Meltdown and spectre

Beware, apart of CentOS patches, some systems need a firmware update to mitigate the vulnerabilities, so remember to check if manufacturer has released patches… as @filippo_carletti pointed out.

some updates from centos:

#CentOS users need to look at: http://red.ht/2DHia30 @RedHatSoftware has removed the latest microcode.dat file from the latest RPMs. Users must get their own microcode from their hardware vendors. This is from Intel: http://intel.ly/2CJTVQr

from centos announce:
https://lists.centos.org/pipermail/centos-announce/2018-January/022709.html
https://lists.centos.org/pipermail/centos-announce/2018-January/022710.html
https://lists.centos.org/pipermail/centos-announce/2018-January/022711.html

and a nice howto:

3 Likes

Really interesting, thank you for sharing!

Do I understand correctly that RedHat is taking its hands off from vulnerable code and leaves it to the hardware vendors tos solve? Understandable from RedHat point of view, but it feels like sticking the neck in the sand and point to someone else…

I just ran the test on my OpenSuSE laptop (new install with latest updates):

linux-3r35:/tmp/spectre-meltdown-checker # sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux 4.4.104-39-default #1 SMP Thu Jan 4 08:11:03 UTC 2018 (7db1912) x86_64
CPU is Intel(R) Core™ i5-4200M CPU @ 2.50GHz

CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’

  • Checking count of LFENCE opcodes in kernel: YES

STATUS: NOT VULNERABLE (92 opcodes found, which is >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’

  • Mitigation 1
  • Hardware (CPU microcode) support for mitigation
  • The SPEC_CTRL MSR is available:  YES 
    
  • The SPEC_CTRL CPUID feature bit is set:  YES 
    
  • Kernel support for IBRS: NO
  • IBRS enabled for Kernel space: NO
  • IBRS enabled for User space: NO
  • Mitigation 2
  • Kernel compiled with retpoline option: NO
  • Kernel compiled with a retpoline-aware compiler: NO

STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’

  • Kernel supports Page Table Isolation (PTI): YES
  • PTI enabled and active: YES
  • Checking if we’re running under Xen PV (64 bits): NO
    STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

2 Likes

It’s a hardware problem to be solved by hardware vendors.
Redhat (and others) is mitigating the issue.

1 Like

I ran this scrip on my NS 6.9 with a Xeon E3 v2 proc. Kernel 2.6.32-696.18.7
Similar to @robb 's results.
Vulnerable to Spectre Variant 2, not vulnerable to V1 and V3.

I installed the patched kernel on 05.01.2018 and wrote down the load values for
day, week and month. And funny enough, the load is decreasing intead of increasing.

Before the patch they were
day 0,36/0,34/0,28
week 0,37/0,36/0,33
month 0,37/0,36/0,33

after 2 weeks they are

day 0,30/0,29/0,26
week 0,33/0,32/0,29
month 0,35/0,34/0,31

They decreased continously. I wrote them down on several days.
Not that high, but definitely not 30 to 50% higher, as reported.

This is not vulnerable to Meltdown and Spectre :rofl:

https://commons.wikimedia.org/wiki/File:Mechanical-calculator-Brunsviga-15-01.jpg

8 Likes

It hardly support speculative execution…

most of Nethserver installation are service- oriented and not computational oriented. IMO the lack of performance coming from these patches will be showed in ERP environment and in calculation environment.

4 Likes

skyfallattack.com

Skyfall and Solace are two speculative attacks based on the work highlighted by Meltdown and Spectre.

Full details are still under embargo and will be published soon when chip manufacturers and Operating System vendors have prepared patches.

Note: not yet clear if true or hoax.

Edit: confirmed hoax.

2 Likes

And Mr Torvalds “Enjoys a lot” Intel patches…

And the main-stream media likes to inflate, provide misinformation and are not prepared to do robust research.

1 Like

Mainstream media are for people, not for technicians. That’s not a news.
Currently people enjoy a more colorful discourse, not facts and implications. Again, not something new.
Mr Torvalds communication lacked several time of measure, politeness, respect for people or capacity to fit other shoes. Sometimes Torvalds seems to forget that a lot of money was put into Linux project by companies and projects who gain advantage from linux… Third which is not a news.

