
Security Vulnerability: "Meltdown" and "Spectre" side channel attacks against modern CPUs.

This document (7022512) is provided subject to the disclaimer at the end of this document.

Environment

Based on research from various groups and individuals, Google's security team has identified a family of side channel attacks against modern CPUs that allow an attacker to read the contents of memory that is otherwise inaccessible to them.

To help mitigate this hardware implementation flaw at the software layer, SUSE as an operating system vendor is preparing mitigations for these side channel attacks in the Linux kernel.

For details on the vulnerabilities, please check: https://meltdownattack.com/

Situation

The following three variants have been identified:
  • CVE-2017-5753: variant 1 - bounds check bypass
Local attackers on systems with modern CPUs featuring deep instruction pipelining can use attacker-controllable speculative execution over code patterns in the Linux kernel to leak content from otherwise unreadable memory in the same address space, allowing the retrieval of passwords, cryptographic keys and other secrets.
This problem is mitigated by adding speculation barriers (fencing) on affected code paths throughout the Linux kernel. It needs to be addressed for all SUSE Linux Enterprise processor architectures: Intel and AMD x86_64, IBM Power, IBM Z and 64-bit ARM.
  • CVE-2017-5715: variant 2 - branch target injection
Local attackers on systems with modern CPUs featuring branch prediction can use mis-predicted indirect branches to speculatively execute code patterns that in turn leak otherwise unreadable content in the same address space, an attack similar to CVE-2017-5753.
This problem is mitigated by restricting indirect branch speculation. Depending on the CPU architecture this is done by firmware (microcode) updates and/or by kernel fixes at the user/kernel privilege boundary.
Mitigation is done with the help of Linux kernel fixes on the Intel/AMD x86_64 and IBM Z architectures. On x86_64 this also requires updates of the CPU microcode packages, which are delivered as separate updates.
SUSE has shipped microcode updates for Intel and AMD processors that supply control of the "indirect branch speculation" feature; please also check the respective CPU and hardware vendors' firmware / BIOS download pages for updates.
For IBM Power and IBM Z the required firmware updates are supplied by IBM over its regular channels.
This mitigation has a performance impact and will therefore be made configurable via the kernel command-line option "nospec" in later releases.
To disable this mitigation with the current updates, the ucode-intel or microcode_ctl packages can be downgraded to their previous releases or temporarily de-installed (a reboot is needed for the change to take effect).
For IBM Z the command-line option "nobp" can be used to disable this mitigation.
  • CVE-2017-5754: variant 3 - rogue data cache load
Local attackers on systems with modern CPUs featuring deep instruction pipelining can use code patterns in userspace to speculatively execute code that reads otherwise protected (kernel) memory, an attack similar to CVE-2017-5753.
This problem is mitigated by unmapping the Linux kernel from the user address space while user code executes, following the approach described in the "KAISER" paper.
The terms used here are "KAISER" / "Kernel Address Isolation" and "PTI" / "Page Table Isolation".
The update does this on the Intel x86_64 and IBM Power architectures. Updates are also necessary for the ARM architecture, but will be delivered in the second round of updates.
This feature can be enabled / disabled with the "pti=[on|off|auto]" or "nopti" command-line options. More details can be found in the "Additional Information" section.

Resolution

SUSE will be releasing kernel updates for all maintained SUSE products to mitigate these issues.

SUSE will also be releasing CPU microcode updates for AMD and Intel processors, in the microcode_ctl package on SUSE Linux Enterprise 11 and in the ucode-intel and kernel-firmware packages on SUSE Linux Enterprise 12.

As the fixes for CVE-2017-5715 also need adjustments in the QEMU virtualization host to pass the new CPUID flags and MSRs through from the host to the guest system, SUSE will also be providing QEMU / KVM updates.

Note that the XEN hypervisor also needs mitigations for the described problems; the XEN team is currently developing a fix. For further details please review TID#7022514.


Performance Impact

The performance impact of these patches depends heavily on the actual workload, and also on the CPU vendor and family. We recommend always validating the performance impact before deploying these updates to production systems.


SUSE has released the following updates:

SLES 12 SP3
  • kernel-default-4.4.103-94.6.1 (IBM Z Series ONLY) released Tuesday, 16th of January 2018
  • kernel-default-4.4.103-6.38.1 released Thursday, 4th of January 2018
  • kernel-firmware-20170530-21.16.1 released Thursday, 4th of January 2018
  • ucode-intel-20180108-13.11.1 released Thursday, 11th of January 2018
  • (**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
  • qemu-2.9.1-6.9.2 released Thursday, 4th of January 2018
SLES 12 SP2
  • kernel-default-4.4.103-92.59.1 (IBM Z Series ONLY) released Thursday, 11th of January 2018
  • kernel-default-4.4.103-92.56.1 released Thursday, 4th of January 2018
  • kernel-firmware-20170530-21.16.1 released Thursday, 4th of January 2018
  • ucode-intel-20180108-13.11.1 released Thursday, 11th of January 2018
  • (**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
SLES 12 SP1-LTSS
  • kernel-default-3.12.74-60.64.72.1 (IBM Z Series ONLY) released Tuesday, 16th of January 2018
  • kernel-default-3.12.74-60.64.69.1 released Friday, 5th of January 2018
  • ucode-intel-20180108-13.11.1 released Thursday, 11th of January 2018
  • (**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
  • qemu-2.3.1-33.6.1 released Tuesday, 9th of January 2018

[*SLE-12-SP1 ppc64le customers, please see  'note 2' below.]

SLES 12-LTSS
  • kernel-default-3.12.61-52.111.1 released Tuesday, 16th of January 2018
  • kernel-firmware-20140807git-5.3.1 released Tuesday, 9th of January 2018
  • ucode-intel-20180108-13.11.1 released Thursday, 11th of January 2018
  • (**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
SLES 11 SP4
  • kernel-default-3.0.101-108.21.1 released Thursday, 4th of January 2018
  • microcode_ctl-1.17-102.83.9.1 released Thursday, 11th of January 2018
  • (**obsoleted**) microcode_ctl-1.17-102.83.6.1 released Thursday, 4th of January 2018
SLES 11 SP3-LTSS
  • kernel-default-3.0.101-0.47.106.11.1 released Monday, 8th of January 2018
  • microcode_ctl-1.17-102.83.9.1 released Thursday, 11th of January 2018
  • (**obsoleted**) microcode_ctl-1.17-102.83.6.1 released Thursday, 4th of January 2018
SUSE CaaS Platform
  • kernel-firmware-20170530-21.16.1 released Thursday, 4th of January 2018
  • qemu-2.9.1-6.9.2 released Thursday, 4th of January 2018


Note 1: Observing multiple microcode_ctl and/or ucode-intel releases for the same SLE version:
As microcode updates for further CPU models continue to become available, each one will appear as a new microcode_ctl and/or ucode-intel release with its release date.

The microcode releases listed as (**obsoleted**) suffered quality issues and were retracted by the CPU vendor. They will therefore also be removed from the SUSE maintenance updates and from the SUSE patch finder.

Note 2: An LTSS channel for SLE-12-SP1 ppc64le does not exist.
The patches for Spectre and Meltdown are available in the SLES-12-SP1-SAP channel. This channel is supported until May 2018 (as per the SUSE Product Life Cycle page).

Important note: A valid SLES for SAP subscription is required to access this repository.

Cause

CVE-2017-5753  (Spectre - variant 1) 
CVE-2017-5715  (Spectre - variant 2)
CVE-2017-5754  (Meltdown - variant 3)

Additional Information

Products running on top of SUSE Linux Enterprise Server, such as SUSE OpenStack Cloud, SUSE Enterprise Storage and SUSE Manager, are not directly vulnerable. For these SUSE products, updating the host (running SUSE Linux Enterprise Server) with the updates detailed and listed here is sufficient.


Public Cloud:

SUSE has updated all (on-demand and BYOS) images that are actively maintained within the SUSE Public Cloud Image lifecycle guidelines. Image information can be retrieved with the "pint" tool.

All updated images have a timestamp of v20180104, i.e. January 4th 2018 or later.

For all running instances of SUSE images in public clouds, SUSE advises all customers to apply all available kernel updates.


PTI kernel parameter:

The default value on x86_64 is "auto": PTI is enabled on processors that are vulnerable or unknown, and disabled on those known to be unaffected (AMD).
On ARM the default value is "off" for the time being, as the "auto" detection has not been implemented yet. "nopti" is equivalent to "pti=off".
pti=auto
lets the kernel decide, which means PTI is turned on when running on Intel and turned off when running on AMD
pti=off
force-disables PTI, even on Intel
pti=on
force-enables PTI, even on AMD


Verifying if a system is protected:
After booting into the updated kernel, check the "flags" line of /proc/cpuinfo for the 'kaiser' or 'pti' flag and for the 'spec_ctrl' or 'ibpb' flag.

When the output includes:
  • the 'kaiser' or 'pti' flag, then v3 (Meltdown) protection is active.
  • the 'spec_ctrl' flag, then v2/v1 (Spectre) protection is active on Intel CPUs.
  • the 'ibpb' flag, then v2/v1 (Spectre) protection is active on AMD CPUs.
Additional detail:
- The 'kaiser' flag is used on SLE versions up to SLE 12; SLE 15 will use the 'pti' flag instead.
- The 'spec_ctrl' or 'ibpb' flag implies both v2 and v1 protection. If neither is present, v2 protection is not active; v1 protection may still be active, as it currently cannot be disabled in SLES: if the installed kernel contains the fix, it is on.
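The two checks described above (the PTI command-line setting and the /proc/cpuinfo flags) combined into one script, as an added example; it is not part of this TID or of any SUSE package. It assumes exactly the flag names (kaiser, pti, spec_ctrl, ibpb) and command-line options (pti=on|off|auto, nopti, nobp, nospec) documented on this page; the sample /proc/cpuinfo and command-line text embedded in the script is constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from SUSE TID 7022512): classify Meltdown/Spectre
# mitigation status from the /proc/cpuinfo "flags" line and the kernel
# command line, using only the names the TID documents:
#   kaiser / pti            -> v3 (Meltdown) protection active
#   spec_ctrl               -> v2/v1 (Spectre) protection active on Intel
#   ibpb                    -> v2/v1 (Spectre) protection active on AMD
#   pti=on|off|auto, nopti  -> PTI override; nobp (IBM Z) / nospec -> v2 override
# The SAMPLE_* text below is constructed, not captured from a host.

# Print the flags of the first CPU from /proc/cpuinfo text read on stdin.
cpuinfo_flags() {
    awk -F': *' '/^flags[[:space:]]*:/ { print $2; exit }'
}

# has_flag FLAGS NAME: succeed if NAME appears as a whole word in FLAGS.
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# meltdown_status FLAGS: 'pti' (SLE 15) or 'kaiser' (up to SLE 12) means v3 is mitigated.
meltdown_status() {
    if   has_flag "$1" pti;    then echo "protected (pti)"
    elif has_flag "$1" kaiser; then echo "protected (kaiser)"
    else echo "NOT protected"
    fi
}

# spectre_v2_status FLAGS: spec_ctrl (Intel) or ibpb (AMD) means v2 (and v1) is mitigated.
spectre_v2_status() {
    if   has_flag "$1" spec_ctrl; then echo "protected (spec_ctrl)"
    elif has_flag "$1" ibpb;      then echo "protected (ibpb)"
    else echo "NOT protected"
    fi
}

# pti_override CMDLINE: PTI setting requested on the kernel command line.
# The last matching option wins; "nopti" is the same as "pti=off".
pti_override() {
    _pti=auto
    for _word in $1; do
        case "$_word" in
            nopti|pti=off) _pti=off ;;
            pti=on)        _pti=on ;;
            pti=auto)      _pti=auto ;;
        esac
    done
    echo "$_pti"
}

# v2_override CMDLINE: "disabled by X" if nospec (x86_64, later releases) or nobp (IBM Z) is set.
v2_override() {
    for _word in $1; do
        case "$_word" in
            nospec|nobp) echo "disabled by $_word"; return 0 ;;
        esac
    done
    echo "enabled"
}

# report CPUINFO_TEXT CMDLINE_TEXT: human-readable summary of both inputs.
report() {
    _flags=$(printf '%s\n' "$1" | cpuinfo_flags)
    printf 'Meltdown (CVE-2017-5754, v3): %s\n' "$(meltdown_status "$_flags")"
    printf 'Spectre  (CVE-2017-5715, v2): %s\n' "$(spectre_v2_status "$_flags")"
    printf 'Spectre  (CVE-2017-5753, v1): active if the updated kernel is running (no runtime toggle)\n'
    printf 'PTI command-line setting:     %s\n' "$(pti_override "$2")"
    printf 'v2 command-line setting:      %s\n' "$(v2_override "$2")"
}

# Constructed samples: a SLE 12 Intel host after the update (kaiser + spec_ctrl) and one before it.
SAMPLE_PATCHED='processor       : 0
vendor_id       : GenuineIntel
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep kaiser spec_ctrl'
SAMPLE_UNPATCHED='processor       : 0
vendor_id       : GenuineIntel
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep'

# Run against the live system when possible, otherwise against the constructed sample.
if [ -r /proc/cpuinfo ]; then
    report "$(cat /proc/cpuinfo)" "$(cat /proc/cmdline 2>/dev/null)"
else
    report "$SAMPLE_PATCHED" "BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 quiet"
fi
```

The script reports what the running kernel exposes, so it only says something useful after rebooting into the updated kernel; no root privileges are needed to read /proc/cpuinfo and /proc/cmdline. To compare the installed package versions against the lists above, use rpm -q kernel-default ucode-intel kernel-firmware (or microcode_ctl on SLE 11).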

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7022512
  • Creation Date:03-JAN-18
  • Modified Date:18-JAN-18
    • SUSE Linux Enterprise Desktop
      SUSE Linux Enterprise Server
