danielson
Posts: 213
Joined: Sun Dec 27, 2015 10:33 am
Location: AR

What to do about Intel, AMD and ARM security flaws?

Thu Jan 04, 2018 6:13 pm

https://www.bleepingcomputer.com/news/s ... d-updates/

Surprised to have no thread yet here on this critical issue.

danielson
Posts: 213
Joined: Sun Dec 27, 2015 10:33 am
Location: AR

Re: What to do about Intel, AMD and ARM security flaws?

Thu Jan 04, 2018 7:42 pm

Copied from Adguard forum thread:

If you're using Windows 7/8.1/10, make sure you install the Windows Update for Meltdown mitigation via KPTI (which will cause a performance hit, depending on what Intel CPU you're using and the workload). If you're on macOS and you're running macOS High Sierra 10.13.2, it's already got KPTI integrated to mitigate Meltdown (with more to come in 10.13.3). If you're using a Linux distro, make sure you're using at least 4.14.11 or the latest 4.15-rc6 kernel since they both have KPTI. For example, Ubuntu hasn't pushed out a patched kernel yet, but Arch Linux and other rolling release distros have. KPTI integration is going to cause a performance hit for Intel CPUs across all OSes.

Spectre is the one that can be exploited via JavaScript in a web browser. If you're using Google Chrome, until Google Chrome v64 (which has mitigation measure(s) in place) is released on January 23rd, copy and paste chrome://flags/#enable-site-per-process into the address bar and ENABLE Site Isolation (and restart the browser). If you're using Firefox 57 or above, it already has mitigation measures. If you're using Edge/Internet Explorer, I believe Microsoft either already released patches for Edge/IE or will shortly.

P.S. AMD is only vulnerable to Spectre v1. AMD isn't vulnerable to Meltdown and likely isn't vulnerable to Spectre v2. Looks like AMD's Spectre v1 vulnerability can be mitigated in software.

ycrawler
Posts: 152
Joined: Thu Aug 10, 2017 8:23 pm

Re: What to do about Intel, AMD and ARM security flaws?

Thu Jan 04, 2018 8:44 pm

Would be good to hear from the Solus guys on this, but I expect a new kernel with the fix tomorrow, hopefully.

Ubuntu seems to be aiming for the 9th of January (or sooner if possible) according to this: https://insights.ubuntu.com/2018/01/04/ ... abilities/

kyrios
Posts: 2286
Joined: Thu Sep 22, 2016 4:20 pm

Re: What to do about Intel, AMD and ARM security flaws?

Thu Jan 04, 2018 9:28 pm

ycrawler wrote:
Thu Jan 04, 2018 8:44 pm
Would be good to hear from the Solus guys on this, but I expect a new kernel with the fix tomorrow, hopefully.

Just follow the activity on the bug tracker. Here is the commit you are looking for.

danielson
Posts: 213
Joined: Sun Dec 27, 2015 10:33 am
Location: AR

Re: What to do about Intel, AMD and ARM security flaws?

Sat Jan 06, 2018 4:19 am

Pardon my ignorance, but will this update (when ready) come via the regular software channel?

kyrios
Posts: 2286
Joined: Thu Sep 22, 2016 4:20 pm

Re: What to do about Intel, AMD and ARM security flaws?

Sat Jan 06, 2018 8:40 am

danielson wrote:
Sat Jan 06, 2018 4:19 am
Pardon my ignorance, but will this update (when ready) come via the regular software channel?

It's already available in the software center :)

danielson
Posts: 213
Joined: Sun Dec 27, 2015 10:33 am
Location: AR

Re: What to do about Intel, AMD and ARM security flaws?

Sat Jan 06, 2018 12:21 pm

Had checked updates just before posting and then, lo and behold, they came in just after posting!

So, we're good! :)

danielson
Posts: 213
Joined: Sun Dec 27, 2015 10:33 am
Location: AR

Re: What to do about Intel, AMD and ARM security flaws?

Thu Jan 11, 2018 2:09 pm

GHacks has a good tip https://www.ghacks.net/2018/01/11/check ... erability/ to check your computer for Meltdown or Spectre vulnerabilities. Here's the result for mine (even after latest Solus update):


Spectre and Meltdown mitigation detection tool v0.26

Checking for vulnerabilities against live running kernel Linux 4.14.12-44.current #1 SMP Sat Jan 6 01:12:08 UTC 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: UNKNOWN
> STATUS: UNKNOWN (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: UNKNOWN (couldn't read your kernel configuration)
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
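An added example (not part of the original post or of the tool itself): a small Python parser for the report format quoted above, which reduces each CVE section to its STATUS line and treats UNKNOWN as unresolved rather than as a pass. The sample is an excerpt of the output in the post; the function names are illustrative, and the input is assumed to be plain text without terminal color codes.

```python
import re

# Excerpt of the report quoted in the post above, embedded so the example runs offline.
SAMPLE_REPORT = """\
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: UNKNOWN
> STATUS: UNKNOWN (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Kernel support for IBRS: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d+)\s+\[([^\]]+)\]")
# "NOT VULNERABLE" must be tried before "VULNERABLE" so the verdict is not misread.
STATUS_RE = re.compile(r"^>\s*STATUS:\s*(NOT VULNERABLE|VULNERABLE|UNKNOWN)\b\s*(?:\((.*)\))?\s*$")


def parse_report(text):
    """Return {cve: {"name", "status", "reason", "checks"}} for each CVE section."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CVE_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = {"name": m.group(2), "status": None, "reason": "", "checks": {}}
            continue
        if current is None:
            continue  # banner lines before the first CVE section
        m = STATUS_RE.match(line)
        if m:
            results[current]["status"] = m.group(1)
            results[current]["reason"] = m.group(2) or ""
        elif line.startswith("* ") and ": " in line:
            key, value = line[2:].split(": ", 1)
            results[current]["checks"][key] = value
    return results


def needs_action(results):
    """CVEs without an explicit NOT VULNERABLE verdict; UNKNOWN or a missing status is not a pass."""
    return sorted(cve for cve, r in results.items() if r["status"] != "NOT VULNERABLE")
```

On the report in the post, `needs_action` lists both Spectre variants: Variant 2 because it is VULNERABLE, and Variant 1 because the check could not run without `readelf`.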

Lorien
Posts: 61
Joined: Wed May 03, 2017 2:05 am

Re: What to do about Intel, AMD and ARM security flaws?

Thu Jan 11, 2018 2:53 pm

Thought this article was good: http://www.zdnet.com/article/the-linux- ... RSSbaffb68

"Spectre is a different story. There are no Spectre patches available yet. That's because, as Kroah-Hartman explained, "Spectre issues were the last to be addressed by the kernel developers. All of us were working on the Meltdown issue, and we had no real information on exactly what the Spectre problem was at all, and what patches were floating around were in even worse shape than what have been publicly posted."

Regarding kernel 4.14.13 & 4.9.76 : http://news.softpedia.com/news/linux-ke ... 9321.shtml

"more such kernel updates will be available in the coming weeks and months, so you need to make sure you update your distributions as soon they are released."

And even if I were fully patched up by now, I still need new microcode from my motherboard vendor (which has not happened yet), to have the best possible mitigation as I understand it. I think a little patience is needed here.

danielson
Posts: 213
Joined: Sun Dec 27, 2015 10:33 am
Location: AR

Re: What to do about Intel, AMD and ARM security flaws?

Thu Jan 11, 2018 3:15 pm

"... a little patience is needed here" indeed!

Comments and articles I've read so far point to a very complex problem.