Critical Intel CPU Bug – Meltdown and Spectre Vulnerabilities


CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. Earlier this week, a serious security problem, a CPU bug, was found in Intel/AMD/ARM CPUs. According to various teams including Google Project Zero, CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. These vulnerabilities are known by the names ‘Meltdown’ and ‘Spectre’.

You can read more about the attack from this link

There are 3 known variants for this CPU Bug:

Variant 1: bounds check bypass (CVE-2017-5753)

Variant 2: branch target injection (CVE-2017-5715)

Variant 3: rogue data cache load (CVE-2017-5754)

The Spectre CPU vulnerability (CVE-2017-5753/CVE-2017-5715) breaks the isolation between different applications. The two variants abuse speculative execution either to perform a bounds-check bypass (CVE-2017-5753) or, through branch target injection (CVE-2017-5715), to cause kernel code at an address under attacker control to execute speculatively. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of those best practices increase the attack surface and make applications more susceptible to Spectre.

The Meltdown CPU vulnerability (CVE-2017-5754) breaks the most fundamental isolation between user applications and the operating system. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

List of Linux distros affected by the Meltdown vulnerability

Red Hat Enterprise Linux 5 (including clones such as CentOS/Oracle/Scientific Linux 5)
Red Hat Enterprise Linux 6 (including clones such as CentOS/Oracle/Scientific Linux 6)
Red Hat Enterprise Linux 7 (including clones such as CentOS/Oracle/Scientific Linux 7)
Debian Linux wheezy
Debian Linux jessie
Debian Linux stretch
Debian Linux buster, sid
SUSE Linux Enterprise 11
SUSE Linux Enterprise 12
OpenSuse Linux based upon SUSE 12/11
Fedora Linux 26
Fedora Linux 27
Amazon Linux AMI (Bulletin ID: ALAS-2018-939)

List of Linux distros affected by the Spectre vulnerability

Red Hat Enterprise Linux 5 (including clones such as CentOS/Oracle/Scientific Linux 5)
Red Hat Enterprise Linux 6 (including clones such as CentOS/Oracle/Scientific Linux 6)
Red Hat Enterprise Linux 7 (including clones such as CentOS/Oracle/Scientific Linux 7)
RHEV-M 4.0
RHEV-M for Servers
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
Red Hat Enterprise MRG 2
Red Hat OpenStack Platform v 8/9/10/11/12
Debian Linux wheezy
Debian Linux jessie
Debian Linux stretch
Debian Linux buster, sid
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE OpenStack Cloud 6
Openstack Cloud Magnum Orchestration 7
SUSE Container as a Service Platform ALL
SUSE Linux Enterprise High Availability 12 SP2/SP3
SUSE Linux Enterprise Live Patching 12
SUSE Linux Enterprise Module for Public Cloud 12
SUSE Linux Enterprise Server 11 SP3-LTSS
SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Software Development Kit 11/12 SP3/SP4
SUSE Linux Enterprise for SAP 12 SP1
SUSE Linux Enterprise 11
SUSE Linux Enterprise 12
OpenSuse Linux based upon SUSE 12/11
Fedora Linux 26
Fedora Linux 27
Amazon Linux AMI (Bulletin ID: ALAS-2018-939)

To fix the Meltdown and Spectre Vulnerabilities

Patch CentOS/RHEL/Fedora/Oracle/Scientific Linux servers

# sudo yum update

You must reboot your Linux server using the shutdown or reboot command.

Run the following dnf command if you are using Fedora Linux:

# sudo dnf --refresh update kernel
OR
# sudo dnf update

Reboot the Linux box.

Patch Debian/Ubuntu Linux servers

# sudo apt-get update
# sudo apt-get dist-upgrade
# sudo shutdown -r 0

Patch Amazon Linux running on AWS servers

# yum update kernel
# reboot

Patch Arch Linux servers

Just run the pacman command:

# pacman -Syu
# reboot

If you are running CloudLinux, you can patch using the method below:

CL7:

# yum clean all --enablerepo=cloudlinux-updates-testing && yum update linux-firmware microcode_ctl && yum install kernel-3.10.0-714.10.2.lve1.4.79.el7 --enablerepo=cloudlinux-updates-testing

CL6:

# yum clean all --enablerepo=cloudlinux-updates-testing && yum update microcode_ctl && yum install kernel-2.6.32-896.16.1.lve1.4.48.el6 --enablerepo=cloudlinux-updates-testing

Verify all 3 CVEs:

# rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'

We have patched almost all servers managed by us and informed customers about the same, so that they are aware of this issue and can patch their other servers that are not managed by us (self-managed) as early as possible.

Don’t forget to reboot after patching, as KernelCare does not have a completed patch yet and will most likely release one only by Saturday/Sunday.

You can get updated CloudLinux news on the updates from this link

If the kernel package is not listed in the update, check the excludes list in your yum.conf and remove kernel from it if it is listed there.
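
As an added example (not part of the original post), the script below automates the three checks described above: the changelog lookup for all 3 CVEs, the reboot reminder, and the yum.conf excludes check. The function names and the sample changelog are constructed for illustration, and the live section assumes an RPM-based host.

```shell
#!/bin/sh
# Added example: post-patch checks for the three CVEs named on this page.
# Function names and SAMPLE are constructed for illustration.
CVES="CVE-2017-5715 CVE-2017-5753 CVE-2017-5754"

# Read a kernel changelog on stdin; print each CVE from $CVES that is absent.
missing_cves() {
    log=$(cat)
    for cve in $CVES; do
        printf '%s\n' "$log" | grep -q -- "$cve" || printf '%s\n' "$cve"
    done
}

# Succeed if the yum config file ($1) has an active exclude= line naming kernel.
kernel_excluded() {
    grep -Eiq '^[[:space:]]*exclude[[:space:]]*=.*kernel' "$1"
}

# Succeed if the running kernel ($1) is not the newest installed kernel ($2),
# i.e. the patched kernel is on disk but the reboot has not happened yet.
reboot_pending() {
    [ "$1" != "$2" ]
}

# Constructed changelog excerpt (not real rpm output); one CVE is missing.
SAMPLE='- [x86] spec_ctrl: add IBRS support (CVE-2017-5715)
- [x86] kaiser: add page table isolation (CVE-2017-5754)'
echo "sample changelog lacks: $(printf '%s\n' "$SAMPLE" | missing_cves)"

# Live checks on an RPM-based host; skipped where rpm or a kernel package is absent.
if command -v rpm >/dev/null 2>&1 && rpm -q kernel >/dev/null 2>&1; then
    newest=$(rpm -q --last kernel | head -n 1 | awk '{print $1}' | sed 's/^kernel-//')
    miss=$(rpm -q --changelog "kernel-$newest" | missing_cves)
    if [ -n "$miss" ]; then echo "newest kernel lacks fixes for:" $miss; fi
    if reboot_pending "$(uname -r)" "$newest"; then
        echo "reboot needed: running $(uname -r), newest installed $newest"
    fi
    if [ -f /etc/yum.conf ] && kernel_excluded /etc/yum.conf; then
        echo "/etc/yum.conf excludes kernel packages from updates"
    fi
fi
```

The changelog check runs against the newest installed kernel package rather than every installed kernel, so an old unpatched kernel left on disk does not hide a missing fix.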

 
