Security vulnerability: Microarchitectural Data Sampling (MDS) aka CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

This document (7023736) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11

Situation

Researchers have identified new CPU side channel information leak attacks against various micro-architectural buffers contained in Intel CPUs.

Four separate issues have been identified:
  • Microarchitectural Store Buffer Data Sampling (MSBDS) aka Fallout Attack - CVE-2018-12126
  • Microarchitectural Fill Buffer Data Sampling (MFBDS) aka ZombieLoad Attack - CVE-2018-12130
  • Microarchitectural Load Port Data Sampling (MLPDS) aka RIDL - CVE-2018-12127
  • Microarchitectural Data Sampling Uncacheable Memory (MDSUM) - CVE-2019-11091
These attacks allow local attackers who are able to execute code to access portions of recently written or loaded data, using speculative execution information leak methods such as Flush+Reload.
As the fill buffers and load ports are shared between the threads of the same CPU core, data can also be leaked across CPU threads, which, depending on your setup, can also mean across virtual machines.

Resolution

The issues identified above share the same mitigations: a combination of CPU microcode updates and kernel and VMM mitigations delivered via software updates.

Microcode updates

Install the latest microcode updates from Intel to enable the buffer / port flush feature.
These updates are provided by SUSE in the "ucode-intel" or "microcode_ctl" packages, and/or via a BIOS / firmware update from the hardware or system vendor.

The software mitigations for these attacks are the following:
  • The Intel CPU instruction "VERW" is enhanced by the new CPU microcode so that it flushes all affected buffers and ports. The patched kernels and hypervisors execute VERW on task switch and VM switch.
  • Disabling Hyper-Threading to avoid cross CPU thread information leakage. (Note: This is recommended in high security scenarios.)
The upstream community is working on scheduling methods that would avoid the need to disable Hyper-Threading; however, so far no working and well-performing solution exists.
When there is a need to disable Hyper-Threading, SUSE recommends disabling it in the system BIOS in order to avoid unnecessary kernel overhead.

SUSE is preparing and releasing updates for all currently maintained kernels, XEN hypervisor and KVM (embedded in the kernel).

Kernel updates

The Linux kernel mitigation can be controlled with a kernel boot command line parameter:

mds=off
The mitigation is fully disabled.

mds=full
Enables the mitigation on vulnerable CPUs.
(Note: This is the SUSE default if the option is not given.)

mds=full,nosmt
Enables the mitigation on vulnerable CPUs and also disables Hyper-Threading.

The “mds” option is also included in the new generic “mitigations=” kernel boot command line option, described in TID 7023836.

The state of the vulnerability and its mitigations can be found in /sys/devices/system/cpu/vulnerabilities/mds

The following values can appear there:

Not affected
The processor is not affected by these issues.

Vulnerable
There is no mitigation enabled for this issue.

Vulnerable: Clear CPU buffers attempted, no microcode
The kernel tried to enable the mitigation, but no microcode that the kernel can use is present.

Mitigation: Clear CPU buffers
The microcode is present and used to clear CPU buffers.

The value also has the SMT mitigation state appended to it, separated by ';':

SMT: vulnerable
SMT is enabled and the CPU is affected by the Load Port and Fill Buffer issues.

SMT: disabled
SMT is disabled and so not affected by cross thread information leakage.

SMT Host state unknown
The kernel runs in a VM and the SMT state of the host is unknown.

SMT: mitigated
This will be displayed if the CPU is only affected by the Store Buffer issue (CVE-2018-12126), and the mitigation is enabled.

A fully mitigated system will show output similar to "Mitigation: Clear CPU buffers; SMT: disabled".

XEN updates

On the XEN hypervisor the mitigation can be controlled by the "spec-ctrl" command line option, which takes boolean values:

spec-ctrl=mds=yes
The mitigation is force enabled.

spec-ctrl=mds=no or spec-ctrl=no-mds
The mitigation is force disabled.

If the option is not present, the mitigation is enabled by default on CPU models that are affected.
If there is a need to disable SMT in high security scenarios, the following can be used:

smt=off
Disables SMT (Hyper-Threading) on the hypervisor.
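The following shell script is an added example and not part of this TID or of SUSE's tooling. It interprets the status line from /sys/devices/system/cpu/vulnerabilities/mds according to the values listed above, extracts the mds= value from a kernel command line, and reads the MDS setting out of a Xen spec-ctrl= option. The sample status and command lines it checks are constructed from the values given in this document; the verdict names (ok, smt-exposed, needs-microcode, and so on) are the script's own.

```shell
#!/bin/sh
# Added example, not part of the SUSE TID: interpret the MDS status exposed in
# /sys/devices/system/cpu/vulnerabilities/mds and pull the mds= / spec-ctrl=
# settings out of a kernel or Xen command line. Sample strings are constructed
# from the values listed in the TID.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# Part of the status line before ';' (microcode / buffer-clearing state).
mds_mitigation_state() {
    printf '%s\n' "$1" | cut -d';' -f1 | sed 's/[[:space:]]*$//'
}

# Part of the status line after ';' (SMT state), or "none" if there is none.
mds_smt_state() {
    case "$1" in
        *\;*) printf '%s\n' "${1#*;}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' ;;
        *)    echo none ;;
    esac
}

# One-word verdict for a status line; exit status 0 only when nothing is left to do.
mds_verdict() {
    st=$1
    mit=$(mds_mitigation_state "$st")
    smt=$(mds_smt_state "$st")
    case "$mit" in
        "Not affected")                                          echo not-affected;    return 0 ;;
        "Mitigation: Clear CPU buffers")                         ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode") echo needs-microcode; return 1 ;;
        Vulnerable*)                                             echo unmitigated;     return 1 ;;
        *)                                                       echo unknown;         return 2 ;;
    esac
    # Buffers are cleared on task/VM switch; now check cross-thread exposure.
    case "$smt" in
        "SMT: vulnerable")        echo smt-exposed; return 1 ;;
        "SMT Host state unknown") echo smt-unknown; return 1 ;;
        *)                        echo ok;          return 0 ;;
    esac
}

# Value of a key=value option in a command line ($1) for key $2, e.g. "mds".
# Prints nothing if the key is absent; if it is repeated, the last value is reported.
boot_option() {
    val=
    for tok in $1; do
        case "$tok" in "$2"=*) val=${tok#*=} ;; esac
    done
    printf '%s\n' "$val"
}

# Effective Xen MDS setting from a Xen command line: yes, no or default.
# Understands spec-ctrl=mds=yes, spec-ctrl=mds=no and spec-ctrl=no-mds, also
# when they appear inside a comma-separated spec-ctrl list.
xen_mds_setting() {
    result=default
    for tok in $1; do
        case "$tok" in spec-ctrl=*) ;; *) continue ;; esac
        old_ifs=$IFS; IFS=,
        for sub in ${tok#spec-ctrl=}; do
            case "$sub" in
                mds=yes)       result=yes ;;
                mds=no|no-mds) result=no ;;
            esac
        done
        IFS=$old_ifs
    done
    printf '%s\n' "$result"
}

# Report on the running system, or on a constructed sample when run elsewhere.
if [ -r "$MDS_SYSFS" ]; then
    status=$(cat "$MDS_SYSFS")
else
    status='Mitigation: Clear CPU buffers; SMT: vulnerable'   # constructed sample
fi
echo "mds status : $status"
echo "verdict    : $(mds_verdict "$status")"
if [ -r /proc/cmdline ]; then
    echo "mds= option: $(boot_option "$(cat /proc/cmdline)" mds)"
fi
```

Run it on a host to get a one-word verdict; "smt-exposed" means the buffers are cleared on switches but Hyper-Threading is still on, which is the case the high security note above is about. The non-zero exit status of mds_verdict makes it usable from a compliance check.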

Cause

Additional Information

Note: Detailed vulnerability information is available on the researchers' website: https://cpu.fail/
Note: Detailed Xen command line documentation can be found in the Xen documentation file xen-command-line.pandoc.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7023736
  • Creation Date: 21-Feb-2019
  • Modified Date: 03-Mar-2020
    • SUSE Linux Enterprise Server
