Mailinglist Archive: opensuse-security-announce (79 mails)

< Previous Next >
[security-announce] New Intel CPU issues announced - openSUSE fixes coming
Hi folks,

Today Intel and security researchers published a number of security
issues covering various Intel hardware and software components.

These cover half a year of collected fixes, only some of them are
relevant to the Operating System vendors.

Two main relevant security issues are in there:

1. Machine Check Error on Page Size Changes / CVE-2018-12207

A race condition during instruction decoding and extended pagetable
management on Intel CPUs could lead to Machine Check Errors (crashes
of a CPU), a denial of service attack.

This issue could be used by an attacker with full access to a guest
VM to crash the host.

This race condition exists in all current Intel CPUs, except Intel Atom and
Knights Landing.

There is a Intel Whitepaper:
https://software.intel.com/security-software-guidance/insights/deep-dive-machine-check-error-avoidance-page-size-change

SUSE provides a software mitigation for this issue in updates to its
Hypervisors, both for KVM in the Linux Kernel and for XEN.

The mitigations are not needed in guests.

The mitigation is enabled by default, our TID
https://www.suse.com/support/kb/doc/?id=7023735 has details on how to check its
status and configuration.

Updated packages are linked from
https://www.suse.com/security/cve/CVE-2018-12207/


2. Transactional Asynchronous Abort (TAA) / CVE-2019-11135

Researchers from TU Graz, KU Leuven, CISPA Helmholtz Center, VUSec group at
VU Amsterdam have identified an additional
CPU based information leak attack, similar to the "Microarchitectural Data
Sampling" (MDS) attack published in May 2019.

They showed that during an asynchronous abort of a Transactional
Execution, various microarchitectural buffers might be speculatively
accessed that could cause side effects similar to the MDS attack,
leaking small amounts of recently or currently used data on the same
CPU core.

Intel has provided Microcode updates, and SUSE provides fixed Kernel
and XEN packages to help mitigate this problem.

Intels whitepaper is available at
https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort

Depending on the environment, administrators also need to consider disabling
Hyperthreading and/or disabling TSX support.
Disabling TSX is only possible with the help of CPU Microcode updates on
Cascade Lake and newer systems.

We have not enabled the TSX disablement and the HT disablement, only the
buffer clearing, to avoid
performance losses.

The options to control the mitigations are available and documented
in our TID https://www.suse.com/support/kb/doc/?id=7024251 .

Updated packages are linked from our
https://www.suse.com/security/cve/CVE-2019-11135/ page

SUSE has supplied online updates for the Linux Kernel, XEN, Intel CPU
Microcode, and qemu
to mitigate these issues.

We will release openSUSE Leap and Tumbleweed fixes for this in the next day(s).

Ciao, Marcus
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security-announce+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages