Critical Intel CPU Bug – Meltdown and Spectre Vulnerabilities
CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. Earlier this week, a serious security problem, a CPU bug, was found in Intel, AMD and ARM CPUs. According to various teams including Google Project Zero, CPU data cache timing can be abused efficiently to leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. These vulnerabilities are known by the names 'Meltdown' and 'Spectre'.
You can read more about the attack at this link
There are 3 known variants of this CPU bug:
Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)
Spectre CPU Vulnerability (CVE-2017-5753/CVE-2017-5715) breaks the isolation between different applications. The two variants abuse speculative execution, either by bypassing a bounds check (CVE-2017-5753) or by branch target injection (CVE-2017-5715), which causes kernel code at an address under attacker control to execute speculatively. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of those best practices increase the attack surface and make applications more susceptible to Spectre.
Meltdown CPU Vulnerability (CVE-2017-5754) breaks the most fundamental isolation between user applications and the operating system. Variant CVE-2017-5754 relies on the fact that, on affected microprocessors, during speculative execution of an instruction that causes a permission fault, the exception triggered by the faulting access is suppressed until the retirement of the whole instruction block. Combined with the fact that memory accesses may populate the cache even when the block is dropped and never committed (retired), an unprivileged local attacker can use this flaw to read privileged (kernel-space) memory by conducting targeted cache side-channel attacks. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
List of Linux distros affected by the Meltdown vulnerability:
Red Hat Enterprise Linux 5 (including clones such as CentOS/Oracle/Scientific Linux 5)
Red Hat Enterprise Linux 6 (including clones such as CentOS/Oracle/Scientific Linux 6)
Red Hat Enterprise Linux 7 (including clones such as CentOS/Oracle/Scientific Linux 7)
Debian Linux wheezy
Debian Linux jessie
Debian Linux stretch
Debian Linux buster, sid
SUSE Linux Enterprise 11
SUSE Linux Enterprise 12
OpenSuse Linux based upon SUSE 12/11
Fedora Linux 26
Fedora Linux 27
Amazon Linux AMI (Bulletin ID: ALAS-2018-939)
List of Linux distros affected by the Spectre vulnerability:
Red Hat Enterprise Linux 5 (including clones such as CentOS/Oracle/Scientific Linux 5)
Red Hat Enterprise Linux 6 (including clones such as CentOS/Oracle/Scientific Linux 6)
Red Hat Enterprise Linux 7 (including clones such as CentOS/Oracle/Scientific Linux 7)
RHEV-M 4.0
RHEV-M for Servers
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
Red Hat Enterprise MRG 2
Red Hat OpenStack Platform v 8/9/10/11/12
Debian Linux wheezy
Debian Linux jessie
Debian Linux stretch
Debian Linux buster, sid
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE OpenStack Cloud 6
Openstack Cloud Magnum Orchestration 7
SUSE Container as a Service Platform ALL
SUSE Linux Enterprise High Availability 12 SP2/SP3
SUSE Linux Enterprise Live Patching 12
SUSE Linux Enterprise Module for Public Cloud 12
SUSE Linux Enterprise Server 11 SP3-LTSS
SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Software Development Kit 11/12 SP3/SP4
SUSE Linux Enterprise for SAP 12 SP1
SUSE Linux Enterprise 11
SUSE Linux Enterprise 12
OpenSuse Linux based upon SUSE 12/11
Fedora Linux 26
Fedora Linux 27
Amazon Linux AMI (Bulletin ID: ALAS-2018-939)
To fix the Meltdown and Spectre Vulnerabilities
Patch CentOS/RHEL/Fedora/Oracle/Scientific Linux servers
# sudo yum update
You must reboot your Linux server afterwards using the shutdown/reboot command:
# sudo reboot
Run the following dnf command if you are using Fedora Linux:
# sudo dnf --refresh update kernel
or
# sudo dnf update
Reboot the Linux box:
# sudo reboot
Patch Debian/Ubuntu Linux servers
# sudo apt-get update
# sudo apt-get upgrade
# sudo shutdown -r 0
Patch Amazon Linux running on AWS servers
# yum update kernel
# reboot
Patch Arch Linux servers
Just run the pacman command:
# pacman -Syu
# reboot
If you are running CloudLinux, you can patch using the method below (the kernel packages are pulled from the cloudlinux-updates-testing repository).
CloudLinux 7 (el7 kernel):
# yum clean all --enablerepo=cloudlinux-updates-testing && yum update linux-firmware microcode_ctl && yum install kernel-3.10.0-714.10.2.lve1.4.79.el7 --enablerepo=cloudlinux-updates-testing
CloudLinux 6 (el6 kernel):
# yum clean all --enablerepo=cloudlinux-updates-testing && yum update microcode_ctl && yum install kernel-2.6.32-896.16.1.lve1.4.48.el6 --enablerepo=cloudlinux-updates-testing
Verify that the installed kernel's changelog mentions all 3 CVEs:
# rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
We have patched almost all servers managed by us and informed customers about it, so that they are aware of this issue and can patch, as early as possible, any other servers that are not managed by us (self-managed).
Don't forget to reboot after patching, as KernelCare does not have the patch completed yet and will most likely release it only by Saturday/Sunday.
You can get CloudLinux news on the updates from this link
If the kernel package is not listed in the update, check your yum.conf for an exclude list and remove kernel from it if kernel has been added under excludes in yum.conf.
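As an added example (not part of the original post), the script below turns the two checks above, the changelog grep for the three CVEs and the yum.conf exclude list, into functions that can be run on constructed input, and also reads the mitigation state that patched kernels report under /sys/devices/system/cpu/vulnerabilities/. The sample changelog excerpt and the --live flag are my own constructions.

```sh
#!/bin/sh
# Added example, not from the original post: offline versions of the post's
# verification steps. Each function takes its input as an argument so it can
# run on constructed data; pass --live to query the host it runs on instead.
CVES="CVE-2017-5753 CVE-2017-5715 CVE-2017-5754"
# Constructed excerpt in the shape "rpm -q --changelog kernel" prints.
SAMPLE_CHANGELOG='* Thu Jan 04 2018 Example Packager <pkg@example.invalid>
- [x86] spectre: bounds check bypass mitigation (CVE-2017-5753)
- [x86] spectre: branch target injection mitigation (CVE-2017-5715)
- [x86] kpti: rogue data cache load mitigation (CVE-2017-5754)'

# Print, space separated, which of the three CVEs a changelog text mentions.
cves_in_changelog() {
    found=""
    for cve in $CVES; do
        printf '%s\n' "$1" | grep -q "$cve" && found="$found $cve"
    done
    printf '%s\n' "${found# }"
}
# Succeed only when all three CVEs appear in the changelog text.
changelog_covers_all() {
    set -- $(cves_in_changelog "$1")
    [ "$#" -eq 3 ]
}

# Succeed when a yum.conf text has an exclude= line that covers the kernel
# package (the case the post warns about when no kernel update is listed).
yum_conf_excludes_kernel() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*exclude[[:space:]]*=' |
        grep -Eq '(^|[=, [:space:]])kernel(\*|[, [:space:]]|$)'
}

# Patched kernels report per-issue state in files under
# /sys/devices/system/cpu/vulnerabilities/ ("Not affected", "Vulnerable",
# "Mitigation: ..."). Succeed unless the file says "Vulnerable"; a missing
# file (kernel too old to report) counts as not mitigated.
sysfs_mitigated() {
    state="$(cat "$1" 2>/dev/null)" || return 1
    case "$state" in Vulnerable*) return 1 ;; *) return 0 ;; esac
}

if [ "${1:-}" = "--live" ]; then
    command -v rpm >/dev/null 2>&1 && cves_in_changelog "$(rpm -q --changelog kernel)"
    for v in meltdown spectre_v1 spectre_v2; do
        f=/sys/devices/system/cpu/vulnerabilities/$v
        sysfs_mitigated "$f" && echo "$v: mitigated" || echo "$v: NOT mitigated"
    done
    [ -r /etc/yum.conf ] && yum_conf_excludes_kernel "$(cat /etc/yum.conf)" &&
        echo "WARNING: kernel is in the exclude list of /etc/yum.conf"
fi
```

Run it with --live on a patched host to see all three checks at once; without arguments it only defines the functions.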