PEM file opened without DIRECT I/O which makes private key readable by attacker exploiting MELTDOWN

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi everyone out there,

I just found out that ssh command doesn't use DIRECT IO to open *.pem,
which means private key goes to page cache, which means attacker may
exploit meltdown to discover user's private key. I may come up with a POC
for that if anybody is interested, I'm basing my work on the tool I created
for checking whether system is vulnerable by exploiting MELTDOWN, follow
it: https://github.com/raphaelsc/Am-I-affected-by-Meltdown

Check strace output when connect to instance via ssh:
open("/home/utroz/.ssh/raphaelsc_aws.pem", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0400, st_size=1696, ...}) = 0
read(4, "-----BEGIN RSA PRIVATE KEY-----\r"..., 4096) = 1696
close(4)

I think we are possibly interested in switching to DIRECT IO (given that it
bypasses any caching system including page cache) when reading *.PEM file
to prevent something like this from ever happening in the future. It turns
out we can't rely on processors anymore to secure our data safely, even
though Linux will be now safe after KAISER patchset, but users may have it
disabled or mistakenly run a unpatched kernel.

I'm interested in writing a patch for that, if you guys want me to. I'd
need directions on where to look at (searching it in the source code
now...) and where to send the patch to. That's going to be my first patch
for the project, and I'd be really happy about doing it.

Regards,
Raphael Carvalho.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux