{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/283803#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview ###\r\nSome platforms with integrated GPUs, such as smartphones, may allow both side-channel and rowhammer attacks via WebGL, which may allow a remote attacker to compromise the browser on an affected platform. An attack technique that leverages these vulnerabilities is called \"GLitch.\"\r\n\r\n### Description ###\r\n<p>An academic paper describes an attack called \"GLitch,\" which leverages two different techniques to achieve a compromise of a web browser using WebGL. The attack is only feasible on platforms where the CPU and GPU share the same memory, such as a smartphone or similar device. The two components of the attack are:</p><ol type=\"1\"><li>A side-channel attack to determine physical memory layout</li><li>A rowhammer attack to flip the value of one or more bits in physical memory</li></ol><br/><b>The side-channel attack</b><br/><br/>The precise timing capabilities provided by WebGL can allow an attacker to determine the difference between cached DRAM accesses and uncached DRAM accesses. This can allow an attacker to determine contiguous areas of physical DRAM memory. Knowledge of contiguous memory regions is used in a number of microarchitectural attacks, such as rowhammer.<br/><br/><b>The rowhammer attack</b><br/><br/>The <a href=\"https://en.wikipedia.org/wiki/Row_hammer\">rowhammer attack</a> targets the design of DRAM memory. On a system where the DRAM is insufficiently refreshed, targeted operations on a row of DRAM memory may be able to influence the memory values on neighboring rows. Protections against the rowhammer attack include the use of ECC DRAM, as well as increased refresh rates. 
The LPDDR4 mobile memory standard also has optional hardware support for target row refresh, which can mitigate the rowhammer attack.<br/><br/><b>Combining the attacks with WebGL</b><br/><br/>The GLitch attack leverages both a side-channel attack to determine contiguous memory, as well as rowhammer. With the knowledge of contiguous memory, an attacker may be able to determine relative physical addresses. This knowledge of relative physical addresses can let the attacker know what memory locations to target with the rowhammer attack. The use of WebGL with precise timers is important in the GLitch attack for these reasons:<br/><ul type=\"disc\"><li>Precise WebGL timers allow a side-channel to leak memory addresses.</li><li>GPU capabilities exposed via WebGL allow for fast double-sided DRAM access, enabling the rowhammer attack.</li></ul>The impact of combining both the side-channel attack and rowhammer attack has been demonstrated to bypass the Firefox sandbox on the Android platform.<br/><br/><b>GLitch success rates in testing</b><br/><br/>It is important to realize that the GLitch attack has only successfully been demonstrated on the Nexus 5 phone, which was released in 2013. The Nexus 5 phone received its last software security update in October 2015, and is therefore an already unsafe device to use. Several other phones released in 2013 were tested, but could not be successfully attacked with the GLitch attack. Success rates on phones newer than 2013 models were not provided. 
Non-Android devices were not tested either.\r\n\r\n### Impact ###\r\n<p>Upon visiting a malicious or compromised website with a vulnerable device, an attacker may be able to bypass security features provided by the web browser.</p>\r\n\r\n### Solution ###\r\n<p><b>Apply an update</b><br/><br/>Google Chrome and Mozilla Firefox have released updates which disable high precision timers in the browser.<br/>Other browsers do not appear to be affected.</p>\r\n\r\n### Acknowledgements ###\r\n<p>This issue was reported by Pietro Frigo, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi of the Vrije Universiteit Amsterdam.</p><p>This document was written by Will Dormann and Trent Novelly.</p>","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details.","title":"Limitations of Advisory"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from ARM Limited"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on ARM Limited notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/283803"},{"url":"https://en.wikipedia.org/wiki/Row_hammer","summary":"https://en.wikipedia.org/wiki/Row_hammer"},{"url":"https://www.vusec.net/wp-content/uploads/2018/05/glitch.pdf","summary":"https://www.vusec.net/wp-content/uploads/2018/05/glitch.pdf"}],"title":"Integrated GPUs may allow side-channel and rowhammer attacks using WebGL (\"Glitch\")","tracking":{"current_release_date":"2022-01-07T18:22:33+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#283803","initial_release_date":"2018-05-03 00:00:00+00:00","revision_history":[{"date":"2022-01-07T18:22:33+00:00","number":"1.20220107182233.46","summary":"Released on 2022-01-07T18:22:33+00:00"}],"status":"final","version":"1.20220107182233.46"}},"vulnerabilities":[{"title":"A hardware vulnerability in GPU memory modules allows attackers to accelerate micro-architectural attacks through the use of the JavaScript WebGL API.","notes":[{"category":"summary","text":"A hardware vulnerability in GPU memory modules allows attackers to accelerate micro-architectural attacks through the use of the JavaScript WebGL 
API."}],"cve":"CVE-2018-10229","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#283803"}],"product_status":{"known_affected":["CSAFPID-bf55d5f6-3a87-11f1-a172-0afffb3ee71d","CSAFPID-bf5772da-3a87-11f1-a172-0afffb3ee71d"],"known_not_affected":["CSAFPID-bf57e684-3a87-11f1-a172-0afffb3ee71d"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Qualcomm","product":{"name":"Qualcomm Products","product_id":"CSAFPID-bf54a726-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-bf54f1fe-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Samsung Mobile","product":{"name":"Samsung Mobile Products","product_id":"CSAFPID-bf5541ea-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"AMD","product":{"name":"AMD Products","product_id":"CSAFPID-bf557f70-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Mozilla","product":{"name":"Mozilla Products","product_id":"CSAFPID-bf55d5f6-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Broadcom","product":{"name":"Broadcom Products","product_id":"CSAFPID-bf562b28-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Vivaldi","product":{"name":"Vivaldi Products","product_id":"CSAFPID-bf566e9e-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Apple","product":{"name":"Apple Products","product_id":"CSAFPID-bf56af80-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"UC Browser for Android","product":{"name":"UC Browser for Android Products","product_id":"CSAFPID-bf56f1fc-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"IBM","product":{"name":"IBM Products","product_id":"CSAFPID-bf572ee2-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Google","product":{"name":"Google Products","product_id":"CSAFPID-bf5772da-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Opera Software","product":{"name":"Opera Software 
Products","product_id":"CSAFPID-bf57a9a8-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-bf57e684-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Imagination Technologies","product":{"name":"Imagination Technologies Products","product_id":"CSAFPID-bf582c0c-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Sailfish OS","product":{"name":"Sailfish OS Products","product_id":"CSAFPID-bf586942-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Brave Software","product":{"name":"Brave Software Products","product_id":"CSAFPID-bf58ea7a-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"NVIDIA","product":{"name":"NVIDIA Products","product_id":"CSAFPID-bf59222e-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"BlackBerry","product":{"name":"BlackBerry Products","product_id":"CSAFPID-bf5966bc-3a87-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Silicon Integrated Systems Corp.","product":{"name":"Silicon Integrated Systems Corp. Products","product_id":"CSAFPID-bf59b216-3a87-11f1-a172-0afffb3ee71d"}}]}}