SVG:Meltdown and Spectre Vulnerabilities

From EGIWiki
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template RAT/Membership Documents Assessment Secure Coding Info for SVG members

Contents

Meltdown and Spectre Vulnerabilities


Purpose of this page

To provide more detailed information about the Meltdown and Spectre vulnerabilities, to complement the advisory, SVG:Advisory-SVG-CVE-2017-5753.

This was compiled in January and early February 2018

Information including more recent SVG Speculative execution vulnerabilities

What are they?

These are vulnerabilities in the design of the chip hardware, and cannot be fully resolved by patching operating systems. However patches are available which mitigate these problems.

For more details, see https://meltdownattack.com/ , https://spectreattack.com/ and https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html

How to mitigate these vulnerabilities

Each CVE can be mitigated via different ways:

RedHat

As of Feb 2nd 2018, RedHat has offered new kernel updates that can mitigate Meltdown (CVE-2017-5754), Spectre Variant 1 (CVE-2017-5753) and Spectre Variant 2 (CVE-2017-5715).

However, due to instability issues, it has removed the microcode updates required for Spectre Variant 2 (CVE-2017-5715). Until Intel releases stable microcode or RedHat switches to 'retpoline', no mitigation for Spectre Variant 2 (CVE-2017-5715) is safely usable.

It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:

Centos

Centos is following RedHat (see above).

It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:

Scientific Linux

Scientific Linux is following RedHat (see above).

It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:

Additional details as well as information on other systems and platforms can be found in the next section.

More Information

Relevant Advisories

CERN

CERN has compiled information which is useful for many EGI sites:

https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml

Intel

Intel has initially, on January 8th, released new microcodes to complement the IBRS kernel patchset. However, these new microcodes are in fact unstable and Intel has since then recommended to stop deploying them.

Intel latest recommendation can be found in their advisory, INTEL-SA-00088

More updates and information:

Linux Distributions

RedHat

Important! [as of 17th January]

RedHat has issued new microcode_ctl packages to rollback the latest updates, see RHSA-2018:0093.


RedHat description:

RedHat CVE info:

CentOS

Important! [as of 17th January]

Centos seems to be following Redhat in the revert of the microcode_ctl package, see the disclaimer in the sources of the last package


CentOS 7:

CentOS 6:

See further in the centos-announce Security mails for January https://lists.centos.org/pipermail/centos-announce/2018-January/date.html

Scientific Linux

Important! [as of 18th January]

Scientific Linux is following RedHat in the revert of the microcode_ctl package, see https://www.scientificlinux.org/category/sl-errata/slsa-20180093-1/



Ubuntu

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

Debian

CVE-2017-5715 CVE-2017-5753 CVE-2017-5754

System Vendors

Supermicro

https://www.supermicro.com/support/security_Intel-SA-00088.cfm

Dell

Important! [as of 23rd January]

Dell is advising that all customers and partners should not deploy the BIOS update for the Spectre vulnerability at this time due to Intel’s advisory acknowledging reboot issues and unpredictable system behaviour.

http://www.dell.com/support/contents/uk/en/ukbsdt1/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre


https://www.dell.com/support/article/uk/en/ukbsdt1/sln308588/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-emc-products-dell-enterprise-servers-storage-and-networking-?lang=en

Note this is changing rather frequently

HPE

[as of January 23]

HPE has updated their advisory to note that "Marked impacted products with TBD for System ROM updates per Intel's guidance on microcode issues" - so following suit with DELL.

https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=null&docLocale=en_US&docId=emr_na-hpesbhf03805en_us

Lenovo

[as of January 23]

Lenovo security advisory


Hypervisors

https://support.lenovo.com/gb/en/solutions/len-18282

Xen

QEMU-KVM

In order to protect hypervisors from malicious VMs, the kernel, microcode and QEMU must be updated:

https://www.qemu.org/2018/01/04/spectre/

Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox
Print/export