Meltdown and spectre


#1

not good news…

https://meltdownattack.com/


https://www.kb.cert.org/vuls/id/584653

https://access.redhat.com/errata/RHSA-2018:0007
https://access.redhat.com/security/vulnerabilities/speculativeexecution

centos:
https://lists.centos.org/pipermail/centos-announce/2018-January/022696.html
https://lists.centos.org/pipermail/centos-announce/2018-January/022697.html
https://lists.centos.org/pipermail/centos-announce/2018-January/022698.html


So, what are you working on? - 8 Jan 18
(Rob Bosch) #2

If a ‘feature’ can be abused it most likely will be. So I think, if possible, it is important this gets addressed for NethServer. It can also be a huge pro if NethServer manages to be one of the first to fight this. It could make great advocacy if we can flood social media with “NethServer keeps Meltdown and Spectre out”.


(Filippo Carletti) #3

CentOS has already released updated packages for 7 that mitigate the problems.
To apply the fix to NethServer 7, go to the Software center and install the kernel and microcode_ctl packages (with all the related firmware).


(Filippo Carletti) #4

Trivia: the author of the kernel fixes for Red Hat is Andrea Arcangeli. Those among you who were at the dinner after the first NethServer conference may remember we talked with him about kernel patching and regressions.


(Alessio Fattorini) #5

So we can say that thanks to Andrea: NethServer keeps Meltdown and Spectre out


(Filippo Carletti) #6

No: problems come from hardware design, you can’t fix hardware with software.
The updates mitigate the problems. Some workloads will suffer from reduced performance.
The impact is still being evaluated.


(Michael Kicks) #7

One of the most debated points is the impact that these workarounds will have on virtualization environments.
It’s almost the fourth “big crack” for hardware or software found during the last 6 months. Only WannaCry got a patch outside the release schedule.
I’m quite concerned.


#8

some more info on performance impacts:
https://access.redhat.com/articles/3307751

it’s nice, the first solution on the CERT page :grin: :sob:


(Bogdan Costin) #9

It’s not required to replace your current CPU by tomorrow… yet… (unless tomorrow will be 6 months from now and you still have not patched your systems)

Depending on the “weight” of the patch you can still manage with the current infra load. (you did over-provision your resources, I hope… :wink: )

Of course the replacement of the HW will be the solution in the long run (an alternative is not yet available).

In my opinion, this issue does not pose an immediate (read as today/tomorrow) risk since this vulnerability is not easily exploitable. And also keep in mind that there are other factors that keep the exploit in check. (Policies, certified/trusted software, AV etc.)

First, a malicious program will have to get over the usual barriers, and only then will it be able to deliver the payload to do the sweep on the memory pages… (except web content :wink: )

We will see PoCs and first attempts in the next days, but the patches will also arrive, so mostly it will be a game of “who is good at housekeeping” and maintenance.

The most impacted will probably be the hosts like ESX and Xen etc.
They will need to patch asap because you might not have control over what is run on your guest, if the guest is a public service.

And on the fun side, the mass media started reporting this in an incendiary way :slight_smile: With lots of headlines (90% related only to Intel :smiley: )


(Rob Bosch) #10

Some more background:
Meltdown vs Spectre: https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/

Linux kernel patches for Meltdown: https://lkml.org/lkml/2017/12/4/709 (patches for kernel 4.15 are available with backports for 4.14.10; that would be a problem for NS, right?)
Microsoft patch for W10: https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe
MacOS is patched from version 10.13.2 (according to The Register).

Interesting blogpost from Google’s ProjectZero: https://googleprojectzero.blogspot.be/

I am not that deeply involved in kernel updates, but if there will be an update for the latest kernel version, would it be a good/bad idea (and why) to add the elrepo repository to be able to update CentOS/NethServer to a patched kernel version? See https://www.tecmint.com/install-upgrade-kernel-version-in-centos-7/


(Marc) #11

Some benchmarks by Red Hat:


Phoronix has been running some other tests with Redis, Postgresql…

Related to this thread:


(Markus Neuberger) #12

I started patching my ESXis, if someone needs patched images:

https://www.markusneuberger.at/category/software/

Nothing needed, it’s already in upstream:


(Ralf Jeckel) #13

Today my NS6 received the kernel 2.6.32-696.18.7.el6, which is the patched one according to
http://www.linuxsecurity.com/content/view/206190?rdf
https://access.redhat.com/errata/RHSA-2018:0008

It’s not installed yet. I want to explore the so hotly discussed impact on the system.
I noted down the avg. load values for 2h, 8h, day, week and month, so I can compare them later.
Can someone give me some instructions on how to compare the impact directly?

TIA


(Rob Bosch) #14

BTW, remarkable news: https://arstechnica.com/information-technology/2018/01/intel-ceos-sale-of-stock-just-before-security-bug-reveal-raises-questions/
The rats leave the sinking ship first?


(Ralf Jeckel) #15

As you know, information is the gold of today.
Or say it with Goethe: A rogue who thinks bad upon it. (German: Ein Schelm, wer Böses dabei denkt.) :wink:


#16

well, it seems that NethServer on Raspberry Pi is not affected… :slight_smile:
(and I suppose also my home firewall on an Odroid-C2)

If anyone is interested, I suggest this great and amazingly clear article by Eben Upton


(Mark Verlinde) #17

Odroid-C2 has Cortex-A53 cores, and thus is not affected…:yum:


(Matthieu Gaillet) #18

Silly question: is it needed to restart the server to apply the patch?


(James Nesbitt) #19

Any kernel update requires the server to be restarted.


(Matthieu Gaillet) #20

Thanks. It may sound obvious, but I wish yum or whatever package manager mentioned it.
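For the install-then-reboot procedure in #3 and #19/#20, here is an added shell check (not code from the thread or from the NethServer project) that reports whether the patched kernel is actually the one running and what the kernel itself says about Meltdown/Spectre. The sysfs path and the sample status strings in the comments are assumptions about your kernel, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the NethServer thread: check whether an
# installed kernel update is actually running yet (the "reboot needed" point
# at the end of the thread) and read the kernel's own Meltdown/Spectre status.
# Assumes an RPM-based box (NethServer/CentOS) and a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities (mainline 4.15+ and later
# distribution backports; treat its presence on your kernel as an assumption).

# Turn an rpm package name into the release string that uname -r prints,
# e.g. kernel-2.6.32-696.18.7.el6.x86_64 -> 2.6.32-696.18.7.el6.x86_64
kernel_from_rpm() {
    printf '%s\n' "$1" | sed 's/^kernel-//'
}

# True (exit 0) when the running kernel differs from the newest installed one,
# i.e. yum installed the update but the old kernel is still in memory.
reboot_needed() {
    [ "$1" != "$2" ]
}

# Print "<issue>: <status>" for every file in the vulnerabilities directory;
# the exit status is the number of issues still reported as "Vulnerable"
# (sample statuses such as "Mitigation: PTI" are assumed, check your kernel).
mitigation_report() {
    dir="$1"; count=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s\n' "$(basename "$f")" "$status"
        case "$status" in Vulnerable*) count=$((count + 1)) ;; esac
    done
    return "$count"
}

# Stand-alone use on a real host: sh check-kernel.sh --check
if [ "${1:-}" = "--check" ]; then
    # rpm -q --last lists installed kernel packages, most recently installed first
    newest=$(kernel_from_rpm "$(rpm -q --last kernel | head -n 1 | awk '{print $1}')")
    if reboot_needed "$(uname -r)" "$newest"; then
        echo "kernel $newest is installed but $(uname -r) is running: reboot required"
    fi
    mitigation_report /sys/devices/system/cpu/vulnerabilities \
        || echo "$? issue(s) still reported as Vulnerable"
fi
```

On CentOS 7 with yum-utils installed, `needs-restarting -r` answers the same reboot question, which is roughly the message wished for in #20.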