Security vulnerability: Microarchitectural Data Sampling (MDS) aka CVE-2018-12126, CVE-2018-12127,CVE-2018-12130, CVE-2019-11091
This document (7023736) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
Situation
- Microarchitectural Store Buffer Data Sampling (MSBDS) aka Fallout Attack - CVE-2018-12126
- Microarchitectural Fill Buffer Data Sampling (MFBDS) aka ZombieLoadAttack - CVE-2018-12130
- Microarchitectural Load Port Data Samling (MLPDS) aka RIDL - CVE-2018-12127
- Microarchitectural Data Sampling Uncacheable Memory (MDSUM) - CVE-2019-11091
Resolution
Microcode updates
- The Intel CPU instruction called "VERW" is enhanced by the new CPU Microcode such that it flushes all buffers and ports. The VERW instruction will be called during task switch or VM switch by the patched kernels and hypervisors.
- Disabling Hyper Threading to avoid cross CPU thread information leakage. (Note : This is recommended in high security scenarios).
Kernel updates
mds=offThe mitigation is fully disabled.mds=fullEnables the mitigation on vulnerable CPUs.(Note: This is the SUSE default if the option is not given.)mds=full,nosmtEnables the mitigations on vulnerable CPUs, and also disables HyperThreading.
Not affectedThe processor is not affected by these issues.Vulnerable
There is no mitigation enabled for this issue.Vulnerable: Clear CPU buffers attempted, no microcodeNo microcode is not present that the kernel can use.Mitigation: Clear CPU buffersThe microcode is present and used to clear CPU buffers.
SMT: vulnerableSMT is enabled and the CPU is affected by the Load Port and Fill Buffer issues.SMT: disabledSMT is disabled and so not affected by cross thread information leakage.SMT Host state unknownKernel runs in a VM, and the Host SMT state is unknownSMT: mitigatedThis will be displayed if the CPU is only affected by the Store Buffer issue (CVE-2018-12126), and the mitigation is enabled.
XEN updates
If the option is not present, the mitigation is enabled by default,depending if the CPU model is affectedspec-ctrl=mds=yesThe mitigation is force enabled.spec-ctrl=mds=no or spec-ctrl=no-mdsThe mitigation is force disabled.
smt=offThe mitigation is force disabled.
Cause
Additional Information
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7023736
- Creation Date: 21-Feb-2019
- Modified Date:03-Mar-2020
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com