Revision as of 09:32, 2 February 2018
Meltdown and Spectre Vulnerabilities
Purpose of this page
To provide more detailed information about the Meltdown and Spectre vulnerabilities, to complement the advisory, SVG:Advisory-SVG-CVE-2017-5753.
We continue to add new information as we become aware of it, and the situation is still changing (2nd February 2018).
What are they?
These are vulnerabilities in the design of the CPU hardware and cannot be fully resolved by patching operating systems; however, patches are available that mitigate them.
- Meltdown (CVE-2017-5754) affects most Intel chips.
- Spectre (CVE-2017-5753 and CVE-2017-5715) affects a wide range of chips.
For more details, see https://meltdownattack.com/ , https://spectreattack.com/ and https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html
How to mitigate these vulnerabilities
Each CVE is mitigated in a different way:
- Meltdown (CVE-2017-5754) is mitigated by Kernel Page Table Isolation (KPTI), which is enabled by default in the latest Linux kernels.
- Spectre Variant 1 (CVE-2017-5753) has to be mitigated separately in each piece of software that may be vulnerable. The latest Linux kernel contains fixes to protect itself; these do not protect other software.
- Spectre Variant 2 (CVE-2017-5715) can be (at least partially) mitigated by at least two different approaches:
  - Using the new Intel-specific MSR, added by a microcode update, to control Indirect Branch Restricted Speculation (IBRS): both a kernel update and a microcode update are required.
  - Using "retpoline", a new software construct that mitigates the vulnerability on most CPUs.
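The following script is added here as an example; it is not part of the EGI SVG page or of any vendor's tooling. It checks which of the three mitigations a running Linux host actually has, using the upstream sysfs status files, the debugfs switches present in Red Hat's January 2018 kernels, the CPU flags that show whether the microcode exposes the IBRS/IBPB MSRs, and the kernel command line. The file and flag names are assumptions based on those kernels and vary between kernel versions; every path is read below $ROOT so the script can be run against a fixture tree.

```shell
#!/bin/sh
# spec_check.sh - summarise the Meltdown/Spectre mitigation state of a Linux host.
# Added example for this page; not code from EGI SVG, Red Hat, CERN or any vendor.
# Every path is read below $ROOT (default /) so the script can be pointed at a
# fixture tree. Interfaces read (names are assumptions; they vary between kernels):
#   sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}
#       upstream 4.15+ and distribution backports: "Mitigation: ...",
#       "Vulnerable..." or "Not affected"
#   sys/kernel/debug/x86/{pti_enabled,ibrs_enabled,ibpb_enabled}
#       Red Hat's debugfs switches in the January 2018 kernels (root, debugfs mounted)
#   proc/cpuinfo flags "pti", "spec_ctrl", "ibpb"
#       spec_ctrl/ibpb are only advertised when the microcode exposes the new MSRs,
#       which the reverted microcode_ctl packages do not, and inside a VM only when
#       the updated QEMU/libvirt pass the feature through
#   proc/cmdline: nopti, noibrs, noibpb, nospectre_v2, spectre_v2=off switch a
#       mitigation off even on a patched kernel

ROOT="${ROOT:-/}"; ROOT="${ROOT%/}"

# Map one sysfs status line to a word: mitigated | vulnerable | not_affected | unknown
classify_status() {
    case "$1" in
        "Not affected") echo not_affected ;;
        "Mitigation:"*) echo mitigated ;;
        "Vulnerable"*)  echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# Classification of one sysfs vulnerability file, or "missing" on kernels without it.
sysfs_status() {
    f="$ROOT/sys/devices/system/cpu/vulnerabilities/$1"
    [ -r "$f" ] || { echo missing; return 0; }
    classify_status "$(cat "$f")"
}

# Value of a Red Hat debugfs switch (1 = on, 0 = off), or "missing".
debugfs_knob() {
    f="$ROOT/sys/kernel/debug/x86/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Exit 0 if the CPU flag is listed on the first "flags" line of /proc/cpuinfo.
cpu_flag_present() {
    [ -r "$ROOT/proc/cpuinfo" ] || return 1
    sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$ROOT/proc/cpuinfo" \
        | head -n 1 | tr ' ' '\n' | grep -qx -- "$1"
}

# Exit 0 if the boot command line switches any of the mitigations off.
mitigation_disabled_on_cmdline() {
    [ -r "$ROOT/proc/cmdline" ] || return 1
    tr ' ' '\n' < "$ROOT/proc/cmdline" | grep -qxE 'nopti|noibrs|noibpb|nospectre_v2|spectre_v2=off'
}

# Print the report; exit 0 only when all three issues are mitigated or not affected
# and nothing is switched off on the command line.
report() {
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        s=$(sysfs_status "$v")
        case "$s" in mitigated|not_affected) ;; *) rc=1 ;; esac
        printf '%-11s %s\n' "$v" "$s"
    done
    printf 'debugfs: pti_enabled=%s ibrs_enabled=%s ibpb_enabled=%s\n' \
        "$(debugfs_knob pti_enabled)" "$(debugfs_knob ibrs_enabled)" "$(debugfs_knob ibpb_enabled)"
    for fl in pti spec_ctrl ibpb; do
        if cpu_flag_present "$fl"; then printf 'cpu flag %-9s yes\n' "$fl"
        else printf 'cpu flag %-9s no\n' "$fl"; fi
    done
    if [ "$(sysfs_status spectre_v2)" != mitigated ] && ! cpu_flag_present spec_ctrl; then
        echo 'spectre_v2 unmitigated and no spec_ctrl flag: vendor microcode missing, reverted, or not exposed to this VM'
    fi
    if mitigation_disabled_on_cmdline; then
        echo 'warning: a mitigation is switched off on the kernel command line'
        rc=1
    fi
    return $rc
}

# Run the report when executed as ./spec_check.sh; when sourced under another
# name only the functions are defined.
case "${0##*/}" in spec_check.sh) report ;; esac
```

Run it as root (debugfs must be mounted for the pti_enabled/ibrs_enabled/ibpb_enabled files; on the January 2018 RedHat kernels, which predate the sysfs files, those switches are the only in-kernel source of truth and the sysfs lines will read "missing"). The combination to look for on RedHat-family hosts after the microcode rollback is spectre_v2 reported as vulnerable (or ibrs_enabled=0) together with no spec_ctrl flag: the kernel is patched but the CPU is not providing the MSR, so only vendor microcode or a retpoline-built kernel will close it. Inside a VM, a missing spec_ctrl flag can equally mean that the host's qemu-kvm/libvirt have not been updated to pass the feature through.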
RedHat
As of Feb 2nd 2018, RedHat has shipped kernel updates that mitigate Meltdown (CVE-2017-5754), Spectre Variant 1 (CVE-2017-5753) and Spectre Variant 2 (CVE-2017-5715). However, because of stability problems, it has withdrawn the microcode updates (microcode_ctl) required for the Spectre Variant 2 mitigation and reverted to the last known good microcode (see RHSA-2018:0093 below). Without updated microcode from the hardware vendor, Spectre Variant 2 therefore remains unmitigated on affected CPUs even with the new kernel installed.
In order to patch RedHat systems, one needs to:
- On RHEL7: Update the kernel to
More Information
CERN information
CERN has compiled information which is useful for many EGI sites
https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml
Intel Information
Product patches:
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File
Revised recommendations from 17th January 2018:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Update regarding progress on reboot issue for some platforms [as of January 22nd]:
RedHat Information
Important! [as of 17th January]
RedHat has issued new microcode_ctl packages to rollback the latest updates, see https://access.redhat.com/errata/RHSA-2018:0093.
RedHat description:
https://access.redhat.com/security/vulnerabilities/speculativeexecution
https://access.redhat.com/articles/3307751 (subscription required)
https://access.redhat.com/solutions/3315431 (subscription required)
RedHat CVE info:
https://access.redhat.com/security/cve/CVE-2017-5754
https://access.redhat.com/security/cve/CVE-2017-5753
https://access.redhat.com/security/cve/CVE-2017-5715
RHEL6:
kernel-2.6.32-696.18.7.el6: https://access.redhat.com/errata/RHSA-2018:0008
microcode_ctl-1.17-25.2.el6_9: https://access.redhat.com/errata/RHSA-2018:0013
Important! [as of 13th January]
There appears to be a bug in the microcode_ctl update for Intel model 79 processors (Intel(R) Xeon(R) CPU E5-2637 v4 @ 3.50GHz, Intel(R) Xeon(R) CPU E5-2643 v4 @ 3.40GHz, Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.20GHz and Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.50GHz). The system fails to boot because of udev rules. There is no solution other than downgrading the microcode_ctl package. For more information, see: https://bugzilla.redhat.com/show_bug.cgi?id=1532283
https://access.redhat.com/solutions/3314661
RHEL7:
kernel-3.10.0-693.11.6.el7: https://access.redhat.com/errata/RHSA-2018:0007
microcode_ctl-2.1-22.2.el7: https://access.redhat.com/errata/RHSA-2018:0012
linux-firmware-20170606-57.gitc990aae.el7_4: https://access.redhat.com/errata/RHSA-2018:0014
qemu-kvm:
RHEL6:
qemu-kvm: https://access.redhat.com/errata/RHSA-2018:0024
libvirt: https://access.redhat.com/errata/RHSA-2018:0030
RHEL7:
qemu-kvm: https://access.redhat.com/errata/RHSA-2018:0023
libvirt: https://access.redhat.com/errata/RHSA-2018:0029
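As an added example (not from the EGI SVG page or from Red Hat/CentOS), the script below checks that the installed kernel, microcode_ctl and linux-firmware packages are at least the versions from the errata listed above for RHEL 6 and 7 (the CentOS and Scientific Linux rebuilds further down carry the same package versions), and, separately, that the kernel actually running is one of them, since an installed but not yet booted kernel is the usual gap. It assumes rpm(1) is available; the version comparison is a simplified re-implementation of rpm's segment comparison written in awk for this example and does not handle the ~ and ^ operators.

```shell
#!/bin/sh
# errata_check.sh - are the installed packages, and the *running* kernel, at least
# the versions from the January 2018 Meltdown/Spectre errata?
# Added example for this page; not code from EGI SVG, Red Hat or CentOS.
# Assumptions: an RPM-based system with rpm(1) in PATH; the minimum versions in
# minimums_for are the RHEL/CentOS 6 and 7 ones listed on this page. The
# comparison follows rpm's rules (numeric segments compared numerically,
# alphabetic ones lexically, numeric beats alphabetic) without ~ and ^ handling.

# Print -1, 0 or 1 as version $1 is lower than, equal to or higher than $2.
rpmvercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, arr,   n) {             # split into numeric / alphabetic runs
        n = 0
        while (s != "") {
            if (match(s, /^[0-9]+/) || match(s, /^[A-Za-z]+/)) {
                arr[++n] = substr(s, 1, RLENGTH); s = substr(s, RLENGTH + 1)
            } else { s = substr(s, 2) }      # separator such as . - _
        }
        return n
    }
    BEGIN {
        na = segs(a, A); nb = segs(b, B); n = (na < nb) ? na : nb
        for (i = 1; i <= n; i++) {
            an = (A[i] ~ /^[0-9]+$/); bn = (B[i] ~ /^[0-9]+$/)
            if (an && bn) {
                if (A[i] + 0 != B[i] + 0) { print ((A[i] + 0 < B[i] + 0) ? -1 : 1); exit }
            } else if (an != bn) { print (an ? 1 : -1); exit }   # numeric beats alpha
            else if (A[i] != B[i]) { print ((A[i] < B[i]) ? -1 : 1); exit }
        }
        print ((na == nb) ? 0 : ((na < nb) ? -1 : 1))    # longer version is higher
    }'
}

# Exit 0 when installed version $1 is at least required version $2.
version_ok() { [ "$(rpmvercmp "$1" "$2")" -ge 0 ]; }

# Read versions on stdin, one per line (rpm -q lists every installed kernel), print the highest.
highest_version() {
    best=
    while read -r v; do
        [ -n "$v" ] || continue
        if [ -z "$best" ] || [ "$(rpmvercmp "$v" "$best")" -gt 0 ]; then best=$v; fi
    done
    printf '%s\n' "$best"
}

# Minimum "version-release" per package for RHEL/CentOS release $1 (6 or 7).
minimums_for() {
    case "$1" in
        7) printf '%s\n' 'kernel 3.10.0-693.11.6.el7' 'microcode_ctl 2.1-22.2.el7' \
                         'linux-firmware 20170606-57.gitc990aae.el7_4' ;;
        6) printf '%s\n' 'kernel 2.6.32-696.18.7.el6' 'microcode_ctl 1.17-25.2.el6_9' ;;
        *) return 1 ;;
    esac
}

# Report one package; exit 0 only if the highest installed version is recent enough.
check_package() {
    pkg=$1; req=$2
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        printf '%-16s %-34s not installed (need >= %s)\n' "$pkg" - "$req"; return 1
    fi
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" | highest_version)
    if version_ok "$inst" "$req"; then printf '%-16s %-34s ok\n' "$pkg" "$inst"
    else printf '%-16s %-34s TOO OLD (need >= %s)\n' "$pkg" "$inst" "$req"; return 1; fi
}

# Exit 0 when the running kernel (uname -r, arch suffix included) is at least $1.
running_kernel_ok() { version_ok "$(uname -r)" "$1"; }

# Check every package and the running kernel for release $1. Exit 0 only if all ok.
check_release() {
    rc=0
    mins=$(minimums_for "$1") || { echo "unknown release $1"; return 2; }
    while read -r pkg req; do
        check_package "$pkg" "$req" || rc=1
    done <<EOF
$mins
EOF
    kreq=$(printf '%s\n' "$mins" | awk '$1 == "kernel" { print $2 }')
    if running_kernel_ok "$kreq"; then printf 'running kernel %s ok\n' "$(uname -r)"
    else printf 'running kernel %s TOO OLD: reboot into the updated kernel\n' "$(uname -r)"; rc=1; fi
    return $rc
}

# Usage: ./errata_check.sh 7   (or 6); when sourced under another name only the functions are defined.
case "${0##*/}" in errata_check.sh) check_release "${1:-7}" ;; esac
```

A non-zero exit from check_release is a useful signal for a site-wide sweep (pdsh, Ansible, or the batch system's health check), but note that a passing kernel and microcode_ctl version on RedHat-family hosts does not by itself mean Spectre Variant 2 is mitigated after the microcode rollback in RHSA-2018:0093; that still needs vendor microcode.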
CentOS Information
Important! [as of 17th January]
Centos seems to be following Redhat in the revert of the microcode_ctl package, see the disclaimer in the sources of the last package:
This update supersedes microcode provided by Red Hat with the CVE-2017-5715 (“Spectre”) CPU branch injection vulnerability mitigation. (Historically, Red Hat has provided updated microcode, developed by our microprocessor partners, as a customer convenience.) Further testing has uncovered problems with the microcode provided along with the “Spectre” mitigation that could lead to system instabilities. As a result, Red Hat is providing a microcode update that reverts to the last known good microcode version dated before 03 January 2018. Red Hat strongly recommends that customers contact their hardware provider for the latest microcode updates. IMPORTANT: Customers using Intel Skylake-, Broadwell-, and Haswell-based platforms must obtain and install updated microcode from their hardware vendor immediately. The "Spectre" mitigation requires both an updated kernel from Red Hat and updated microcode from your hardware vendor.
CentOS 7:
- kernel Security Update: CESA-2018:0007
- microcode_ctl Security Update: CESA-2018:0012 (also needs the dracut bug-fix update for AMD: CEBA-2018:0042)
- linux-firmware Security Update: CESA-2018:0014
- qemu-kvm Security Update: CESA-2018:0023
- libvirt Security Update: CESA-2018:0029
CentOS 6:
- kernel Security Update: CESA-2018:0008
- microcode_ctl Security Update: CESA-2018:0013
- qemu-kvm Security Update: CESA-2018:0024
- libvirt Security Update: CESA-2018:0030
See further in the centos-announce Security mails for January https://lists.centos.org/pipermail/centos-announce/2018-January/date.html
A serious bug in the microcode updates for some Intel CPUs (model 79) as distributed by Redhat (at least for RHEL 6 and derivatives) was found by one site and reported to us. This update rendered systems unbootable.
https://bugzilla.redhat.com/show_bug.cgi?id=1532283
https://access.redhat.com/solutions/3314661
RedHat info on performance:
https://access.redhat.com/articles/3311301
Scientific Linux
Important! [as of 18th January]
Scientific Linux is following RedHat in the revert of the microcode_ctl package, see https://www.scientificlinux.org/category/sl-errata/slsa-20180093-1/:
This update supersedes the previous microcode update provided with the CVE-2017-5715 (Spectre) CPU branch injection vulnerability mitigation. Further testing has uncovered problems with the microcode provided along with the Spectre mitigation that could lead to system instabilities. As a result, this microcode update reverts to the last known good microcode version dated before 03 January 2018. You should contact your hardware provider for the latest microcode updates. IMPORTANT: If you are using Intel Skylake-, Broadwell-, and Haswell-based platforms, obtain and install updated microcode from your hardware vendor immediately. The "Spectre" mitigation requires both an updated kernel and updated microcode from your hardware vendor.
SL6:
https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/
SL7:
https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/
qemu-kvm:
SL6:
qemu-kvm: http://scientificlinux.org/category/sl-errata/slsa-20180024-1/
libvirt: http://scientificlinux.org/category/sl-errata/slsa-20180030-1/
SL7:
qemu-kvm: http://scientificlinux.org/category/sl-errata/slsa-20180023-1/
libvirt: http://scientificlinux.org/category/sl-errata/slsa-20180029-1/
Ubuntu
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
Supermicro
https://www.supermicro.com/support/security_Intel-SA-00088.cfm
Dell products
Important! [as of 23rd January]
Dell is advising that all customers and partners should not deploy the BIOS update for the Spectre vulnerability at this time due to Intel’s advisory acknowledging reboot issues and unpredictable system behaviour.
Note that this is changing rather frequently.
HPE products
[as of January 23]
HPE has updated its advisory to note that it has "Marked impacted products with TBD for System ROM updates per Intel's guidance on microcode issues", so it is following suit with Dell.
Lenovo products
[as of January 23]
Lenovo security advisory
https://support.lenovo.com/gb/en/solutions/len-18282
Xen
- https://xenbits.xen.org/xsa/advisory-254.html
- https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/
- https://wiki.xenproject.org/wiki/Xen_Project_Meltdown_and_Spectre_Technical_FAQ
- https://wiki.xenproject.org/wiki/Respond_to_Meltdown_and_Spectre
In order to protect hypervisors from malicious VMs, the kernel, microcode and QEMU must be updated: