Blog

03/06/2019

Howto patch Spectre Vulnerability CVE-2017-5753/CVE-2017-5715 on Linux



A very serious security problem has been found in the Intel/AMD/ARM CPUs. Spectre CPU Vulnerability CVE-2017-5753/CVE-2017-5715 breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. How do I protect my Linux server and laptop/desktop against such attack?

A very serious security problem has been found and patched in the Linux kernel. It was announced on 3rd January 2018. It was independently discovered and reported by various teams including Google Project Zero. Spectre is harder to exploit than Meltdown CPU bug, but it is also harder to mitigate.

What is the Spectre security bug in Intel/AMD/ARM cpus?

From the Google blog:
So far, there are three known variants of the issue:

Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)

From RHEL page:

The first two variants abuse speculative execution to perform bounds-check bypass (CVE-2017-5753), or by utilizing branch target injection (CVE-2017-5715) to cause kernel code at an address under attacker control to execute speculatively. Collectively these are known as “Spectre”. Both variants rely upon the presence of a precisely-defined instruction sequence in the privileged code, as well as the fact that memory accesses may cause allocation into the microprocessor’s level 1 data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use these two flaws to read privileged memory by conducting targeted cache side-channel attacks. These variants could be used not only to cross syscall boundary (variant 1 and variant 2) but also guest/host boundary (variant 2).

A list of affected Linux distro by Spectre Vulnerabilitys

  1. Red Hat Enterprise Linux 5 (including clones such as CentOS/Oracle/Scientific Linux 5)
  2. Red Hat Enterprise Linux 6 (including clones such as CentOS/Oracle/Scientific Linux 6)
  3. Red Hat Enterprise Linux 7 (including clones such as CentOS/Oracle/Scientific Linux 7)
  4. RHEV-M 4.0
  5. RHEV-M for Servers
  6. Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
  7. Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
  8. Red Hat Enterprise MRG 2
  9. Red Hat OpenStack Platform v 8/9/10/11/12
  10. Debian Linux wheezy
  11. Debian Linux jessie
  12. Debian Linux stretch
  13. Deiban Linux buster, sid
  14. SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
  15. SUSE OpenStack Cloud 6
  16. Openstack Cloud Magnum Orchestration 7
  17. SUSE Container as a Service Platform ALL
  18. SUSE Linux Enterprise High Availability 12 SP2/SP3
  19. SUSE Linux Enterprise Live Patching 12
  20. SUSE Linux Enterprise Module for Public Cloud 12
  21. SUSE Linux Enterprise Server 11 SP3-LTSS
  22. SUSE Linux Enterprise Server 11 SP4
  23. SUSE Linux Enterprise Software Development Kit 11/12 SP3/SP4
  24. SUSE Linux Enterprise for SAP 12 SP1
  25. SUSE Linux Enterprise 11
  26. SUSE Linux Enterprise 12
  27. OpenSuse Linux based upon SUSE 12/11
  28. Fedora Linux 26
  29. Fedora Linux 27
  30. Amazon Linux AMI (Bulletin ID: ALAS-2018-939)

This page documents a current security event affecting many modern microprocessor designs. Information may change rapidly as the event progresses, and more info or commands added here soon. Please note that a patch for Debian/Ubuntu/CentOS/Fedora and many distros are not released yet. No patches are available for Spectre yet. The Linux kernel team is working on Retpoline. It will be released soon. When you run ‘apt-get upgrade’ or ‘yum update’ command make sure kernel package such as linux-image (Debian/Ubunt) kernel (RHEL) are updated. You also need microcode update from CPU vendor.

While the updates AWS/Google and other cloud performs protect underlying infrastructure, in order to be fully protected against these issues, you must also patch your instance operating systems including Linux distros, MS-Windows and desktop operating system such as macOS, Windows and more.