Therefore: i don’t know if Linus right or not, i can support him telling “good patches are needed”. But good patches costs money and must fulfill internal rules of companies. Google choose to make public it’s solution and i liked that, but i would also see a concurrent approach for mitigate security issue without killing CPU/system performances, just for avoid any kind of wrong way while blindly apply of the Google workaround proposal.

A performance issue brought by the security mitigation could help a lot revenues for the hardware branch of the market for next three years, and after at least a decade of lacking revenues many companies looks at this bug as a way for improve their status.
Also, software development, test and backport is made by people who sometimes receives money for their knowledge.

Therefore: who’s gonna make the cheapest way?

A good patch?
A lot of hardware change?
A better and more expensive patch?

When it will be clear to some boards of hardware management, the “right solution” will rise from specialistic and main-stream media. But i don’t know, at the moment, if it will be a good solution.

1 Like

Just wondering about the reactions of companies such as Red Hat, Novell and Canonical when releasing (or not releasing) similar patches and how their future “patch” releases (or lack of) will impact the overall open-source OS community?

I have some concerns about how these issues are going to not only affect the CPU, motherboard and “bare bone” computing market but also how these issues are going to impact the VM, VPS, hosting and other releated markets, as well the newer SBC markets (especially the releated Intel based SBC / IoT device markets).

Note: My main concerns are not with Meltdown or Spectre per-se but are with the issues surrounding Intel’s implementation of their Management Engine / Active Management Technology.

For further information about concerns surrounding Intel’s ME, I am providing the following URL to a recent FSF article:

https://www.fsf.org/blogs/sysadmin/the-management-engine-an-attack-on-computer-users-freedom

1 Like

Interesting topic but…

You’re sensationally OT :slight_smile: Intel and vulnerabilites are the glue between AMT and these two defective designes… :wink:

A question:

Unless the servers hostings VMs by “pigs and dogs”, how much impact have these vulnerabilities on servers closed under a under-stair closet, where the access to they are controlled and nobody but the admin can install software/applications?

@saitobenkei & @pike,
You both might be correct and maybe I was overly sensationalising the Intel issues but I was considering the surrounding problems with inaccurate reporting by various “news” outlets, poorly deployed / administrated infrastructure that is supported by some hosting providers and the perceptions that some CTO, CEOs and MIS / tech support departments would have gained from these reports.

As we have seen over the last month, there have been a number hoaxes and poorly reported / researched stories (which further reinforces @pike’s comment about
"Currently people enjoy a more colorful discourse, not facts and implications").

Also, over the last month I have had quite a few non-technical end-users and fairly adept MS Windows users acting like Chicken Licken (ie. suffering from “falling sky” syndrome) after reading some of these reports.

Also note that I wrote my previous comment last thing at night (whilst I was tired) and may not have communicated my thoughts as succinctly as I would have liked. :sleepy:

2 Likes

Good question. A not connected server is not useful, but the under-stair closet still have some connections with another tool. Which could be vulnerable or not, therefore some data will be received from this installation, sooner or later… Therefore, still sooner or later but “not patch it’s not an option”, for me.
Recently my “toyphone” Xiaomi received update for KRACK, i hope it will receive also Spectre and Meltdown patches, when they will available. I’m quite confident that it wont’ happen but… who knows? :wink:

@medworthy, you’re teasing me for Ot :smiley:
Don’t forget budget restrains and owners management on the scenarios. Sometimes a not good tech or a not good IT manager is far better for an upper level manager to manage and route to not good choices far more easier to understand or implement into infrastructure.

Dont’ forget the “so-called-groupware” named Exchange, which quietly sweeped into networks when Windows 2003 SBS was spreading around. Which also “gifted” client (Outlook) for using and poor IT mans were trying to install and make it work. After 5 years of yelling and blood spitting, with a not working server the poor IT man said “we have to upgrade” and the management/owner answer was “make it work at no cost”…

When Office 365 was announced it seems that Microsoft was telling to customers “Hey guys, just a joke, not enough money for server licence and CAL. Now you have to pay us every year, not only on upgrades”.
Believe me, i’m still laughing. But not for fun…

1 Like

WSH tells that Intel warned chinese hardware producers before U.S. Government


If confirmed, this could be an huge hook for current USA politics to raise duties and techs embargo.

I don’t like to remember “export cryptography” of IE4 times…

Linus Torvalds commented on Intel’s fix: Complete and Utter Garbage!

1 Like