Intel CPU flaw
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Intel CPU flaw
As some may have seen on the various tech websites, there is a vulnerability in most of the CPUs in use today. This is one of those "Unicorn" vulnerabilities that will require an update to our kernel.
(every operating system out there running on Intel CPUs and probably others like AMD).
That's right, every operating system (Windows, MacOS, Linux, Solaris, etc.) will need to be updated. This is a fundamental design flaw in what appears to be all CPUs in use in computers. Intel CPUs are confirmed to be affected, and while it is not clear if AMD CPUs have this design flaw, some security folks think they may as well; right now only Intel has confirmed this flaw. If you're not using Intel-based CPUs, this does not mean this does not affect you. It very likely does.
We're in testing with kernel updates now. The updates to all operating systems may incur a performance hit (Intel insists it's minor, but testing by the Linux kernel community has shown 13-30% performance hits for vanilla Linux kernels). This performance issue isn't unique to our kernels or anyone's for that matter. It's due to the fact that everyone has to fix this flaw in the CPU hardware in software, which means the CPU has to do more work to protect itself, from itself. And we're very sensitive to that for our customers, so before we release anything we want to make sure the kernel is performing optimally.
Unfortunately we can't share any other details than that at this point as the vulnerability details are still embargoed. At the moment there is no known active exploitation of this design flaw.
Michael Shinn
Atomicorp - Security For Everyone
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Intel CPU flaw
And here is Intel's response to this vulnerability and their assertion that this affects other CPU manufacturers.
https://newsroom.intel.com/news/intel-r ... -findings/
Michael Shinn
Atomicorp - Security For Everyone
Re: Intel CPU flaw
Looks like patches/details have started to come out (appears that Jan 9 was the initial coordinated release date) today for RHEL/CentOS stock kernels, etc.
Is there an ETA for the ASL kernel update now that details appear to have been released?
Thanks.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Intel CPU flaw
Tomorrow. The updates that are out there are incomplete, and because this leaked before the embargo date on the 9th some of the solutions have really bad performance problems (and some vendor products, like antivirus, are causing full kernel panics, including on Windows). So a lot is still in motion on the kernel side up and downstream. We do not want to release anything that would cause adverse impact to your systems.
At the moment, there are no active exploits against the Meltdown vulnerability (that's the more serious of the two that is relevant to servers). Spectre isn't actually new, it's just being addressed at the same time and isn't as relevant for server attack surfaces. It's more applicable to shared application attacks, like tab-to-tab attacks in browsers. So client side. Meltdown is also much harder to carry out remotely than Spectre, so despite the press this has gotten it's not as bad as it sounds; while it's worse, it's also hard to do. In the words of SANS earlier today, the sky is not falling.
It's better that the updates be done right, as the performance hit from KPTI isn't trivial, there are no known attacks at this time and the implementations out there are causing other more serious problems like outright crashing systems.
Michael Shinn
Atomicorp - Security For Everyone
Re: Intel CPU flaw
Great. Thanks for the analysis and perspective!
Re: Intel CPU flaw
mikeshinn wrote: Tomorrow.
That was posted a week ago. Any thoughts on when you might be releasing a patched kernel?
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Intel CPU flaw
The kernel was released this past weekend. It uses UDEREF and not the slow and buggy KPTI in the mainline kernel. So you won't experience performance impacts like the mainline kernel or kernel panics.
Michael Shinn
Atomicorp - Security For Everyone
Re: Intel CPU flaw
Mike:
Just to make sure I'm clear, what is said kernel patched against (meltdown only, meltdown and some spectre variants, etc.)?
Some of the vendor kernels needed microcode updates for their patches as well and not sure if that was related to the method used or if the ASL kernel would need as well.
Thanks!
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Intel CPU flaw
Both. If a microcode update was needed for that CPU it would also be updated.
Michael Shinn
Atomicorp - Security For Everyone
Re: Intel CPU flaw
Mike:
Could you please post a current status as to what mitigations were introduced in what kernels (so those who don't update their kernel with each release will know the minimum needed updates)?
TIA!
Re: Intel CPU flaw
Just in case it wasn't seen, a bump of:
__
Mike:
Could you please post a current status as to what mitigations were introduced in what kernels (so those who don't update their kernel with each release will know the minimum needed updates)?
TIA!
__
Thanks!
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Intel CPU flaw
All of the Meltdown and Spectre mitigations were available in the last 4.4.x release (we've since retired 4.4.x and moved to 4.14.x tree). That last version is 4.4.109. We do recommend upgrading to the 4.14.x kernel as it contains significant performance enhancements over the 4.4.x kernels. All of the 4.14.x kernels contain all mitigations (again the newer kernels will be faster, so we recommend upgrading).
Michael Shinn
Atomicorp - Security For Everyone
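A practical way to turn the "minimum needed updates" answer above into a check on a running host, as an added example that is not part of this thread or of Atomicorp's tooling. It encodes the versions stated in the post (4.4.109 on the 4.4 branch, any 4.14.x) and additionally reads the mitigation status the kernel itself reports under /sys/devices/system/cpu/vulnerabilities/, which mainline added in 4.15 and stable trees backported; it is an assumption that the ASL UDEREF-based kernel exposes those files, so a missing file is reported as "unknown" rather than "vulnerable", and the version rule applies only to the ASL kernel numbering discussed here, not to distro kernels with backported fixes.

```python
"""Check an ASL-style kernel release against the minimum versions quoted in the
thread and read the kernel's own Meltdown/Spectre status from sysfs."""
import os
import re
from typing import Dict, Tuple

# Branch -> minimum release containing all mitigations, per the post above.
MIN_PATCHED = {(4, 4): (4, 4, 109), (4, 14): (4, 14, 0)}
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"  # mainline 4.15+, backported to stable
CHECKED = ("meltdown", "spectre_v1", "spectre_v2")

def parse_release(release: str) -> Tuple[int, int, int]:
    """Turn a `uname -r` string such as '4.14.12-example.el7' into (4, 14, 12)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def version_is_patched(release: str) -> bool:
    """True if the release is on a known branch and at/after that branch's minimum."""
    ver = parse_release(release)
    minimum = MIN_PATCHED.get(ver[:2])
    if minimum is None:
        return False  # unknown branch (e.g. 4.9.x): do not assume it is patched
    return ver >= minimum

def classify_status(text: str) -> str:
    """Map one sysfs vulnerability file's text to mitigated / vulnerable / not_affected."""
    t = text.strip()
    if t.startswith("Not affected"):
        return "not_affected"
    if t.startswith("Mitigation:"):   # e.g. "Mitigation: PTI"
        return "mitigated"
    return "vulnerable"               # "Vulnerable" or "Vulnerable: <detail>"

def sysfs_status(vuln_dir: str = VULN_DIR) -> Dict[str, str]:
    """Read each checked file; 'unknown' when this kernel does not expose it."""
    result = {}
    for name in CHECKED:
        try:
            with open(os.path.join(vuln_dir, name)) as f:
                result[name] = classify_status(f.read())
        except OSError:
            result[name] = "unknown"
    return result

if __name__ == "__main__":
    rel = os.uname().release
    print(f"kernel {rel}: minimum ASL version met = {version_is_patched(rel)}")
    for name, status in sysfs_status().items():
        print(f"  {name:11s} {status}")
```

A "vulnerable" result for spectre_v2 on an otherwise current kernel is the case the thread's microcode question points at: the kernel side is present but the CPU firmware it relies on is not.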
Re: Intel CPU flaw
Thank you. Not sure if I'm reading you correctly but are you saying that 4.4.109 has all of the same mitigations as the 4.14.x releases?