smartos

TPS-2018-008 Insufficient bounds checking in bhyve(8) device model (CVE-2018-17160)

Overview This vulnerability, CVE-2018-17160, was detected and remediated by the FreeBSD community, as detailed in their disclosure. The issue was caused by insufficient bounds checking for one of the emulated virtual devices. The vulnerability could be exploited to permit a guest operating system to overwrite memory in the bhyve(8) processing, making it possible to execute arbitrary code on the host. Actions Taken by Joyent The upstream fix in the FreeBSD bhyve project has been merged into SmartOS and made available for all Triton and SmartOS users in the latest platform image release, 20181206T011455Z.

TPS-2018-007 Intel L1 Terminal Fault Vulnerabilities (CVE-2018-3615, CVE-2018-3620 & CVE-2018-3646)

Overview This advisory covers a series of three different vulnerabilities surrounding Intel hardware, collectively called L1 Terminal Fault (L1TF): CVE-2018-3615 - Specific to Intel Software Guard Extensions (SGX) CVE-2018-3620 - Specific to Operating Systems and System Management Mode (SMM) CVE-2018-3646 - Specific to Virtual Machine Monitors (VMM) / Hypervisors Of these three CVEs, only the latter two apply to Triton public cloud and Triton Enterprise software customers. Joyent customers are not affected by the first CVE.

TPS-2018-006 Intel floating point unit (FPU) register state issue (CVE-2018-3665)

Overview/Description Recently, the embargo has been broken on an Intel microprocessor issue that affects operating systems that lazily save floating point unit (FPU) register state: CVE-2018-3665. While SmartOS is affected by this issue, Intel included Joyent in the embargoed information, with adequate time for us to develop and validate a fix. Actions Taken by Joyent The fix has been made available for upstream inclusion and is in the process of being deployed to the Triton Cloud (public cloud).

TPS-2018-004 Intel Security Findings "Meltdown" and "Spectre"

Overview This notice is to advise Joyent customers of the potential security vulnerabilities surrounding Intel hardware, known as Spectre and Meltdown: CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 Description Details surrounding Intel’s findings regarding Spectre and Meltdown can be reviewed here. Additional information can be reviewed here and here. Actions Taken by Joyent Joyent has created a new Platform Image (PI) containing KPTI (Kernel Page Table Isolation) and PCID (Process Context Identifier). We are in the process of applying this PI across the Triton Cloud (public cloud).

TPS-2018-003 ZDI-CAN-5106

Overview This notice is to advise Triton Cloud (public cloud) users, Triton On-Premises Software operators, and Open Source Triton users of a vulnerability reported by Zero Day Initiative (ZDI). Description The following security vulnerability has been identified by Ben Murphy with Zero Day Initiative: ZDI-CAN-5106. Through ZDI, we have previously been made aware of this vulnerability. Here is a brief description of the issue and its resolution: Issue: A malicious DTrace helper can lead to zone escape via out-of-bounds relocation.

TPS-2018-001 ZDI-CAN-4983 and ZDI-CAN-4984

Overview This notice is to advise Joyent’s Triton Cloud (public cloud) customers, Triton on-premises software customers and Open Source Triton users of two security vulnerabilities. Description The following security vulnerabilities have been identified by Ben with Zero Day Initiative (ZDI): ZDI-CAN-4983 and ZDI-CAN-4984. Through ZDI, we have previously been made aware of these vulnerabilities. Here is a brief description of the issue and its resolution: Issue: A local process can generate a panic by issuing commands to the smb subsystem.

TPS-2017-002 High-Severity "Dirty Cow" Vulnerability (CVE-2016-5195)

Overview This notice is to advise the user groups identified below of CVE-2016-5195, the high-severity “Dirty Cow” vulnerability first announced here (and on other sites) in November 2016. Description This race condition is in mm/gup.c in the Linux kernel 2.x through 4.x (before 4.8.3), and it allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping. The only affected Joyent images are KVM images, so those have been updated accordingly.

TPS-2017-001 /proc Filesystem Permission Vulnerability

Overview This notice is to advise the user groups identified below of a recently-discovered, /proc filesystem permission vulnerability. The issue was reported directly to Joyent Engineering by a security researcher. Description This high-severity vulnerability exists in the core SmartOS platform. The exploit allows non-root users to create objects in the /proc directory within the zone. The validations for filesystem permissions have been hardened to prevent such unauthorized actions. The following user groups are affected Joyent customers using on-premises Triton software All users of SmartOS, including Triton public cloud customers (the fix has already been applied across the entire public cloud) Users of Open Source Triton Actions Taken by Joyent Joyent has created a new Platform Image (PI) containing fixes that address these vulnerabilities.

TPS-2016-012 Four SmartOS IOCTL Vulnerabilities (Eight CVEs)

Overview This notice is to advise Joyent’s Triton Cloud (public cloud) customers, Triton Enterprise software customers and Open Source Triton users of four SmartOS/file system vulnerabilities reported by Cisco Talos. Description On 13-December-2016, Cisco Talos reported three privilege escalation vulnerabilities that result from exploits on the ioctl() function. Based on our investigation, the exploits are actually not possible as either a regular user or as root from within a zone.

TPS-2016-011 Arbitrary Kernel-Mode Code Execution Vulnerabilities

Overview This notice is to advise the user groups identified below of recently-discovered, arbitrary kernel-mode code execution vulnerabilities. These issues were reported directly to Joyent Engineering by an individual user. Description These high-severity vulnerabilities exist in the core SmartOS platform, and have been present since (at least) OpenSolaris times. Attackers can potentially exploit certain system calls to obtain root privileges. Input validations for the system calls involved have been hardened to prevent such malicious attempts.