Safety instructions for Meltdown and Spectre

From Thomas-Krenn-Wiki

The vulnerabilities Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), which affect processors from multiple vendors, can give normal users and programs running in user space access to kernel memory.[1][2][3] This allows unprivileged users to read arbitrary data in main memory, including passwords, private keys, certificates and all other sensitive information. The vulnerabilities can be addressed in part by OS-specific kernel updates, but updates are not yet available for all operating systems. Firmware updates (microcode updates) are also required for affected systems.

We will update this article as soon as new information becomes available.

Security Vulnerabilities

In addition to the security researchers who discovered the vulnerabilities, Google,[4] Intel and AMD have also provided information that we summarize here.

There are three vulnerabilities in total:

  • Variant 1: bounds check bypass (CVE-2017-5753), (Spectre)
  • Variant 2: branch target injection (CVE-2017-5715), (Spectre)
  • Variant 3: rogue data cache load (CVE-2017-5754), (Meltdown)

The vulnerabilities allow programs that run with normal restricted rights in the so-called user space to access protected areas of the working memory (kernel memory).

FAQs

In the following FAQs we summarize the most important questions and answers about the three security vulnerabilities:

  1. Am I affected by these vulnerabilities?
    Yes, very likely. Nearly all servers and PCs with x86 processors from Intel or AMD are affected by the vulnerability. Most smartphones with ARM chips are also affected.
  2. How can the vulnerabilities be exploited by potential attackers?
    The vulnerabilities can only be exploited if a potential attacker is able to execute code on an affected system. However, visiting a website with malicious JavaScript code could already be sufficient to retrieve information from your PC, for example.
  3. Can I protect myself with security updates for my operating system?
    Partly yes. Updates for Windows, Linux, macOS and other operating systems can mitigate the vulnerabilities. For information about the availability of these updates, see below. In addition to these software updates, firmware/microcode/BIOS updates are also required.
  4. Can the problems be solved with firmware updates for the processors alone?
    Although it depends on the specific design of a processor whether and which of the three vulnerabilities can be exploited, no firmware (microcode) updates for processors are known to date that could close the vulnerabilities without the use of operating system patches.

Affected systems

At least processors from the following manufacturers are affected by these vulnerabilities:

| Vendor | Affected CPUs | Variant 1 (CVE-2017-5753) (Spectre) | Variant 2 (CVE-2017-5715) (Spectre) | Variant 3 (CVE-2017-5754) (Meltdown) | Vendor information |
|---|---|---|---|---|---|
| AMD | Ryzen and Epyc, others will follow. | Yes | Yes[5] | (not affected)[6] | [1] |
| ARM | Cortex Series | Depending on the CPU, see manufacturer's information for details. | (as left) | (as left) | [2] |
| Intel | CPUs with Out-Of-Order Execution (CPUs since 1995, except Itanium and Intel Atom before 2013) | Yes (see INTEL-OSS-10002) | Yes (see INTEL-SA-00088) | Yes (see INTEL-OSS-10003) | [3] |

Problem solving

The problem can be solved at least partially by completely isolating the kernel memory from user processes. This isolation can lead to performance losses.[7][8] Intel has published benchmark results for Meltdown/Spectre showing performance losses of up to 10 percent, and even higher losses for SSD systems.[9]

BIOS updates

To close the vulnerability, Intel CPUs require microcode updates in addition to operating system updates.[10] Since a CPU itself has no permanent memory, the microcode is stored on the mainboard together with the BIOS/UEFI firmware code.

Below you will find information about systems from Thomas-Krenn.[11][12][13]

Skylake

For the following Skylake-based systems we have tested BIOS updates with updated microcode. On January 17th (US time) Intel published information that some configurations could cause reboots with these updated microcodes.[14] We have not yet detected such reboots in our tested configurations with the updated microcode. In accordance with Intel's recommendation of 18.01.2018, we therefore continue to make these updates available.[15]

In its recommendation published on January 22 (US time), Intel advises against installing the microcode updates provided by the manufacturers. The distribution of these versions should be discontinued. Development of new microcode versions is under way.[16][17]

On February 20 (US time), Intel announced that a new microcode for Skylake, Kaby Lake and Coffee Lake based systems has been released to OEMs.[18] We will update the table as soon as BIOS updates are available with this new microcode.

The first updated BIOS versions have been available since 13.03.2018. The table is updated continuously.

| Motherboard | BIOS Version | Status | BIOS Update Download-Link |
|---|---|---|---|
| Supermicro X11DPi-N | 2.0b (2.0a withdrawn) | available | BIOS 2.0b |
| Supermicro X11DPi-NT | 2.0b (2.0a withdrawn) | available | BIOS 2.0b |
| Supermicro X11DPL-i | 2.0b | available | BIOS 2.0b |
| Supermicro X11SPL-F | 2.0b (2.0a withdrawn) | Test at Thomas-Krenn scheduled | |
| Supermicro X11SSH-F | 2.1a (2.1 withdrawn) | available | BIOS 2.1a |
| Supermicro X11SSH-LN4F | 2.1a (2.1 withdrawn) | available | BIOS 2.1a |
| Supermicro X11SSH-TF | 2.1a (2.1 withdrawn) | available | BIOS 2.1a |
| ASUS P10S-I | 4301 | available | BIOS 4301 |
| ASUS P10S-M | 4101 beta | Microcode and BIOS update withdrawn | Microcode check done, new BIOS version pending |
| ASUS H170M-Plus | 3604 | BIOS update has not been released | |
| ASUS H270M-Plus | 1002 | Microcode check in progress | |
| LES network+ | n/a | under investigation | |
| LES industrial | n/a | under investigation | |

(*) BIOS 2.0a is still available for the Supermicro X11SPL-F mainboard, as this BIOS version is used to close the INTEL-SA-00086 security vulnerability. In our tests we could not detect any reboots. If you have any questions about this board, please contact our support team.

Haswell / Broadwell

On January 11th, Navin Shenoy of Intel explained that the microcode updates for Haswell and Broadwell systems had led to more frequent reboots for some customers.[19] Subsequently, new microcodes were developed. The information provided here already refers to the updated microcode. Corresponding tests of the new BIOS versions are planned at Thomas-Krenn from 13.03.2018:

| Motherboard | BIOS Version | Status | BIOS Update Download-Link |
|---|---|---|---|
| Supermicro X10DRC-LN4+ | 3.0a | available | BIOS 3.0a |
| Supermicro X10DRG-Q | 3.0a | available | BIOS 3.0a |
| Supermicro X10DRi | 3.0a | available | BIOS 3.0a |
| Supermicro X10DRi-T | 3.0a | available | BIOS 3.0a |
| Supermicro X10DRL-i | 3.0a | available | BIOS 3.0a |
| Supermicro X10SLH-F | 3.1 | available | BIOS 3.1 |
| Supermicro X10SRA-F | 2.1 | in development | |
| Supermicro X10SRi-F | 3.0a | available | BIOS 3.0a |
| ASUS P9D-MV | n/a | under investigation | |
| ASUS P9D-I | n/a | under investigation | |
| ASUS Z10PP-D24 | n/a | under investigation | |
| ASUS Z10PR-D16 | n/a | under investigation | |
| ASUS H87M-PRO | n/a | under investigation | |
| ASUS H97M-E | n/a | under investigation | |
| ASUS X99-WS/IPMI | n/a | under investigation | |
| ASUS Z10PG-D16 | n/a | under investigation | |
| LES LI3Z | n/a | under investigation | |

Sandy Bridge / Ivy Bridge

BIOS updates for Sandy Bridge / Ivy Bridge Generation systems will be developed as soon as microcode updates are available:[11]

[...] We are awaiting microcode updates for our X9 and X8 Generation Systems from the vendor.
Once these updates are made available we will post those updates here. [...]

| Motherboard | BIOS Version | Status | BIOS Update Download-Link |
|---|---|---|---|
| Supermicro X9DBL-IF | n/a | development in preparation | |
| Supermicro X9DR7-LN4F | n/a | development in preparation | |
| Supermicro X9DRD-7LN4F-JBOD | n/a | development in preparation | |
| Supermicro X9DRG-QF | n/a | development in preparation | |
| Supermicro X9DRT-HF | n/a | development in preparation | |
| Supermicro X9DRW-3LN4F+ | n/a | development in preparation | |
| Supermicro X9DRi-F | n/a | development in preparation | |
| Supermicro X9SCA-F | n/a | development in preparation | |
| Supermicro X9SCD-F | n/a | development in preparation | |
| Supermicro X9SCM-F | n/a | development in preparation | |
| Supermicro X9SRL-F | n/a | development in preparation | |
| ASUS P8H77-M PRO | n/a | under investigation | |
| ASUS Z9PR-D12/4L | n/a | under investigation | |

Nehalem / Westmere

BIOS updates for Nehalem / Westmere Generation systems will be developed as soon as microcode updates are available:[11]

[...] We are awaiting microcode updates for our X9 and X8 Generation Systems from the vendor.
Once these updates are made available we will post those updates here. [...]

| Motherboard | BIOS Version | Status | BIOS Update Download-Link |
|---|---|---|---|
| Supermicro X8DAE | n/a | development in preparation | |
| Supermicro X8DT3-F | n/a | development in preparation | |
| Supermicro X8DT3-F (Nexenta) | n/a | development in preparation | |
| Supermicro X8DT3-LN4F | n/a | development in preparation | |
| Supermicro X8DTG-QF | n/a | development in preparation | |
| Supermicro X8DTL-3F | n/a | development in preparation | |
| Supermicro X8DTT-F | n/a | development in preparation | |
| Supermicro X8QBE-F | n/a | development in preparation | |
| Supermicro X8SIL-F | n/a | development in preparation | |
| Supermicro X8STE | n/a | development in preparation | |
| Supermicro X8STI | n/a | development in preparation | |
| Supermicro X8STi-F | n/a | development in preparation | |

Celeron N/J based Systems

| Mainboard | BIOS Version | Status | BIOS Update Download-Link |
|---|---|---|---|
| LES v2 (Celeron N2930) | n/a | under investigation | |
| LES v3 (Celeron N3160) | n/a | under investigation | |
| LES network (Celeron J1900) | n/a | under investigation | |

Atom-based Systems

| Motherboard | BIOS Version | Status | BIOS Update Download-Link |
|---|---|---|---|
| ASUS P9A-I/C2530/2L | n/a | under investigation | |
| ASUS P9A-I/C2550/4L | n/a | under investigation | |
| ASUS P9A-I/C2550/SAS/4L | n/a | under investigation | |
| ASUS P9A-I/C2750/4L | n/a | under investigation | |
| ASUS P9A-I/C2750/SAS/4L | n/a | under investigation | |

AMD-based Systems

For AMD-based systems the following update has been made available so far:[11]

| Mainboard | BIOS Version | Status | BIOS Update Download-Link |
|---|---|---|---|
| ASUS Prime B350M-A | n/a | under investigation | |
| Supermicro H11DSi-NT | 1.0c | available | BIOS 1.0c |
| Supermicro H8SCM-F | n/a | under investigation | |
| Supermicro H8DG6-F | n/a | under investigation | |
| Supermicro H8QGL-6F | n/a | under investigation | |

Other Hardware

Reactions from other hardware manufacturers to the topic of Meltdown and Spectre:

Security updates for operating systems

The following patch information is currently available:

| OS | Version | Security update |
|---|---|---|
| Debian GNU/Linux | | Fix for CVE-2017-5754 (Meltdown) for Wheezy, Jessie, Stretch and Sid available, more updates under way (see [4], [5], [6]) |
| FreeBSD | | Fix for CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre Variant 2) under way (see [7], [8] and [9]) |
| Linux vanilla Kernel | 4.14 | 4.14.11[20] (Solution for CVE-2017-5754 (Meltdown) through Kernel page-table isolation[21]) |
| | | 4.14.14[22] (Solution for CVE-2017-5715 (Spectre Variant 2), through retpoline) |
| | | 4.14.18[23] (Solution for CVE-2017-5753 (Spectre Variant 1), through Array index speculation blocker, and CVE-2017-5715 (Spectre Variant 2), via new processor flags IBRS, STIBP and IBPB) |
| | 4.15 | 4.15-rc6[24] (Solution for CVE-2017-5754 (Meltdown) through Kernel page-table isolation) |
| | | 4.15.2[25] (Solutions for CVE-2017-5753 (Spectre Variant 1), through Array index speculation blocker, and CVE-2017-5715 (Spectre Variant 2), via new processor flags IBRS, STIBP and IBPB) |
| Microsoft Windows | Windows Server 2008 R2, 2012 R2, 2016; Windows 10 | Updates available (see [10] and [11])[26][27] |
| | | Update disables protection against Spectre Variant 2[28] |
| Proxmox ([12]) | Proxmox VE 5.x | pve-kernel (4.13.13-34) |
| | Proxmox VE 4.x | pve-kernel (4.4.98-102) |
| Red Hat Enterprise Linux | RHEL 5, 6, 7 | Kernel updates available, libvirt/qemu-kvm/... under way (see [13]) |
| SUSE ([14]) | SLES 11, 12 | Kernel updates for SLES 12 SP1/SP2/SP3, SLES 12 GA and SLES 11 SP4 available |
| | | Kernel updates for SLES 11 SP3 partly available |
| | | (see [15], [16], [17]) |
| Ubuntu Linux | | Updates available (see [18] and [19]) |
| VMware | ESXi 5.5, 6.0, 6.5 | Updates available (VMSA-2018-0002, 2.1, 04, 04.1, 4.2) |
| Xen | (all versions) | Updates under way ([20], [21]) |
| Xenserver ([22]) | 7.0, 7.1 LTSR CU1, 7.2, 7.3 | Updates for CVE-2017-5715 available (Citrix XenServer Multiple Security Updates, 7.0, 7.1, 7.2, 7.3) |

(Table last updated on 09.02.2018 at 15:25h)
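
Whether the Linux kernel fixes listed in the table above (page-table isolation, retpoline, IBRS/STIBP/IBPB) and a microcode update are actually active can be checked on the running system. The following script is an added example and not part of the original article; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (older kernels show up as "unreported"), and its function names and the values written by write_sample are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): report the mitigation state
# per CVE from the Linux sysfs interface, plus the loaded microcode revision.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/;
# kernels without that directory are reported as "unreported".

# classify_status TEXT -> mitigated | vulnerable | not-affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# check_variant DIR NAME -> state of one entry (meltdown, spectre_v1, spectre_v2)
check_variant() {
    if [ -r "$1/$2" ]; then
        classify_status "$(head -n 1 "$1/$2")"
    else
        echo "unreported"
    fi
}

# microcode_revisions CPUINFO -> distinct revisions, space separated.
# More than one value means the logical CPUs do not all run the same microcode.
microcode_revisions() {
    sed -n 's/^microcode[^:]*: *//p' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# audit [DIR] [CPUINFO]: prints one line per CVE; returns 1 unless every
# variant is either mitigated or not affected.
audit() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    cpuinfo=${2:-/proc/cpuinfo}
    rc=0
    for entry in spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715 meltdown:CVE-2017-5754; do
        name=${entry%%:*}
        cve=${entry#*:}
        state=$(check_variant "$dir" "$name")
        printf '%-14s %-11s %s\n' "$cve" "$name" "$state"
        case "$state" in
            mitigated|not-affected) ;;
            *) rc=1 ;;
        esac
    done
    printf 'microcode: %s\n' "$(microcode_revisions "$cpuinfo")"
    return "$rc"
}

# write_sample ROOT: constructed fixture resembling a kernel with page-table
# isolation and retpoline but without a Spectre Variant 1 fix (made-up values).
write_sample() {
    mkdir -p "$1/vuln"
    echo 'Mitigation: PTI' > "$1/vuln/meltdown"
    echo 'Vulnerable' > "$1/vuln/spectre_v1"
    echo 'Mitigation: Full generic retpoline' > "$1/vuln/spectre_v2"
    printf 'processor\t: 0\nmicrocode\t: 0xc2\nprocessor\t: 1\nmicrocode\t: 0xc2\n' > "$1/cpuinfo"
}

# Usage: sh audit.sh --audit (live system) or sh audit.sh --sample (fixture)
case "${1:-}" in
    --audit)  audit ;;
    --sample) t=$(mktemp -d) && write_sample "$t" && audit "$t/vuln" "$t/cpuinfo"; rm -rf "$t" ;;
esac
```

A state of "mitigated" for spectre_v2 does not by itself show that the IBRS/IBPB microcode is loaded; compare the reported microcode revision before and after the BIOS update.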

References

  1. Meltdown and Spectre - Bugs in modern computers leak passwords and sensitive data (meltdownattack.com)
  2. Today's CPU vulnerability: what you need to know (security.googleblog.com, 03.01.2018)
  3. 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign (www.theregister.co.uk, 02.01.2018): [...] At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel's memory. Suffice to say, this is not great. The kernel's memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on. Imagine a piece of JavaScript running in a browser, or malicious software running on a shared public cloud server, able to sniff sensitive kernel-protected data. [...]
  4. Project Zero: Reading privileged memory with a side-channel (googleprojectzero.blogspot.com, 03.01.2018)
  5. AMD Processor Security (amd.com, 11.01.2018) AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week. We expect to make updates available for our previous generation products over the coming weeks.
  6. (PATCH) x86/cpu, x86/pti: Do not enable PTI on AMD processors (lkml.org, 26.12.2017): AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. [...]
  7. KAISER: hiding the kernel from user space (lwn.net, 15.11.2017): Since the beginning, Linux has mapped the kernel's memory into the address space of every running process. There are solid performance reasons for doing this, and the processor's memory-management unit can ordinarily be trusted to prevent user space from accessing that memory. More recently, though, some more subtle security issues related to this mapping have come to light, leading to the rapid development of a new patch set that ends this longstanding practice for the x86 architecture. [...] KAISER will affect performance for anything that does system calls or interrupts: everything. Just the new instructions (CR3 manipulation) add a few hundred cycles to a syscall or interrupt. Most workloads that we have run show single-digit regressions. 5% is a good round number for what is typical. The worst we have seen is a roughly 30% regression on a loopback networking test that did a ton of syscalls and context switches.
  8. Initial Benchmarks Of The Performance Impact Resulting From Linux's x86 Security Changes (www.phoronix.com, 02.01.2018)
  9. Intel-Benchmarks zu Meltdown/Spectre: Performance sackt um bis zu 10 Prozent ab, SSD-I/O deutlich mehr (heise.de, 11.01.2017)
  10. Facts about The New Security Research Findings and Intel Products (www.intel.com): We have begun providing software and firmware updates to mitigate these exploits. End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any updates as soon as they are available.
  11. Security Vulnerabilities Regarding Side Channel Speculative Execution and Indirect Branch Prediction Information Disclosure (www.supermicro.com)
  12. ASUS Motherboards Microcode Update for Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method (asus.com)
  13. ASUS Servers and Workstations Microcode Update for Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method (asus.com)
  14. Firmware Updates and Initial Performance Data for Data Center Systems (newsroom.intel.com, 17.01.2018) [...] As I noted in my blog post last week, while the firmware updates are effective at mitigating exposure to the security issues, customers have reported more frequent reboots on firmware updated systems. As part of this, we have determined that similar behavior occurs on other products in some configurations, including Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms. We have reproduced these issues internally and are making progress toward identifying the root cause. In parallel, we will be providing beta microcode to vendors for validation by next week. [...]
  15. Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method (security-center.intel.com, retrieved on 18.01.2018) Intel recommends that these partners maintain availability of existing microcode updates already released to end users. Intel does not recommend pulling back any updates already made available to end users.
  16. Microcode Revision Guidance January 22 2018 (newsroom.intel.com, 22.01.2018)
  17. Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners (newsroom.intel.com, 22.01.2018)
  18. Latest Intel Security News: Updated Firmware Available for 6th, 7th and 8th Generation Intel Core Processors, Intel Xeon Scalable Processors and More (newsroom.intel.com, 20.02.2018)
  19. Intel Security Issue Update: Addressing Reboot Issues (newsroom.intel.com, 11.01.2018)
  20. ChangeLog-4.14.11 (cdn.kernel.org) [...] x86/mm/pti: Add Kconfig [...] Finally allow CONFIG_PAGE_TABLE_ISOLATION to be enabled. [...]
  21. Kernel page-table isolation (en.wikipedia.org)
  22. ChangeLog-4.14.14 (cdn.kernel.org)
  23. ChangeLog-4.14.18 (cdn.kernel.org)
  24. Linux 4.15-rc6 (lwn.net)
  25. ChangeLog-4.15.2
  26. Gravierende Prozessor-Sicherheitslücke: Nicht nur Intel-CPUs betroffen, erste Details und Updates (heise.de, 04.01.2018) [...] In addition, Microsoft apparently intends to release a security update for Windows as early as today, Thursday. [...]
  27. Windows 17035 Kernel ASLR/VA Isolation In Practice (like Linux KAISER) (twitter.com)
  28. Update to Disable Mitigation against Spectre, Variant 2 (support.microsoft.com)

Further information

Changelog

  • Version 1.0, 03.01.2018: Initial version with first information based on the articles of heise.de and theregister.co.uk.
  • Version 2.0, 04.01.2018: Extensive updates have been carried out and initial information on operating system updates completed. References to official Intel statements supplemented, Update Notes for Microsoft Windows added, possibility of required firmware updates supplemented.
  • Version 2.1, 05.01.2018: Updated information on operating system updates, added information on Microcode Update.
  • Version 2.2, 08.01.2018: Updated information on operating system updates, list of affected motherboards announced for Microcode Update.
  • Version 3.0, 09.01.2018: Table with motherboards added, updated information on FreeBSD.
  • Version 3.1, 09.01.2018: Information about further hardware and Proxmox added.
  • Version 3.4, 10.01.2018: Information about updates for Ubuntu (fix for CVE-2017-5754 available), VMware and Debian updated.
  • Version 3.5, 11.01.2018: Information about updates for Xenserver updated.
  • Version 3.6, 11.01.2018: Information about performance benchmark results of Intel systems added.
  • Version 3.7, 11.01.2018: Information about AMD CPUs and updated information about BIOS Updates (X11DPi-N(T) available, LES Systems added, ASUS Server-Systems updated).
  • Version 3.8, 15.01.2018: Information about updates for Ubuntu updated (fix for Spectre for Ubuntu 17.10 artful-proposed available).
  • Version 3.9, 15.01.2018: Information about AMD-based Systems updated.
  • Version 3.10, 16.01.2018: Updated information about BIOS Updates (ASUS P10S-I available).
  • Version 3.11, 16.01.2018: Table for AMD-based Systems added.
  • Version 3.12, 16.01.2018: Information about BIOS Updates updated (ASUS H270M-Plus available).
  • Version 3.13, 17.01.2018: Updated information about BIOS Updates (ASUS P10S-M available).
  • Version 3.14, 18.01.2018: Information about BIOS Updates updated (Supermicro X11SSH-F, X11SSH-LN4F and X11SSH-TF available), updated operating system information. For ARM CPUs referred to manufacturer information, information on updates from Ubuntu updated, reaction of Open-E supplemented, information on Skylake BIOS updates supplemented.
  • Version 4.0, 23.01.2018: Do not install currently available BIOS updates according to the current recommendation of Intel, notes on BIOS downloads added, Microcode check is running.
  • Version 4.1, 23.01.2018: Extended information on the current Intel recommendation.
  • Version 4.2, 24.01.2018: Updated information about operating system updates.
  • Version 4.3, 25.01.2018: Updated information on the current Intel recommendation, BIOS updates withdrawn.
  • Version 4.4, 29.01.2018: Updated information about Windows, update disables protection against Spectre Variant 2.
  • Version 4.5, 09.02.2018: Updated information about Linux Vanilla Kernel, Protection against Spectre Variant 1 and 2 introduced or refined.
  • Version 4.6, 21.02.2018: Intel has released Microcode for Skylake / Kaby Lake / Coffee Lake to OEMs.
  • Version 5.0, 28.02.2018: Information about BIOS Updates for AMD EPYC systems updated (Supermicro H11DSi-NT available).
  • Version 5.1, 08.03.2018: Information about Supermicro X11SPL-F and H11DSi-NT updated.
  • Version 5.2, 08.03.2018: Hint for Supermicro X11SPL-F no longer valid.
  • Version 5.3, 13.03.2018: Information about BIOS updates with renewed microcode added, first BIOS at Thomas-Krenn in test.
  • Version 5.4, 14.03.2018: BIOS update information updated (X11DPi-N and X11DPi-NT available).
  • Version 5.5, 19.03.2018: BIOS update information updated (X10SRi-F, X10DRi, X10DRL-i and X11DPL-i available).
  • Version 5.6, 21.03.2018: BIOS update information updated (X10DRG-Q and X10DRi-T available).
  • Version 5.7, 10.04.2018: BIOS update information updated (P10S-I available).
  • Version 5.8, 12.04.2018: BIOS update information updated (X11S* Tests scheduled).
  • Version 5.9, 18.04.2018: BIOS update information updated (X11SSH-F, X11SSH-LN4F and X11SSH-TF available).
  • Version 5.10, 20.04.2018: BIOS update information updated (X10SLH-F available).
  • Version 5.11, 16.05.2018: BIOS update information updated (X10DRC-LN4+ available).



Author: Werner Fischer

Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.

