Security Vulnerability In VIOS, AIX, And Maybe IBM i
November 23, 2020 Timothy Prickett Morgan
IBM i shops that use the Virtual I/O Server, which is a cut-down version of the AIX implementation of Unix created by Big Blue, have to be aware that there is a security vulnerability that affects recent releases of AIX and VIOS.
The vulnerability, announced in Security Vulnerability CVE-2020-4788, affects Power9 machinery running VIOS 3.1 or AIX 7.1 and AIX 7.2, and under what are called “extenuating circumstances” the vulnerability could allow a local user on the system to obtain sensitive information stored on the L1 cache on the Power9 cores.
The vulnerability was reported on November 18, and the Openwall security site published a more detailed, English language description of the issue at this link. The vulnerability appears to be in the same class as other speculative execution vulnerabilities that are part of most modern processors and labelled under the Spectre and Meltdown vulnerabilities that came to light out of Google a few years back. Here is the description from Openwall:
“IBM Power9 processors can speculatively operate on data in the L1 cache before it has been completely validated, via a way-prediction mechanism. It is not possible for an attacker to determine the contents of impermissible memory using this method, since these systems implement a combination of hardware and software security measures to prevent scenarios where protected data could be leaked. However, these measures don’t address the scenario where an attacker induces the operating system to speculatively execute instructions using data that the attacker controls. This can be used for example to speculatively bypass “kernel user access prevention” techniques, as discovered by Anthony Steinhauser of Google’s Safeside Project. This is not an attack by itself, but there is a possibility it could be used in conjunction with side-channels or other weaknesses in the privileged code to construct an attack. This issue can be mitigated by flushing the L1 cache between privilege boundaries of concern.”
IBM’s own page describing the fixes for AIX and VIOS is at this link. The patches were turned around fast and were available on November 20. The Linux community has also been notified and pushed some fixes upstream to the Linux kernel developers in the open source community. IBM is also researching what impact, if any, might affect IBM i itself and we will be keeping an eye on that. Check the IBM i PTF Guide in the coming days for more on that.
As far as we know, no one has created a malware exploit that takes advantage of this vulnerability on any of the IBM platforms mentioned above.