patch openSUSE-2019-1806 fails to mitigate CVE-2018-12126/CVE-2018-12130/CVE-2018-12127/CVE-2019-11091 ?

This security update

        https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00052.html

addresses

        Four new speculative execution information leak issues have been
        identified in Intel CPUs. (bsc#1111331)

        - CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
        - CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
        - CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
        - CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory
        (MDSUM)

        These updates contain the CPU Microcode adjustments for the software
        mitigations.

to be installed with

        zypper in -t patch openSUSE-2019-1806=1

here, running

        lsb_release -rd
                Description:    openSUSE Leap 15.1
                Release:        15.1

        uname -rm
                5.5.2-25.g994cf1f-default x86_64

        rpm -qa | egrep "ucode-intel|firmware-intel"
                ucode-intel-20191115-lp151.3.9.x86_64
                kernel-firmware-intel-20200122-36.2.noarch

on an old, but otherwise functional, laptop,

        cat /proc/cpuinfo | grep -i "model name"
                model name : Intel(R) Core(TM) i3 CPU M 370  @ 2.40GHz

with mitigations enabled with,

        cat /proc/cmdline
                BOOT_IMAGE=/vmlinuz-5.5.2-25.g994cf1f-default ... mitigations=auto,nosmt ...

and

        zypper in -t patch openSUSE-2019-1806=1
                Loading repository data...
                Reading installed packages...
                'patch:openSUSE-2019-1806 = 1' is already installed.
                Resolving package dependencies...

                Nothing to do.

a check with

        spectre-meltdown-checker.sh --version
                Spectre and Meltdown mitigation detection tool v0.43

returns

        ...
        CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
        * Mitigated according to the /sys interface:  NO  (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
        * Kernel supports using MD_CLEAR mitigation:  YES  (found md_clear implementation evidence in kernel image)
        * Kernel mitigation is enabled and active:  NO
        * SMT is either mitigated or disabled:  YES
        > STATUS:  VULNERABLE  (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)

        CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
        * Mitigated according to the /sys interface:  NO  (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
        * Kernel supports using MD_CLEAR mitigation:  YES  (found md_clear implementation evidence in kernel image)
        * Kernel mitigation is enabled and active:  NO
        * SMT is either mitigated or disabled:  YES
        > STATUS:  VULNERABLE  (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)

        CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
        * Mitigated according to the /sys interface:  NO  (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
        * Kernel supports using MD_CLEAR mitigation:  YES  (found md_clear implementation evidence in kernel image)
        * Kernel mitigation is enabled and active:  NO
        * SMT is either mitigated or disabled:  YES
        > STATUS:  VULNERABLE  (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)

        CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
        * Mitigated according to the /sys interface:  NO  (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
        * Kernel supports using MD_CLEAR mitigation:  YES  (found md_clear implementation evidence in kernel image)
        * Kernel mitigation is enabled and active:  NO
        * SMT is either mitigated or disabled:  YES
        > STATUS:  VULNERABLE  (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
        ...

and

        cat /sys/devices/system/cpu/vulnerabilities/mds
                Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled

what additional mitigation, &/or specific microcode update is required to complete the mitigations?

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Hi,

On Wed, Feb 12, 2020 at 08:29:53PM -0800, PGNet Dev wrote:
A newer processor. :/

Sadly, Intel does not provide updated microcode for older processors.

Ciao, Marcus
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

On 13/02/2020 08.30, Marcus Meissner wrote:
 > Hi,
 >
 > On Wed, Feb 12, 2020 at 08:29:53PM -0800, PGNet Dev wrote:
 >> This security update
 >>
 >>
https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00052.html
 >>
 >>
 >>
addresses

...

 >> on an old, but otherwise functional, laptop,
 >>
 >> cat /proc/cpuinfo | grep -i "model name" model name : Intel(R)
 >> Core(TM) i3 CPU M 370  @ 2.40GHz

...

 >> a check with
 >>
 >> spectre-meltdown-checker.sh --version Spectre and Meltdown
 >> mitigation detection tool v0.43
 >>
 >> returns

...

 >> and
 >>
 >> cat /sys/devices/system/cpu/vulnerabilities/mds Vulnerable: Clear
 >> CPU buffers attempted, no microcode; SMT disabled
 >>
 >> what additional mitigation, &/or specific microcode update is
 >> required to complete the mitigations?
 >
 > A newer processor. :/
 >
 > Sadly, Intel does not provide updated microcode for older
 > processors.

Doesn't the Linux kernel include other mitigations besides Intel
provided microcode?

If only new processors are covered by them, we are doomed. :-(

--
Cheers / Saludos,

                Carlos E. R.
                (from 15.1 x86_64 at Telcontar)

On Thu, Feb 13, 2020 at 11:41:16AM +0100, Carlos E. R. wrote:
Some of the processor mitigations can be done in software, like retpolines
or spectre v1 and v3 like fixes, or L1TF baremetal fixes.

Others need CPU Microcode help, and yes, these are then problematic.

The major ones like Meltdown, SPectre v1, v2 are covered by software only solutions,
the rest has a smaller impact.

If you are just using this as your home machine or laptop, no need to worry.


Realistic attack scenarios include multiuser servers, either with untrusted users or untrusted
VMs.

Ciao, Marcus
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

On 13/02/2020 11.54, Marcus Meissner wrote:
 > On Thu, Feb 13, 2020 at 11:41:16AM +0100, Carlos E. R. wrote:
 >> On 13/02/2020 08.30, Marcus Meissner wrote:
 >>> Hi,
 >>>
 >>> On Wed, Feb 12, 2020 at 08:29:53PM -0800, PGNet Dev wrote:
 >>>> This security update
 >>>>
 >>>>
 >>
https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00052.html
 >>>>
 >>>>
 >>>>
 >>
 >>
addresses
 >>
 >> ...
 >>
 >>>> on an old, but otherwise functional, laptop,
 >>>>
 >>>> cat /proc/cpuinfo | grep -i "model name" model name :
 >>>> Intel(R) Core(TM) i3 CPU M 370  @ 2.40GHz
 >>
 >> ...
 >>
 >>>> a check with
 >>>>
 >>>> spectre-meltdown-checker.sh --version Spectre and Meltdown
 >>>> mitigation detection tool v0.43
 >>>>
 >>>> returns
 >>
 >> ...
 >>
 >>>> and
 >>>>
 >>>> cat /sys/devices/system/cpu/vulnerabilities/mds Vulnerable:
 >>>> Clear CPU buffers attempted, no microcode; SMT disabled
 >>>>
 >>>> what additional mitigation, &/or specific microcode update is
 >>>> required to complete the mitigations?
 >>>
 >>> A newer processor. :/
 >>>
 >>> Sadly, Intel does not provide updated microcode for older
 >>> processors.
 >>
 >> Doesn't the Linux kernel include other mitigations besides Intel
 >> provided microcode?
 >>
 >> If only new processors are covered by them, we are doomed. :-(
 >
 > Some of the processor mitigations can be done in software, like
 > retpolines or spectre v1 and v3 like fixes, or L1TF baremetal
 > fixes.
 >
 > Others need CPU Microcode help, and yes, these are then
 > problematic.
 >
 > The major ones like Meltdown, SPectre v1, v2 are covered by
 > software only solutions, the rest has a smaller impact.
 >
 > If you are just using this as your home machine or laptop, no need
 > to worry.

Thanks.

Well, I'm replacing my main desktop machine (because of other
reasons), but the new CPU will be a AMD Ryzen, because of these
problems. Intel now scares me. And the mitigations make them slower.

But I have other machines I can not replace, and one of them is
reachable from Internet via ssh:

Intel(R) Pentium(R) CPU  N3710  @ 1.60GHz



 > Realistic attack scenarios include multiuser servers, either with
 > untrusted users or untrusted VMs.

No, nothing like that. Unless we consider Apache to be vulnerable, as
the users are unknown.

--
Cheers / Saludos,

                Carlos E. R.
                (from 15.1 x86_64 at Telcontar)

On 2/12/20 11:30 PM, Marcus Meissner wrote:
> A newer processor. :/
>
> Sadly, Intel does not provide updated microcode for older processors.

shame.


i'd _thought_ there were software-only mitigations for these.  time to re-read.

it's a perfectly functional, fully up-to-date (except for these mitigations) laptop, that STILL runs more reliably than off-the-shelf M$.

Intel's certainly selling a lot of Ryzens.  Think they get a $cut ?

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]