codes passed in a `tel` URI. USSD (Unstructured Supplementary Service Data) codes can display certain information, like your IMEI number, or trigger special functions like a factory reset (loss of all your data).

Just adding this code to any website can trigger the bug:

<iframe src="tel:123"></iframe>

It isn’t limited to the `tel` URI: `callto:123` also works in some browsers, e.g. Opera.

With JavaScript, any link can be made to carry such a URI, so it’s a real danger.
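Both risks on this page can be caught by a single audit of a page’s HTML before it is published or served: cross-origin scripts on a page that has a password field (the previous post’s rule about login pages) and frames or links that carry a `tel:` or `callto:` URI (the USSD trigger shown above). The following is an added example, not code from either post; the sample page, the host names and the scheme list are constructed.

```python
"""Added example, not code from either original post: one HTML audit covering
both risks described on this page. It flags (a) scripts from another origin on
a page that has a password field and (b) frames and links carrying a tel: or
callto: URI. The sample page and the scheme list are constructed here."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

DIALER_SCHEMES = {"tel", "callto"}  # schemes a phone's dialer may act on

class PageAuditor(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.origin = urlsplit(page_url)[:2]  # (scheme, host[:port]) of the page
        self.has_password = False
        self.third_party_scripts: list[str] = []
        self.dialer_uris: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
        elif tag == "script" and a.get("src"):
            # A src without a host is our own origin; "//host/..." inherits the page
            # scheme; any other (scheme, host) pair is a third party.
            s = urlsplit(a["src"])
            if s.netloc and (s.scheme or self.origin[0], s.netloc) != self.origin:
                self.third_party_scripts.append(a["src"])
        elif tag in ("iframe", "frame", "a"):
            uri = a.get("href" if tag == "a" else "src") or ""
            if urlsplit(uri).scheme.lower() in DIALER_SCHEMES:
                self.dialer_uris.append((tag, uri))

def audit_html(page_url: str, html: str) -> list[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    p = PageAuditor(page_url)
    p.feed(html)
    findings = []
    if p.has_password:  # third-party scripts are only flagged on a login page
        findings += [f"third-party script on login page: {s}" for s in p.third_party_scripts]
    findings += [f"dialer URI in <{t}>: {u}" for t, u in p.dialer_uris]
    return findings

# Constructed sample page: a login form that pulls in a script from another host
# and embeds the tel: iframe from the post.
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script>
<script src="//cdn.example-analytics.invalid/track.js"></script></head>
<body><form><input name="u"><input type="password" name="p"></form>
<iframe src="tel:123"></iframe><a href="callto:123">call</a></body></html>"""

if __name__ == "__main__":
    print("\n".join(audit_html("https://login.example.invalid/", SAMPLE_HTML)))
```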

It isn’t a browser or Android bug; it’s a bug in TouchWiz, Samsung’s own interface layer. Apparently HTC and Motorola made the same mistake.

On a Samsung Galaxy S running Android 2.3.6, all tested browsers were vulnerable: the stock browser, Firefox, Dolphin, Opera Mobile and Opera Mini.

In the latest firmware (4.0.4) for the Samsung Galaxy S III the bug has been patched; apparently Samsung had been aware of it for some time.

Reported Vulnerable phones

(This list is incomplete; sometimes it depends on the firmware version.)

  • Samsung Galaxy S (Android 2.3.6)
  • Samsung Galaxy S II
  • Samsung Galaxy S III (any firmware below 4.0.4)
  • Samsung Galaxy Gio
  • Samsung Galaxy Advance
  • HTC One X (HTC Sense 4.0 on Android 4.0.3)
  • HTC Desire
  • Motorola Defy (Android 2.3.5)
  • Sony Xperia Active
  • Sony Xperia Arc S

Please add a comment with your phone model if you experience this bug too, and don’t forget to install the workaround.

Updated 27/9: Sony phones added.