title | permalink |
---|---|
Meltdown and Spectre Vulnerabilities | /Meltdown_and_Spectre_Vulnerabilities |
This page provides more detailed information about the Meltdown and Spectre vulnerabilities, to complement the advisory SVG:Advisory-SVG-CVE-2017-5753.
This was compiled in January and early February 2018.
For information including more recent vulnerabilities, see SVG Speculative execution vulnerabilities.
These are vulnerabilities in the design of the chip hardware, and cannot be fully resolved by patching operating systems. However, patches are available which mitigate these problems.
- Meltdown (CVE-2017-5754) affects most Intel chips.
- Spectre (CVE-2017-5753 and CVE-2017-5715) affects a wide range of chips.
For more details, see Meltdown attack, Spectre attack and Project zero: Reading privileged memory with side
Each CVE is mitigated in a different way:
- Meltdown (CVE-2017-5754) can be mitigated via Kernel Page Table Isolation, which is enabled by default in the latest Linux kernels.
- Spectre Variant 1 (CVE-2017-5753) has to be mitigated in each piece of software that can be vulnerable. The latest Linux kernel contains fixes to protect itself (this does not protect other software).
- Spectre Variant 2 (CVE-2017-5715) can be (at least partially) mitigated via at least two different approaches:
  - Using a new Intel-specific MSR, added via a microcode update, to control indirect branch restricted speculation (IBRS): both a kernel and a microcode update are required. In addition, in the case of virtualization, an update of the virtualization software (e.g. qemu & virt) is required to expose the new MSR to the VM.
  - Using "retpoline", a new software construct that can mitigate the vulnerability on most CPUs.
As of Feb 2nd 2018, RedHat has offered new kernel updates that can mitigate Meltdown (CVE-2017-5754), Spectre Variant 1 (CVE-2017-5753) and Spectre Variant 2 (CVE-2017-5715); see their page on Speculative Execution.
However, due to instability issues, RedHat has removed the microcode updates required for Spectre Variant 2 (CVE-2017-5715). Until Intel releases stable microcode or RedHat switches to 'retpoline', no mitigation for Spectre Variant 2 (CVE-2017-5715) is safely usable.
It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:
- On RHEL7: Updating the kernel to 3.10.0-693.11.6.el7, see RHSA-2018:0007
- On RHEL6: Updating the kernel to 2.6.32-696.18.7.el6, see RHSA-2018:0008
CentOS is following RedHat (see above).
It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:
- On CentOS 7: Updating the kernel to 3.10.0-693.11.6.el7, see CESA-2018:0007
- On CentOS 6: Updating the kernel to 2.6.32-696.18.7.el6, see CESA-2018:0008
Scientific Linux is following RedHat (see above).
It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:
- On SL7: Updating the kernel to 3.10.0-693.11.6.el7, see SLSA-2018:0007-1
- On SL6: Updating the kernel to 2.6.32-696.18.7.el6, see SLSA-2018:0008-1
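As an added example (not part of the original page), the shell functions below compare `uname -r` strings against the fixed RHEL/CentOS/SL kernel versions listed above; the function names and the sample inventory are constructed for illustration. Fields are compared numerically, because a plain string comparison would rank 693.5.2 above 693.11.6. The check covers only the Meltdown and Spectre Variant 1 kernels, not Spectre Variant 2.

```shell
#!/bin/sh
# Fixed kernels for Meltdown and Spectre Variant 1, as listed on this page.
FIXED_EL7="3.10.0-693.11.6"
FIXED_EL6="2.6.32-696.18.7"

# ver_ge A B: succeed if version A >= B, comparing '.'/'-' separated
# fields numerically. Assumes every field is a plain integer.
ver_ge() {
    want_fields=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $(printf '%s' "$1" | tr '.-' '  ')
    for want in $want_fields; do
        have=${1:-0}              # a missing field counts as 0
        if [ "$have" -gt "$want" ]; then return 0; fi
        if [ "$have" -lt "$want" ]; then return 1; fi
        if [ $# -gt 0 ]; then shift; fi
    done
    return 0
}

# kernel_status RELEASE: print "mitigated", "needs-update" or "unknown"
# for a `uname -r` style string from an EL6/EL7 system.
kernel_status() {
    rel=$1
    case $rel in
        *.el7*) min=$FIXED_EL7 ;;
        *.el6*) min=$FIXED_EL6 ;;
        *) echo unknown; return 0 ;;   # not an EL6/EL7 kernel string
    esac
    base=${rel%%.el[67]*}              # strip ".el7.x86_64" and similar
    if ver_ge "$base" "$min"; then echo mitigated; else echo needs-update; fi
}

# audit: read "host release" lines on stdin and print every host whose
# kernel is older than the fixed version or cannot be classified.
audit() {
    while read -r host rel; do
        state=$(kernel_status "$rel")
        [ "$state" = mitigated ] || echo "$host $state"
    done
}

# Constructed sample inventory (hostnames and some versions are made up).
SAMPLE_INVENTORY='node01 3.10.0-693.11.6.el7.x86_64
node02 3.10.0-693.5.2.el7.x86_64
node03 2.6.32-696.18.7.el6.x86_64
node04 2.6.32-696.16.1.el6.x86_64
node05 4.9.0-5-amd64'

printf '%s\n' "$SAMPLE_INVENTORY" | audit
```

On a live host, `kernel_status "$(uname -r)"` reports the running kernel, which is what matters after an update that has not yet been followed by a reboot.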
Additional details as well as information on other systems and platforms can be found in the next section.
CERN has compiled information which is useful for many EGI sites:
On January 8th, Intel initially released new microcode to complement the IBRS kernel patchset. However, this new microcode is in fact unstable, and Intel has since recommended that its deployment be stopped.
Intel's latest recommendation can be found in their advisory, INTEL-SA-00088.
More updates and information:
- Jan 3rd: Initial response
- Jan 4th
- Jan 9th: Microcode released
- Jan 10th: performance impact analysis
- Jan 11th: Microcode instability reported
- Jan 17th
- Jan 22nd: Causes of instabilities found for 2 Intel series
Important! [as of 17th January]
RedHat has issued new microcode_ctl packages to rollback the latest updates, see RHSA-2018:0093.
RedHat description:
RedHat CVE info:
Important! [as of 17th January]
CentOS seems to be following RedHat in the revert of the microcode_ctl package; see the disclaimer in the sources of the last package.
CentOS 7:
- kernel Security Update: CESA-2018:0007
- microcode_ctl Security Update: CESA-2018:0012 (also needs the dracut BugFix Update for AMD: CEBA-2018:0042)
- linux-firmware Security Update: CESA-2018:0014
- qemu-kvm Security Update: CESA-2018:0023
- libvirt Security Update: CESA-2018:0029
CentOS 6:
- kernel Security Update: CESA-2018:0008
- microcode_ctl Security Update: CESA-2018:0013
- qemu-kvm Security Update: CESA-2018:0024
- libvirt Security Update: CESA-2018:0030
For more, see the centos-announce Security mails for January.
Important! [as of 18th January]
Scientific Linux is following RedHat in the revert of the microcode_ctl package, see SLSA 2018:0093-1
- SL6: SLSA 2018:0008-1
- SL7: SLSA 2018:0007-1
- SL6:
  - qemu-kvm: SLSA 2018:0024-1
  - libvirt: SLSA 2018:0030-1
- SL7:
  - qemu-kvm: SLSA 2018:0023-1
  - libvirt: SLSA 2018:0029-1
Important! [as of 23rd January]
Dell is advising that all customers and partners should not deploy the BIOS update for the Spectre vulnerability at this time due to Intel’s advisory acknowledging reboot issues and unpredictable system behaviour.
DELL: support for meltdown and spectre
DELL: side channel vulnerabilities
Note that this is changing rather frequently.
[as of January 23]
HPE has updated their advisory to note that "Marked impacted products with TBD for System ROM updates per Intel's guidance on microcode issues" - so following suit with DELL.
[as of January 23]
Lenovo security advisory
- XEN: advisory 254
- XEN: Spectre meltdown FAQ
- XEN: Meltdown and Spectre technical FAQ
- XEN: Respond to Meltdown and Spectre
In order to protect hypervisors from malicious VMs, the kernel, microcode and QEMU must be updated: