Siduction Forum > Upgrade Warnings (DE / EN)

Info about Meltdown and Spectre Bugs

(1/4) > >>

musca:
Hello,
like any other operating system siduction 18.1.0 is affected by the Meltdown and Spectre security issues caused by faulty processor design.
As a rolling release siduction integrates security fixes with its latest dist-upgrades:

MELTDOWN:
Processes can read the page table of other processes and so may gain secret information.
Since version 4.14.11-towo.2 the siduction kernel setsCONFIG_PAGE_TABLE_ISOLATION=yand towo' has integrated the upcoming 4.14.12-rc1 patch in the 4.14.11-towo.3-kernel.


SPECTRE:
The Speculative Execution Side-Channel Attack needs to be mitigated in the application layer, i.e. software developers need to include some mitigation measure in their products. Basically this means the whole world has to be recompiled with a patched compiler.


intel-microcode   3.20171215.1 contains some fixes for CVE-2017-5715 and Spectre variant 2.
Chromium 63.0.3239.84 provides experimental "Strict Site Isolation" (to be enabled on chrome://flags/#enable-site-per-process )
Firefox 57.0.4 contains a mitigation ( https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/ )


(list to be continued ...)


greetings
musca


devil:
What is recommended for Chrome also goes for Opera and Vivaldi, as they use the same Engine as Chrome.

Mte90:
Tried right now what is suggested on https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/
what I got it:

--- Code: ---pectre and Meltdown mitigation detection tool v0.19

Checking for vulnerabilities against live running kernel Linux 4.14.12-towo.2-siduction-amd64 #1 SMP PREEMPT siduction 4.14-22 (2018-01-08) x86_64
Will use vmlinux image /boot/vmlinuz-4.14.12-towo.2-siduction-amd64
Will use kconfig /proc/config.gz
Will use System.map file /proc/kallsyms

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO  (only 34 opcodes found, should be >= 70)
> STATUS:  VULNERABLE  (heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
--- End code ---

musca:
Hello Mte90,

thanks for the suggestion.
These results are expected as only Meltdown has been fixed in the kernel yet.

According to Greg's Blog it will take weeks of the kernel comunity to develope the needed counter measures against spectre.

greetings
musca

CCarpenter:

--- Quote from: Mte90 on 2018/01/09, 12:22:37 ---Tried right now what is suggested on https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/

--- End quote ---

Tested my System ...


--- Code: ---Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux 4.14.13-towo.2-siduction-amd64 #1 SMP PREEMPT siduction 4.14-24 (2018-01-15) x86_64
CPU is AMD Ryzen 7 1800X Eight-Core Processor

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable: Minimal AMD ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that your CPU is unaffected)
> STATUS:  NOT VULNERABLE  (Not affected)

A false sense of security is worse than no security at all, see --disclaimer

--- End code ---

Navigation

[0] Message Index

[#] Next page

Go to full version