Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:Meltdown and Spectre Vulnerabilities"

From EGIWiki
Jump to navigation Jump to search
(Deprecate page)
Tag: Replaced
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{svg-header}}  
{{svg-header}}  
 
{{DeprecatedAndMovedTo|new_location=https://advisories.egi.eu/Meltdown_and_Spectre_Vulnerabilities.html}}
== Purpose of this page  ==
 
To provide more detailed information about the Meltdown and Spectre vulnerabilities, to complement the advisory, [[SVG:Advisory-SVG-CVE-2017-5753]].
 
We are continuing to add new information when we become aware of it, and the situation continues to change (02nd February 2018).
 
== What are they?  ==
 
These are vulnerabilities in the design of the chip hardware, and cannot be fully resolved by patching operating systems. However patches are available which mitigate these problems.
* Meltdown (CVE-2017-5754) affects most Intel chips.
* Spectre (CVE-2017-5753 and CVE-2017-5715) affects a wide range of chips.
 
For more details, see [https://meltdownattack.com/ https://meltdownattack.com/ ], [https://spectreattack.com/ https://spectreattack.com/] and [https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html]
 
== How to mitigate these vulnerabilities ==
 
Each CVE can be mitigated via different ways:
* Meltdown (CVE-2017-5754) can be mitigated via [https://en.wikipedia.org/wiki/Kernel_page-table_isolation Kernel Page Table Isolation], which is enabled by default in latest linux kernels
* Spectre Variant 1 (CVE-2017-5753) has to be mitigated in each software which can be vulnerable. The latest linux kernel contains fixes to protect itself (does not protect other software).
* Spectre Variant 2 (CVE-2017-5715) can be (at least partially) mitigated via at least two different approach:
** Using new Intel-specific MSR, added via a microcode update, to control indirect branch restricted speculation (IBRS): Both a kernel and a microcode update are required. In addition, in case of virtualization, an update of the virtualization software (e.g. qemu & virt) is required to expose the new MSR to the VM.
** Using "retpoline", a new software construct that can mitigate, on most CPUs, the vulnerability
 
=== RedHat ===
 
As of Feb 2nd 2018, RedHat has [https://access.redhat.com/security/vulnerabilities/speculativeexecution offered new kernel updates that can mitigate Meltdown (CVE-2017-5754), Spectre Variant 1 (CVE-2017-5753) and Spectre Variant 2 (CVE-2017-5715)].
 
However, due to instability issues, it has [https://access.redhat.com/errata/RHSA-2018:0093 removed the microcode updates required for Spectre Variant 2 (CVE-2017-5715)]. Until Intel releases stable microcode or RedHat switches to 'retpoline', no mitigation for Spectre Variant 2 (CVE-2017-5715) is safely usable.
 
It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:
* On RHEL7: Updating the kernel to 3.10.0-693.11.6.el7, see [https://access.redhat.com/errata/RHSA-2018:0007 RHSA-2018:0007]
* On RHEL6: Updating the kernel to 2.6.32-696.18.7.el6, see [https://access.redhat.com/errata/RHSA-2018:0008 RHSA-2018:0008]
 
=== Centos ===
 
Centos is following RedHat (see above).
 
It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:
* On Centos 7: Updating the kernel to 3.10.0-693.11.6.el7, see [https://lists.centos.org/pipermail/centos-announce/2018-January/022696.html CESA-2018:0007]
* On Centos 6: Updating the kernel to 2.6.32-696.18.7.el6, see [https://lists.centos.org/pipermail/centos-announce/2018-January/022701.html CESA-2018:0008]
 
=== Scientific Linux ===
 
Scientific Linux is following RedHat (see above).
 
It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:
* On SL7: Updating the kernel to 3.10.0-693.11.6.el7, see [https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/ SLSA-2018:0007-1]
* On SL6: Updating the kernel to 2.6.32-696.18.7.el6, see [https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/ SLSA-2018:0008-1]
 
Additional details as well as information on other systems and platforms can be found in the next section.
 
== More Information ==
 
=== Relevant Advisories ===
==== CERN ====
 
CERN has compiled information which is useful for many EGI sites:
 
[https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml]
 
==== Intel ====
 
Intel has initially, on January 8th, [https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File released new microcodes] to complement the IBRS kernel patchset. However, these new microcodes are in fact '''unstable''' and Intel has since then recommended to stop deploying them.
 
Intel latest recommendation can be found in their advisory, [https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr INTEL-SA-00088]
 
More updates and information:
* [https://newsroom.intel.com/news/intel-responds-to-security-research-findings/ Jan 3rd: Initial response]
* [https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/ Jan 4th]
* [https://newsroom.intel.com/news/intel-offers-security-issue-update/ Jan 9th: Microcode released]
* [https://newsroom.intel.com/editorials/intel-security-issue-update-initial-performance-data-results-client-systems/ Jan 10th: performance impact analysis]
* [https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/ Jan 11th: Microcode unstability reported]
* [https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/ Jan 17th]
* [https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/ Jan 22th: Instabilities causes found for 2 Intel series]
 
=== Linux Distributions ===
==== RedHat ====
 
'''Important! [as of 17th January]'''
 
RedHat has issued new microcode_ctl packages to rollback the latest updates, see [https://access.redhat.com/errata/RHSA-2018:0093 RHSA-2018:0093].
 
<br>
 
RedHat description:
* [https://access.redhat.com/security/vulnerabilities/speculativeexecution https://access.redhat.com/security/vulnerabilities/speculativeexecution]
* [https://access.redhat.com/articles/3307751 https://access.redhat.com/articles/3307751 (subscription required)]
* [https://access.redhat.com/solutions/3315431 https://access.redhat.com/solutions/3315431 (subscription required)]
 
RedHat CVE info:
* [https://access.redhat.com/security/cve/CVE-2017-5754 CVE-2017-5754]
* [https://access.redhat.com/security/cve/CVE-2017-5753 CVE-2017-5753]
* [https://access.redhat.com/security/cve/CVE-2017-5715 CVE-2017-5715]
 
==== CentOS ====
 
'''Important! [as of 17th January]'''
 
Centos seems to be following Redhat in the revert of the microcode_ctl package, see [https://git.centos.org/blob/rpms!microcode_ctl.git/c7/SOURCES!disclaimer the disclaimer in the sources of the last package]
 
<br>
 
CentOS 7:
 
* kernel Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022696.html CESA-2018:0007]
* microcode_ctl Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022697.html CESA-2018:0012] <br> also needs dracut BugFix Update for AMD: [https://lists.centos.org/pipermail/centos-announce/2018-January/022708.html CEBA-2018:0042]
* linux-firmware Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022698.html CESA-2018:0014]
* qemu-kvm Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022705.html CESA-2018:0023]
* libvirt Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022704.html CESA-2018:0029]
 
CentOS 6:
 
* kernel Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022701.html CESA-2018:0008]
* microcode_ctl Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022700.html CESA-2018:0013]
* qemu-kvm Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022702.html CESA-2018:0024]
* libvirt Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022703.html CESA-2018:0030]
 
See further in the centos-announce Security mails for January
[https://lists.centos.org/pipermail/centos-announce/2018-January/date.html  https://lists.centos.org/pipermail/centos-announce/2018-January/date.html]
 
==== Scientific Linux  ====
 
'''Important! [as of 18th January]'''
 
Scientific Linux is following RedHat in the revert of the microcode_ctl package, see [https://www.scientificlinux.org/category/sl-errata/slsa-20180093-1/ https://www.scientificlinux.org/category/sl-errata/slsa-20180093-1/]
 
<br>
 
* SL6: [https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/ https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/]
* SL7: [https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/ https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/]
 
