ZombieLand / RIDL / Fallout (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091)

[BloodyIron]

Hey so ZombieLoad was announced today : https://www.zdnet.com/article/patch-status-for-the-new-mds-attacks-against-intel-cpus/

No, I'm talking about the new speculative CVEs, not the movie.

What's the response from Proxmox devs as to when we can see patches for this?

 

[ds(ds)]

ZombieLoad... Load!!!

 

[BloodyIron]

omfg and this is why editable titles should be a thing d'oh

 

[t.lamprecht]

What's the response from Proxmox devs as to when we can see patches for this?

We started yesterday evening (UTC+2) into backporting, sent those out for review today morning, and now switched over to the just now pushed ubuntu-kernel fixes, where we base our own kernel on, to profit both from using the exact same approach.

Packages are being under testing, and will be released to our public infrastructure soon.

NOTE: It's still required and recommended to get the intel-microdcode update from stretch-backports (3.20190514.1~deb9u1), which is too not yet released, but will be hopefully soon.
The kernel fixes are just best-effort ones without those updates. But also note that this attack is quite hard to execute, so there is no need to panic.

 

[t.lamprecht]

Kernels with currently available mitigations are available for PVE, and PMG in the public available test repo with pve-kernel-4.15.18-14-pve in version 4.15.18-39

 

[t.lamprecht]

After some further testing we uploaded the kernel to the pve-no-subscription and pmg-no-subscription repository.
Further, intel-microcode updates are now available via the intel-microcode Debian package, distributed through non-free security update.

If you do not get it ensure that you have a line with non-free similar to:

deb http://security.debian.org stretch/updates main contrib non-free

in /etc/apt/sources.list or a sources.list.d/ list file and run

apt update
apt full-upgrade

After rebooting you can check your vulnerability and mitigation state with

# cat /sys/devices/system/cpu/vulnerabilities/mds

See: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html#mds-system-information for possible values here.

 

[javii]

Hi, I updated the kernel, however I don't get the microcode update.

I have the following line in my sources.list:
deb http://security.debian.org stretch/updates main contrib

I tried to add 'non-free' to the end of the line, and issue apt-get full-upgrade but I don't get the new microcode package.

# cat /sys/devices/system/cpu/vulnerabilities/mds
Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable

 

[t.lamprecht]

I tried to add 'non-free' to the end of the line, and issue apt-get full-upgrade but I don't get the new microcode package.

also an "apt update" before hand?

 

[t.lamprecht]

Also, as this is non-free it's not installed by default, so you must have it installed it manually at least once:

apt install intel-microcode

 

[javii]

"apt install intel-microcode" solved the problem. Now:

# cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable

So, this would be the right the way to mitigate Zombieload?
Update kernel and add "non-free" to the debian security updates repo and install intel-microcode package?

Or are you planning adding intel-microcode package to pve repositories?

Thank you in advance. Regards

 

[t.lamprecht]

So, this would be the right the way to mitigate Zombieload?
Update kernel and add "non-free" to the debian security updates repo and install intel-microcode package?

Yes, exactly, as save as it currently gets. The "best-effort" mechanisms the kernel employs could be even enough, but we, nor anybody else without access to internal CPU design documents really can tell this for sure...

Or are you planning adding intel-microcode package to pve repositories?

no,
1. some do not use this way to get the microcode but employ bios/uefi/firmware updates from there Hardware vendor and
2. we're not to sure about shipping non-free binary blobs per default, I know this may not seem ideal for some as they need to make extra steps to ensure they run a secure(er) setup, but I hope you direct any resentment in the direction of the ones causing this issue in the first place and having such proprietary, intransparent, methods of updating such critical components afterwards - even if they knew about this issue for almost a year...

 

[javii]

Thank you Thomas, I understand your point.

 

[BloodyIron]

Thanks for the info! I'll have to go roll this out real soon.

 

[guletz]

So, this would be the right the way to mitigate Zombieload?

It is very simple, use a AMD cpu

 

[BloodyIron]

That presumes you are in the buying phase of kit.

It is very simple, use a AMD cpu

 

[oX9ke]

So i ran

apt install intel-microcode

and I also added

non-free

to

deb http://security.debian.org stretch/updates main contrib non-free

.

When I run

apt update

I get the following output:

Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://ftp.us.debian.org/debian stretch InRelease                         
Hit:3 http://ftp.us.debian.org/debian stretch-updates InRelease                 
Hit:4 http://ftp.us.debian.org/debian stretch Release
Ign:5 https://enterprise.proxmox.com/debian/pve stretch InRelease
Err:6 https://enterprise.proxmox.com/debian/pve stretch Release
  401  Unauthorized
Reading package lists... Done
E: The repository 'https://enterprise.proxmox.com/debian/pve stretch Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

And when I run

apt full-upgrade

I get the output:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

running

cat /sys/devices/system/cpu/vulnerabilities/mds

returns

cat: /sys/devices/system/cpu/vulnerabilities/mds: No such file or directory

Does that look correct?

 

[t.lamprecht]

Err:6 https://enterprise.proxmox.com/debian/pve stretch Release 401 Unauthorized Reading package lists... Done

You do not have a valid support subscription, or do not have it setup, so you cannot access the Enterprise Repository. Either buy and setup a Support Subscription, or setup a repo you can access, i.e., pve-no-subscription (see: https://pve.proxmox.com/wiki/Package_Repositories#_proxmox_ve_no_subscription_repository ) and try again.

Does that look correct?

No, as you have no valid repo you did not get any upgrade from Proxmox side, so you do not have the new kernel with the mitigations installed. To ensure that this kernel is installed run `pveversion -v`, it shows all installed kernels at the top, and in addition the current running one, there should be a pve-kernel-4.15.18-14-pve kernel in version 4.15.18-39 or later.

 

[javii]

After aplying new kernel in Proxmox and installing intel-microcode package from debian non-free repo, I get this on the host:
# cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable

However in a Centos 7 VM inside this host, with udpated kernel I get this:
# cat /sys/devices/system/cpu/vulnerabilities/mds
Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown

Is this ok?
Thank you in advance. Regards.

 

[guillaume34500]

Dear,

I got problem.

pveversion -v
proxmox-ve: 5.4-1 (running kernel: 4.15.18-14-pve)
pve-manager: 5.4-5 (running version: 5.4-5/c6fdb264)
pve-kernel-4.15: 5.4-2
pve-kernel-4.13: 5.2-2
pve-kernel-4.15.18-14-pve: 4.15.18-39
pve-kernel-4.15.18-11-pve: 4.15.18-34
pve-kernel-4.15.18-2-pve: 4.15.18-21
pve-kernel-4.13.16-4-pve: 4.13.16-51
pve-kernel-4.13.16-1-pve: 4.13.16-46
pve-kernel-4.13.13-6-pve: 4.13.13-42
pve-kernel-4.13.13-5-pve: 4.13.13-38
pve-kernel-4.13.13-4-pve: 4.13.13-35
pve-kernel-4.10.17-2-pve: 4.10.17-20
corosync: 2.4.4-pve1
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.1-9
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-51
libpve-guest-common-perl: 2.0-20
libpve-http-server-perl: 2.0-13
libpve-storage-perl: 5.0-42
libqb0: 1.0.3-1~bpo9
lvm2: 2.02.168-pve6
lxc-pve: 3.1.0-3
lxcfs: 3.0.3-pve1
novnc-pve: 1.0.0-3
proxmox-widget-toolkit: 1.0-26
pve-cluster: 5.0-37
pve-container: 2.0-37
pve-docs: 5.4-2
pve-edk2-firmware: 1.20190312-1
pve-firewall: 3.0-20
pve-firmware: 2.0-6
pve-ha-manager: 2.0-9
pve-i18n: 1.1-4
pve-libspice-server1: 0.14.1-2
pve-qemu-kvm: 3.0.1-2
pve-xtermjs: 3.12.0-1
qemu-server: 5.0-51
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.13-pve1~bpo2

dpkg -l | grep microcode
ii  intel-microcode                       3.20190514.1~deb9u1            amd64        Processor microcode firmware for Intel CPUs
ii  iucode-tool                           2.1.1-1                        amd64        Intel processor microcode tool

but always Vulnerable

cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
Mitigation: PTI
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

Do you have any idea ?

Best regards
Guillaume

 

[guillaume34500]

Found:
https://www.intel.com/content/dam/w...A00233-microcode-update-guidance_05132019.pdf

No patch for Westmere EP-...