PortSmash: A New Side-Channel Vulnerability Affecting SMT/HT Processors (CVE-2018-5407)
Written by Michael Larabel in Security on 2 November 2018 at 03:55 PM EDT. 47 Comments
SECURITY --
A new CPU side-channel vulnerability made public today that's unrelated to Spectre and Meltdown speculative execution vulnerabilities is dubbed "PortSmash" but more formerly referred to as CVE-2018-5407.

University researchers discovered this side-channel vulnerability that results in data leakage due to execution engine sharing on processors with Simultaneous Multi-Threading, like Hyper Threading on Intel CPUs. This can lead to stealing a private key from a TLS server in a reported example. PortSmash can leak encrypted data from the CPU. Most of the research thus far has been around Intel processors with Hyper Threading but it's believed other CPUs with SMT like IBM POWER and AMD CPUs are also potentially affected.

Proof of concept code was posted today to GitHub while more technical details can be found via oss-security. The workaround to avoid the side-channel vulnerability is to disable SMT/HT from the BIOS.

Update: The statement Intel provided on PortSmash sent over is: "Intel received notice of the research. This issue is not reliant on speculative execution, and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side channel safe development practices. Protecting our customers' data and ensuring the security of our products is a top priority for Intel and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified."
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related Security News
Popular News This Week