<br>
 
* SL6:
** qemu-kvm: [http://scientificlinux.org/category/sl-errata/slsa-20180024-1/ http://scientificlinux.org/category/sl-errata/slsa-20180024-1/]
** libvirt: [http://scientificlinux.org/category/sl-errata/slsa-20180030-1/ http://scientificlinux.org/category/sl-errata/slsa-20180030-1/]
* SL7:
** qemu-kvm: [http://scientificlinux.org/category/sl-errata/slsa-20180023-1/ http://scientificlinux.org/category/sl-errata/slsa-20180023-1/]
** libvirt: [http://scientificlinux.org/category/sl-errata/slsa-20180029-1/ http://scientificlinux.org/category/sl-errata/slsa-20180029-1/]
 
==== Ubuntu  ====
 
[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown]
 
==== Debian ====
 
[https://security-tracker.debian.org/tracker/CVE-2017-5715 CVE-2017-5715]
[https://security-tracker.debian.org/tracker/CVE-2017-5753 CVE-2017-5753]
[https://security-tracker.debian.org/tracker/CVE-2017-5754 CVE-2017-5754]
 
=== System Vendors ===
==== Supermicro ====
 
[https://www.supermicro.com/support/security_Intel-SA-00088.cfm https://www.supermicro.com/support/security_Intel-SA-00088.cfm]
 
==== Dell ====
 
'''Important! [as of 23rd January]'''
 
Dell is advising that all customers and partners should not deploy the BIOS update for the Spectre vulnerability at this time due to Intel’s advisory acknowledging reboot issues and unpredictable system behaviour.
 
[http://www.dell.com/support/contents/uk/en/ukbsdt1/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre http://www.dell.com/support/contents/uk/en/ukbsdt1/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre]
 
 
[https://www.dell.com/support/article/uk/en/ukbsdt1/sln308588/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-emc-products-dell-enterprise-servers-storage-and-networking-?lang=en https://www.dell.com/support/article/uk/en/ukbsdt1/sln308588/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-emc-products-dell-enterprise-servers-storage-and-networking-?lang=en]
 
Note this is changing rather frequently
 
==== HPE ====
 
[as of January 23]
 
HPE has updated their advisory to note that "Marked impacted products with TBD for System ROM updates per Intel's guidance on microcode issues" - so following suit with DELL.
 
[https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=null&docLocale=en_US&docId=emr_na-hpesbhf03805en_us https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=null&docLocale=en_US&docId=emr_na-hpesbhf03805en_us]
 
==== Lenovo ====
 
[as of January 23]
 
Lenovo security advisory
 
 
=== Hypervisors ===
 
[https://support.lenovo.com/gb/en/solutions/len-18282 https://support.lenovo.com/gb/en/solutions/len-18282]
==== Xen  ====
 
 
* [https://xenbits.xen.org/xsa/advisory-254.html https://xenbits.xen.org/xsa/advisory-254.html]
* [https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/ https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/]
* [https://wiki.xenproject.org/wiki/Xen_Project_Meltdown_and_Spectre_Technical_FAQ https://wiki.xenproject.org/wiki/Xen_Project_Meltdown_and_Spectre_Technical_FAQ]
* [https://wiki.xenproject.org/wiki/Respond_to_Meltdown_and_Spectre https://wiki.xenproject.org/wiki/Respond_to_Meltdown_and_Spectre]
 
==== QEMU-KVM  ====
 
In order to protect hypervisors from malicious VMs, the kernel, microcode and QEMU must be updated:
 
[https://www.qemu.org/2018/01/04/spectre/ https://www.qemu.org/2018/01/04/spectre/]

Revision as of 11:13, 21 October 2021

Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Meltdown and Spectre Vulnerabilities

Alert.png This article is Deprecated and has been moved to https://advisories.egi.eu/Meltdown_and_Spectre_Vulnerabilities.html.


Retrieved from "https://wiki.egi.eu/w/index.php?title=SVG:Meltdown_and_Spectre_Vulnerabilities&oldid=113466"