Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Intel CPU flaw
Unread postPosted: Wed Jan 03, 2018 4:03 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4066
Location: Chantilly, VA
As some may have seen on the various tech websites, there is a vulnerability in most of the CPUs in use today. This is one of those "Unicorn" vulnerabilities that will require an update to our kernel.
(every operating system out there running on Intel CPUs and probably others like AMD).

That's right, every operating system (Windows, MacOS, Linux, Solaris, etc.) will need to be updated. This is a fundamental design flaw in what appears to be all CPUs in use in computers. Intel CPUs are confirmed to be affected, and while it is not clear if AMD CPUs have this design flaw, some security folks think they may as well; right now only Intel has confirmed this flaw. If you're not using Intel based CPUs, this does not mean this does not affect you. It very likely does.

We're in testing with kernel updates now. The updates to all operating systems may incur a performance hit (Intel insists it's minor, but testing by the Linux kernel community has shown 13-30% performance hits for vanilla Linux kernels). This performance issue isn't unique to our kernels or anyone's for that matter. It's due to the fact that everyone has to fix this flaw in the CPU hardware in software, which means the CPU has to do more work to protect itself, from itself. And we're very sensitive to that for our customers, so before we release anything we want to make sure the kernel is performing optimally.

Unfortunately we can't share any other details than that at this point as the vulnerability details are still embargoed. At the moment there is no known active exploitation of this design flaw.

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: Intel CPU flaw
Unread postPosted: Wed Jan 03, 2018 5:05 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4066
Location: Chantilly, VA
And here is Intel's response to this vulnerability and their assertion this affects other CPU manufacturers.

https://newsroom.intel.com/news/intel-r ... -findings/

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: Intel CPU flaw
Unread postPosted: Thu Jan 04, 2018 1:23 pm 
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 308
Looks like patches/details have started to come out (appears that Jan 9 was the initial coordinated release date) today for RHEL/CentOS stock kernels, etc.

Is there an ETA for the ASL kernel update now that details appear to have been released?

Thanks.


 Post subject: Re: Intel CPU flaw
Unread postPosted: Thu Jan 04, 2018 7:28 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4066
Location: Chantilly, VA
Tomorrow. The updates that are out there are incomplete, and because this leaked before the embargo date on the 9th some of the solutions have really bad performance problems (and some vendor products, like antivirus, are causing full kernel panics, including on Windows). So a lot is still in motion on the kernel side up and downstream. We do not want to release anything that would cause adverse impact to your systems.

At the moment, there are no active exploits against the Meltdown vulnerability (that's the more serious of the two that is relevant to servers). Spectre isn't actually new, it's just being addressed at the same time and isn't as relevant for server attack surfaces. It's more applicable to shared application attacks, like tab to tab attacks in browsers. So client side. Meltdown is also much harder to carry out remotely than Spectre, so despite the press this has gotten it's not as bad as it sounds; while it's worse it's also hard to do. In the words of SANS earlier today, the sky is not falling.

It's better that the updates be done right, as the performance hit from KPTI isn't trivial, there are no known attacks at this time and the implementations out there are causing other more serious problems like outright crashing systems.

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: Intel CPU flaw
Unread postPosted: Fri Jan 05, 2018 8:49 am 
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 308
Great. Thanks for the analysis and perspective!


 Post subject: Re: Intel CPU flaw
Unread postPosted: Thu Jan 11, 2018 6:15 am 
New Forum User

Joined: Thu Jan 11, 2018 6:09 am
Posts: 1
Location: Manchester, UK
mikeshinn wrote:
Tomorrow.


That was posted a week ago. Any thoughts on when you might be releasing a patched kernel?


 Post subject: Re: Intel CPU flaw
Unread postPosted: Thu Jan 11, 2018 5:46 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4066
Location: Chantilly, VA
The kernel was released this past weekend. It uses UDEREF and not the slow and buggy KPTI in the mainline kernel. So you won't experience performance impacts like the mainline kernel or kernel panics.

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: Intel CPU flaw
Unread postPosted: Fri Jan 12, 2018 12:50 pm 
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 308
Mike:

Just to make sure I'm clear, what is said kernel patched against (meltdown only, meltdown and some spectre variants, etc.)?

Some of the vendor kernels needed microcode updates for their patches as well and not sure if that was related to the method used or if the ASL kernel would need as well.

Thanks!


 Post subject: Re: Intel CPU flaw
Unread postPosted: Fri Jan 12, 2018 2:17 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4066
Location: Chantilly, VA
Both. If a microcode update was needed for that CPU it would also be updated.

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: Intel CPU flaw
Unread postPosted: Fri Mar 30, 2018 12:13 pm 
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 308
Mike:

Could you please post a current status as to what mitigations were introduced in what kernels (so those who don't update their kernel with each release will know the minimum needed updates)?

TIA!


 Post subject: Re: Intel CPU flaw
Unread postPosted: Thu Apr 12, 2018 12:27 pm 
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 308
Just in case it wasn't seen, a bump of:

__

Mike:

Could you please post a current status as to what mitigations were introduced in what kernels (so those who don't update their kernel with each release will know the minimum needed updates)?

TIA!

__

Thanks!


 Post subject: Re: Intel CPU flaw
Unread postPosted: Mon Apr 16, 2018 3:58 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4066
Location: Chantilly, VA
All of the Meltdown and Spectre mitigations were available in the last 4.4.x release (we've since retired 4.4.x and moved to the 4.14.x tree). That last version is 4.4.109. We do recommend upgrading to the 4.14.x kernel as it contains significant performance enhancements over the 4.4.x kernels. All of the 4.14.x kernels contain all mitigations (again the newer kernels will be faster, so we recommend upgrading).

_________________
Michael Shinn
Atomicorp - Security For Everyone
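
The version statement in the post above, turned into a host check; this is an added example, not part of the thread and not Atomicorp tooling. The function names and the release-string format are assumptions, and the `/sys/devices/system/cpu/vulnerabilities` directory is the mainline kernel's status report, which a given ASL kernel may or may not expose.

```shell
#!/bin/sh
# Added example (not Atomicorp code). Thresholds 4.4.109 and 4.14.x are taken
# from the post above; function names and release-string format are assumptions.

# classify_release RELEASE  ->  covered | older | not-stated
classify_release() {
    ver=${1%%-*}                       # drop a "-1.el7.x86_64" style suffix
    old_ifs=$IFS; IFS=.
    set -- $ver                        # split "4.4.109" into 4 4 109
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    case "$major$minor$patch" in *[!0-9]*) echo not-stated; return 0 ;; esac
    if [ "$major" -eq 4 ] && [ "$minor" -eq 14 ]; then
        echo covered                   # "all of the 4.14.x kernels"
    elif [ "$major" -eq 4 ] && [ "$minor" -eq 4 ]; then
        # 4.4.109 is the release the post names; earlier 4.4.x is unconfirmed
        if [ "$patch" -ge 109 ]; then echo covered; else echo older; fi
    else
        echo not-stated                # a tree the post says nothing about
    fi
}

# report_sysfs [DIR]  ->  prints "<issue>: <kernel's own status line>"
# Returns 1 if any entry reads "Vulnerable...", 2 if DIR does not exist.
report_sysfs() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$dir" ] || { echo "no vulnerabilities directory at $dir"; return 2; }
    _rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        read -r status < "$f" || true  # tolerate a missing trailing newline
        echo "${f##*/}: $status"
        case "$status" in Vulnerable*) _rc=1 ;; esac
    done
    return $_rc
}

# Live host: what the thread's statement and the kernel itself each say.
echo "release $(uname -r): $(classify_release "$(uname -r)")"
report_sysfs || true
```

A result of `older` or `not-stated` means only that the post does not vouch for that release, so the kernel's own report is the one to read in that case.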


 Post subject: Re: Intel CPU flaw
Unread postPosted: Tue Apr 17, 2018 5:54 pm 
Forum Regular

Joined: Sat Sep 25, 2010 2:46 pm
Posts: 308
Thank you. Not sure if I'm reading you correctly but are you saying that 4.4.109 has all of the same mitigations as the 4.14.x releases?

