ZombieLand / RIDL / Fallout (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091)

What's the response from Proxmox devs as to when we can see patches for this?

We started yesterday evening (UTC+2) into backporting, sent those out for review today morning, and now switched over to the just now pushed ubuntu-kernel fixes, where we base our own kernel on, to profit both from using the exact same approach.

Packages are being under testing, and will be released to our public infrastructure soon.

NOTE: It's still required and recommended to get the intel-microdcode update from stretch-backports (3.20190514.1~deb9u1), which is too not yet released, but will be hopefully soon.
The kernel fixes are just best-effort ones without those updates. But also note that this attack is quite hard to execute, so there is no need to panic.
 
  • Like
Reactions: BloodyIron
After some further testing we uploaded the kernel to the pve-no-subscription and pmg-no-subscription repository.
Further, intel-microcode updates are now available via the intel-microcode Debian package, distributed through non-free security update.

If you do not get it ensure that you have a line with non-free similar to:
Code:
deb http://security.debian.org stretch/updates main contrib non-free
in /etc/apt/sources.list or a sources.list.d/ list file and run
Code:
apt update
apt full-upgrade

After rebooting you can check your vulnerability and mitigation state with
Code:
# cat /sys/devices/system/cpu/vulnerabilities/mds

See: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html#mds-system-information for possible values here.
 
Hi, I updated the kernel, however I don't get the microcode update.

I have the following line in my sources.list:
deb http://security.debian.org stretch/updates main contrib

I tried to add 'non-free' to the end of the line, and issue apt-get full-upgrade but I don't get the new microcode package.

# cat /sys/devices/system/cpu/vulnerabilities/mds
Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
 
"apt install intel-microcode" solved the problem. Now:

# cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable

So, this would be the right the way to mitigate Zombieload?
Update kernel and add "non-free" to the debian security updates repo and install intel-microcode package?

Or are you planning adding intel-microcode package to pve repositories?

Thank you in advance. Regards
 
So, this would be the right the way to mitigate Zombieload?
Update kernel and add "non-free" to the debian security updates repo and install intel-microcode package?

Yes, exactly, as save as it currently gets. The "best-effort" mechanisms the kernel employs could be even enough, but we, nor anybody else without access to internal CPU design documents really can tell this for sure...

Or are you planning adding intel-microcode package to pve repositories?

no,
1. some do not use this way to get the microcode but employ bios/uefi/firmware updates from there Hardware vendor and
2. we're not to sure about shipping non-free binary blobs per default, I know this may not seem ideal for some as they need to make extra steps to ensure they run a secure(er) setup, but I hope you direct any resentment in the direction of the ones causing this issue in the first place and having such proprietary, intransparent, methods of updating such critical components afterwards - even if they knew about this issue for almost a year...
 
  • Like
Reactions: BloodyIron
So i ran
Code:
apt install intel-microcode
and I also added
Code:
non-free
to
Code:
deb http://security.debian.org stretch/updates main contrib non-free
.

When I run
Code:
apt update
I get the following output:

Code:
Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://ftp.us.debian.org/debian stretch InRelease                         
Hit:3 http://ftp.us.debian.org/debian stretch-updates InRelease                 
Hit:4 http://ftp.us.debian.org/debian stretch Release
Ign:5 https://enterprise.proxmox.com/debian/pve stretch InRelease
Err:6 https://enterprise.proxmox.com/debian/pve stretch Release
  401  Unauthorized
Reading package lists... Done
E: The repository 'https://enterprise.proxmox.com/debian/pve stretch Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

And when I run
Code:
apt full-upgrade
I get the output:

Code:
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

running
Code:
cat /sys/devices/system/cpu/vulnerabilities/mds
returns
Code:
cat: /sys/devices/system/cpu/vulnerabilities/mds: No such file or directory

Does that look correct?
 
Err:6 https://enterprise.proxmox.com/debian/pve stretch Release 401 Unauthorized Reading package lists... Done

You do not have a valid support subscription, or do not have it setup, so you cannot access the Enterprise Repository. Either buy and setup a Support Subscription, or setup a repo you can access, i.e., pve-no-subscription (see: https://pve.proxmox.com/wiki/Package_Repositories#_proxmox_ve_no_subscription_repository ) and try again.

Does that look correct?

No, as you have no valid repo you did not get any upgrade from Proxmox side, so you do not have the new kernel with the mitigations installed. To ensure that this kernel is installed run `pveversion -v`, it shows all installed kernels at the top, and in addition the current running one, there should be a pve-kernel-4.15.18-14-pve kernel in version 4.15.18-39 or later.
 
After aplying new kernel in Proxmox and installing intel-microcode package from debian non-free repo, I get this on the host:
# cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable

However in a Centos 7 VM inside this host, with udpated kernel I get this:
# cat /sys/devices/system/cpu/vulnerabilities/mds
Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown

Is this ok?
Thank you in advance. Regards.
 
Last edited:
Dear,

I got problem.

Code:
pveversion -v
proxmox-ve: 5.4-1 (running kernel: 4.15.18-14-pve)
pve-manager: 5.4-5 (running version: 5.4-5/c6fdb264)
pve-kernel-4.15: 5.4-2
pve-kernel-4.13: 5.2-2
pve-kernel-4.15.18-14-pve: 4.15.18-39
pve-kernel-4.15.18-11-pve: 4.15.18-34
pve-kernel-4.15.18-2-pve: 4.15.18-21
pve-kernel-4.13.16-4-pve: 4.13.16-51
pve-kernel-4.13.16-1-pve: 4.13.16-46
pve-kernel-4.13.13-6-pve: 4.13.13-42
pve-kernel-4.13.13-5-pve: 4.13.13-38
pve-kernel-4.13.13-4-pve: 4.13.13-35
pve-kernel-4.10.17-2-pve: 4.10.17-20
corosync: 2.4.4-pve1
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.1-9
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-51
libpve-guest-common-perl: 2.0-20
libpve-http-server-perl: 2.0-13
libpve-storage-perl: 5.0-42
libqb0: 1.0.3-1~bpo9
lvm2: 2.02.168-pve6
lxc-pve: 3.1.0-3
lxcfs: 3.0.3-pve1
novnc-pve: 1.0.0-3
proxmox-widget-toolkit: 1.0-26
pve-cluster: 5.0-37
pve-container: 2.0-37
pve-docs: 5.4-2
pve-edk2-firmware: 1.20190312-1
pve-firewall: 3.0-20
pve-firmware: 2.0-6
pve-ha-manager: 2.0-9
pve-i18n: 1.1-4
pve-libspice-server1: 0.14.1-2
pve-qemu-kvm: 3.0.1-2
pve-xtermjs: 3.12.0-1
qemu-server: 5.0-51
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.13-pve1~bpo2

Code:
dpkg -l | grep microcode
ii  intel-microcode                       3.20190514.1~deb9u1            amd64        Processor microcode firmware for Intel CPUs
ii  iucode-tool                           2.1.1-1                        amd64        Intel processor microcode tool

but always Vulnerable
Code:
cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
Mitigation: PTI
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

Do you have any idea ?

Best regards
Guillaume
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!