I updated my CentOS 7 system. Why is Meltdown/Spectre only partially mitigated?

Solution 1:

As noted in https://access.redhat.com/articles/3311301

CVE-2017-5715 (variant #2/Spectre) is an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system. This issue is corrected with microcode, along with kernel and virtualization updates to both guest and host virtualization software. This vulnerability requires both updated microcode and kernel patches. Variant #2 behavior is controlled by the ibrs and ibpb tunables (noibrs/ibrs_enabled and noibpb/ibpb_enabled), which work in conjunction with the microcode

...

As noted, installing the microcode update for your hardware, if provided by the hardware vendor, is necessary to protect against variant 2. Please contact your hardware vendor for microcode updates.

It seems that you also need a BIOS update to enable the mitigations for CVE-2017-5715.

I read this elsewhere too earlier but can't find the reference right now.

Solution 2:

UPDATE: it seems the microcode update released with OS updates are binary patches to the running microcode, rather than full-blown microcode replacement. In other words, they require a specific, base ucode version in the BIOS/processor to be able to patch it. For this reason, on all machines I had at hand a BIOS/firmware update is required, and this very BIOS update already bring the patched microcode embedded. For reference, DELL just released the required firmware update for 14/13/12th generation PowerEdge servers, and fix for 11th generation server will be released by the end of the month.

TL;DR: the microcode updates seem very rushed. I think we must wait some days/weeks to fully understand/discover which processors/steppings/models/SKU will receive the correct update.

Long version: of three updated systems, a single one (the older) correctly loaded the new microcode and enabled the relative mitigations:

  • on a Ryzen box the loading failed with a "patch mismatch" error;
  • on a Clarkdale (Core i5) laptop, no new microcode was loaded, yet the correct files are installed on /lib/firmware/
  • a very old PhenomII box correctly loaded the new microcode and enabled all appropriate mitigations.

Solution 3:

I've been using the Spectre Meltdown Checker script to get a quick accounting of my physical and virtual systems' status since I'm dealing with a lot of kernel and platform variants.

See: https://github.com/speed47/spectre-meltdown-checker

The output is showing that a BIOS update is needed on hypervisor hosts and bare-metal servers. This is a vendor issue for the systems I deal with. I wouldn't rely on the microcode patches from RHEL/CentOS.

enter image description here

Tags:

Security

Centos7

Rhel7

Vulnerabilities

Related

Meltdown & Spectre - Does patching the guest kernel of an unpatched hypervisor prevent cross-VM memory leaks? How do I stop my ssh tunnel when it is in the background? linux command found but not found when using sudo curl fails to retrieve HTTPS content: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure How to enable systemd on Amazon Linux AMI Windows 10 cannot access network shared locations or drives Why does AWS recommend against public S3 buckets? NetScaler Gateway for MAC is not connecting correctly: Protocoll shows "AGAS: Failed to initialise ssl vpn plugin" Up-to-date distros supporting 32-bit i586/non-PAE, specifically for ALIX boards (AMD Geode) What is the SHA256 that comes on the sshd entry in auth.log? how to get volume id attached to instance from AWS CLI how to trigger jenkins job via curl command remotely

Recent Posts