[opensuse-security] patch openSUSE-2019-1806 fails to mitigate CVE-2018-12126/CVE-2018-12130/CVE-2018-12127/CVE-2019-11091 ?
This security update

    https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00052.html

addresses

    Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)

    - CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
    - CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
    - CVE-2018-12130: Microarchitectural Load Port Data Sampling (MLPDS)
    - CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

    These updates contain the CPU Microcode adjustments for the software mitigations.

to be installed with

    zypper in -t patch openSUSE-2019-1806=1

here, running

    lsb_release -rd
        Description: openSUSE Leap 15.1
        Release: 15.1

    uname -rm
        5.5.2-25.g994cf1f-default x86_64

    rpm -qa | egrep "ucode-intel|firmware-intel"
        ucode-intel-20191115-lp151.3.9.x86_64
        kernel-firmware-intel-20200122-36.2.noarch

on an old, but otherwise functional, laptop,

    cat /proc/cpuinfo | grep -i "model name"
        model name : Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz

with mitigations enabled with,

    cat /proc/cmdline
        BOOT_IMAGE=/vmlinuz-5.5.2-25.g994cf1f-default ... mitigations=auto,nosmt ...

and

    zypper in -t patch openSUSE-2019-1806=1
        Loading repository data...
        Reading installed packages...
        'patch:openSUSE-2019-1806 = 1' is already installed.
        Resolving package dependencies...

        Nothing to do.

a check with

    spectre-meltdown-checker.sh --version
        Spectre and Meltdown mitigation detection tool v0.43

returns

    ...
    CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
    * Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
    * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
    * Kernel mitigation is enabled and active: NO
    * SMT is either mitigated or disabled: YES
    > STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)

    CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
    * Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
    * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
    * Kernel mitigation is enabled and active: NO
    * SMT is either mitigated or disabled: YES
    > STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)

    CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
    * Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
    * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
    * Kernel mitigation is enabled and active: NO
    * SMT is either mitigated or disabled: YES
    > STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)

    CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
    * Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
    * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
    * Kernel mitigation is enabled and active: NO
    * SMT is either mitigated or disabled: YES
    > STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
    ...

and

    cat /sys/devices/system/cpu/vulnerabilities/mds
        Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled

what additional mitigation, &/or specific microcode update is required to complete the mitigations?

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
Hi,

On Wed, Feb 12, 2020 at 08:29:53PM -0800, PGNet Dev wrote:
> This security update
>
>     https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00052.html
>
> addresses
>
>     Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)
>
>     - CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
>     - CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
>     - CVE-2018-12130: Microarchitectural Load Port Data Sampling (MLPDS)
>     - CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
>
>     These updates contain the CPU Microcode adjustments for the software mitigations.
>
> to be installed with
>
>     zypper in -t patch openSUSE-2019-1806=1
>
> here, running
>
>     lsb_release -rd
>         Description: openSUSE Leap 15.1
>         Release: 15.1
>
>     uname -rm
>         5.5.2-25.g994cf1f-default x86_64
>
>     rpm -qa | egrep "ucode-intel|firmware-intel"
>         ucode-intel-20191115-lp151.3.9.x86_64
>         kernel-firmware-intel-20200122-36.2.noarch
>
> on an old, but otherwise functional, laptop,
>
>     cat /proc/cpuinfo | grep -i "model name"
>         model name : Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz
>
> with mitigations enabled with,
>
>     cat /proc/cmdline
>         BOOT_IMAGE=/vmlinuz-5.5.2-25.g994cf1f-default ... mitigations=auto,nosmt ...
>
> and
>
>     zypper in -t patch openSUSE-2019-1806=1
>         Loading repository data...
>         Reading installed packages...
>         'patch:openSUSE-2019-1806 = 1' is already installed.
>         Resolving package dependencies...
>
>         Nothing to do.
>
> a check with
>
>     spectre-meltdown-checker.sh --version
>         Spectre and Meltdown mitigation detection tool v0.43
>
> returns
>
>     ...
>     CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
>     * Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
>     * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
>     * Kernel mitigation is enabled and active: NO
>     * SMT is either mitigated or disabled: YES
>     > STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
>
>     CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
>     * Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
>     * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
>     * Kernel mitigation is enabled and active: NO
>     * SMT is either mitigated or disabled: YES
>     > STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
>
>     CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
>     * Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
>     * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
>     * Kernel mitigation is enabled and active: NO
>     * SMT is either mitigated or disabled: YES
>     > STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
>
>     CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
>     * Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
>     * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
>     * Kernel mitigation is enabled and active: NO
>     * SMT is either mitigated or disabled: YES
>     > STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
>     ...
>
> and
>
>     cat /sys/devices/system/cpu/vulnerabilities/mds
>         Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
>
> what additional mitigation, &/or specific microcode update is required to complete the mitigations?

A newer processor. :/

Sadly, Intel does not provide updated microcode for older processors.

Ciao, Marcus
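
Added example, not part of the thread or of any poster's message: the mds status line quoted above carries two fields, a mitigation state and an SMT state, and "no microcode" corresponds to the CPU not enumerating the md_clear flag. The shell functions below parse that line and cross-check it against a flags string as found in /proc/cpuinfo; the function names, verdict words and the sample flags string are made up for this example, while the state strings are the ones the kernel documents for this sysfs file.

```shell
#!/bin/sh
# Added example: interpret the kernel's MDS status line (not code from the thread).

# mds_parse LINE -> "state|smt", splitting the mitigation state from the SMT suffix.
mds_parse() {
    line=$1
    body=${line%%;*}                 # text before the first ';'
    smt=${line##*; }                 # text after the last '; '
    if [ "$smt" = "$line" ]; then smt=unreported; fi
    case $body in
        "Not affected")                  state=not_affected ;;
        "Mitigation: Clear CPU buffers") state=mitigated ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode")
                                         state=best_effort ;;
        "Vulnerable")                    state=vulnerable ;;
        *)                               state=unknown ;;
    esac
    printf '%s|%s\n' "$state" "$smt"
}

# has_md_clear FLAGS -> true if the CPU enumerates the md_clear feature,
# i.e. the loaded microcode makes VERW flush the affected buffers.
has_md_clear() {
    case " $1 " in *" md_clear "*) return 0 ;; *) return 1 ;; esac
}

# mds_verdict LINE FLAGS -> one-word assessment combining both sources.
mds_verdict() {
    parsed=$(mds_parse "$1")
    state=${parsed%%|*}
    smt=${parsed#*|}
    case $state in
        not_affected) echo ok ;;
        mitigated)
            if [ "$smt" = "SMT vulnerable" ]; then echo smt-exposed; else echo ok; fi ;;
        best_effort)
            if has_md_clear "$2"; then echo inconsistent; else echo needs-microcode; fi ;;
        vulnerable)   echo unmitigated ;;
        *)            echo unknown ;;
    esac
}

# Live use: mds_verdict "$(cat /sys/devices/system/cpu/vulnerabilities/mds)" \
#                       "$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)"

# Status line from the thread; the flags string is constructed for the example.
mds_verdict 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled' \
            'fpu vme de pse tsc msr sse sse2 ht'
```

In the "no microcode" state the kernel still executes the buffer-clearing instruction on a best-effort basis, which is why the checker reports kernel support as YES but the mitigation as not active.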

On 13/02/2020 08.30, Marcus Meissner wrote:
> Hi,
>
> On Wed, Feb 12, 2020 at 08:29:53PM -0800, PGNet Dev wrote:
>> This security update
>>
>>     https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00052.html
>>
>> addresses
>>
>> ...
>>
>> on an old, but otherwise functional, laptop,
>>
>>     cat /proc/cpuinfo | grep -i "model name"
>>         model name : Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz
>>
>> ...
>>
>> a check with
>>
>>     spectre-meltdown-checker.sh --version
>>         Spectre and Meltdown mitigation detection tool v0.43
>>
>> returns
>>
>> ...
>>
>> and
>>
>>     cat /sys/devices/system/cpu/vulnerabilities/mds
>>         Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
>>
>> what additional mitigation, &/or specific microcode update is required to complete the mitigations?
>
> A newer processor. :/
>
> Sadly, Intel does not provide updated microcode for older processors.

Doesn't the Linux kernel include other mitigations besides Intel provided microcode?

If only new processors are covered by them, we are doomed. :-(

--
Cheers / Saludos,

        Carlos E. R.
        (from 15.1 x86_64 at Telcontar)

On Thu, Feb 13, 2020 at 11:41:16AM +0100, Carlos E. R. wrote:
> On 13/02/2020 08.30, Marcus Meissner wrote:
>> Hi,
>>
>> On Wed, Feb 12, 2020 at 08:29:53PM -0800, PGNet Dev wrote:
>>> This security update
>>>
>>>     https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00052.html
>>>
>>> addresses
>>>
>>> ...
>>>
>>> on an old, but otherwise functional, laptop,
>>>
>>>     cat /proc/cpuinfo | grep -i "model name"
>>>         model name : Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz
>>>
>>> ...
>>>
>>> a check with
>>>
>>>     spectre-meltdown-checker.sh --version
>>>         Spectre and Meltdown mitigation detection tool v0.43
>>>
>>> returns
>>>
>>> ...
>>>
>>> and
>>>
>>>     cat /sys/devices/system/cpu/vulnerabilities/mds
>>>         Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
>>>
>>> what additional mitigation, &/or specific microcode update is required to complete the mitigations?
>>
>> A newer processor. :/
>>
>> Sadly, Intel does not provide updated microcode for older processors.
>
> Doesn't the Linux kernel include other mitigations besides Intel provided microcode?
>
> If only new processors are covered by them, we are doomed. :-(

Some of the processor mitigations can be done in software, like retpolines or spectre v1 and v3 like fixes, or L1TF baremetal fixes.

Others need CPU Microcode help, and yes, these are then problematic.

The major ones like Meltdown, Spectre v1, v2 are covered by software only solutions, the rest has a smaller impact.

If you are just using this as your home machine or laptop, no need to worry.

Realistic attack scenarios include multiuser servers, either with untrusted users or untrusted VMs.

Ciao, Marcus

On 13/02/2020 11.54, Marcus Meissner wrote:
> On Thu, Feb 13, 2020 at 11:41:16AM +0100, Carlos E. R. wrote:
>> On 13/02/2020 08.30, Marcus Meissner wrote:
>>> Hi,
>>>
>>> On Wed, Feb 12, 2020 at 08:29:53PM -0800, PGNet Dev wrote:
>>>> This security update
>>>>
>>>>     https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00052.html
>>>>
>>>> addresses
>>>>
>>>> ...
>>>>
>>>> on an old, but otherwise functional, laptop,
>>>>
>>>>     cat /proc/cpuinfo | grep -i "model name"
>>>>         model name : Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz
>>>>
>>>> ...
>>>>
>>>> a check with
>>>>
>>>>     spectre-meltdown-checker.sh --version
>>>>         Spectre and Meltdown mitigation detection tool v0.43
>>>>
>>>> returns
>>>>
>>>> ...
>>>>
>>>> and
>>>>
>>>>     cat /sys/devices/system/cpu/vulnerabilities/mds
>>>>         Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
>>>>
>>>> what additional mitigation, &/or specific microcode update is required to complete the mitigations?
>>>
>>> A newer processor. :/
>>>
>>> Sadly, Intel does not provide updated microcode for older processors.
>>
>> Doesn't the Linux kernel include other mitigations besides Intel provided microcode?
>>
>> If only new processors are covered by them, we are doomed. :-(
>
> Some of the processor mitigations can be done in software, like retpolines or spectre v1 and v3 like fixes, or L1TF baremetal fixes.
>
> Others need CPU Microcode help, and yes, these are then problematic.
>
> The major ones like Meltdown, Spectre v1, v2 are covered by software only solutions, the rest has a smaller impact.
>
> If you are just using this as your home machine or laptop, no need to worry.

Thanks.

Well, I'm replacing my main desktop machine (because of other reasons), but the new CPU will be an AMD Ryzen, because of these problems. Intel now scares me. And the mitigations make them slower.

But I have other machines I can not replace, and one of them is reachable from Internet via ssh:

    Intel(R) Pentium(R) CPU N3710 @ 1.60GHz

> Realistic attack scenarios include multiuser servers, either with untrusted users or untrusted VMs.

No, nothing like that. Unless we consider Apache to be vulnerable, as the users are unknown.

--
Cheers / Saludos,

        Carlos E. R.
        (from 15.1 x86_64 at Telcontar)

On 2/12/20 11:30 PM, Marcus Meissner wrote:
> A newer processor. :/
>
> Sadly, Intel does not provide updated microcode for older processors.

shame. i'd _thought_ there were software-only mitigations for these. time to re-read.

it's a perfectly functional, fully up-to-date (except for these mitigations) laptop, that STILL runs more reliably than off-the-shelf M$.

Intel's certainly selling a lot of Ryzens. Think they get a $cut ?

participants (3)
- Carlos E. R.
- Marcus Meissner
- PGNet Dev