Before updating system…

First, always keep backups. Second, note down the Linux kernel version running the following command:
$ uname -r

Fix the Spectre on a CentOS/RHEL/Fedora/Oracle/Scientific Linux

Type the following yum command:
$ uname -r
3.10.0-693.11.1.el7.x86_64
$ sudo yum update

Sample outputs (from my RHEL 7.x box):

Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-693.11.6.el7 will be installed
---> Package kernel-tools.x86_64 0:3.10.0-693.11.1.el7 will be updated
---> Package kernel-tools.x86_64 0:3.10.0-693.11.6.el7 will be an update
---> Package kernel-tools-libs.x86_64 0:3.10.0-693.11.1.el7 will be updated
---> Package kernel-tools-libs.x86_64 0:3.10.0-693.11.6.el7 will be an update
--> Finished Dependency Resolution
 
Dependencies Resolved
 
=========================================================================================
 Package             Arch     Version               Repository                      Size
=========================================================================================
Installing:
 kernel              x86_64   3.10.0-693.11.6.el7   rhui-rhel-7-server-rhui-rpms    43 M
Updating:
 kernel-tools        x86_64   3.10.0-693.11.6.el7   rhui-rhel-7-server-rhui-rpms   5.1 M
 kernel-tools-libs   x86_64   3.10.0-693.11.6.el7   rhui-rhel-7-server-rhui-rpms   5.1 M
 
Transaction Summary
=========================================================================================
Install  1 Package
Upgrade  2 Packages
 
Total download size: 53 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): kernel-tools-3.10.0-693.11.6.el7.x86_64.rpm                | 5.1 MB  00:00:00     
(2/3): kernel-tools-libs-3.10.0-693.11.6.el7.x86_64.rpm           | 5.1 MB  00:00:00     
(3/3): kernel-3.10.0-693.11.6.el7.x86_64.rpm                      |  43 MB  00:00:00     
-----------------------------------------------------------------------------------------
Total                                                        65 MB/s |  53 MB  00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : kernel-tools-libs-3.10.0-693.11.6.el7.x86_64                          1/5 
  Updating   : kernel-tools-3.10.0-693.11.6.el7.x86_64                               2/5 
  Installing : kernel-3.10.0-693.11.6.el7.x86_64                                     3/5 
  Cleanup    : kernel-tools-3.10.0-693.11.1.el7.x86_64                               4/5 
  Cleanup    : kernel-tools-libs-3.10.0-693.11.1.el7.x86_64                          5/5 
  Verifying  : kernel-tools-libs-3.10.0-693.11.6.el7.x86_64                          1/5 
  Verifying  : kernel-tools-3.10.0-693.11.6.el7.x86_64                               2/5 
  Verifying  : kernel-3.10.0-693.11.6.el7.x86_64                                     3/5 
  Verifying  : kernel-tools-3.10.0-693.11.1.el7.x86_64                               4/5 
  Verifying  : kernel-tools-libs-3.10.0-693.11.1.el7.x86_64                          5/5 
 
Installed:
  kernel.x86_64 0:3.10.0-693.11.6.el7                                                    
 
Updated:
  kernel-tools.x86_64 0:3.10.0-693.11.6.el7                                              
  kernel-tools-libs.x86_64 0:3.10.0-693.11.6.el7                                         
 
Complete!

Resolving Dependencies –> Running transaction check —> Package kernel.x86_64 0:3.10.0-693.11.6.el7 will be installed —> Package kernel-tools.x86_64 0:3.10.0-693.11.1.el7 will be updated —> Package kernel-tools.x86_64 0:3.10.0-693.11.6.el7 will be an update —> Package kernel-tools-libs.x86_64 0:3.10.0-693.11.1.el7 will be updated —> Package kernel-tools-libs.x86_64 0:3.10.0-693.11.6.el7 will be an update –> Finished Dependency Resolution Dependencies Resolved ========================================================================================= Package Arch Version Repository Size ========================================================================================= Installing: kernel x86_64 3.10.0-693.11.6.el7 rhui-rhel-7-server-rhui-rpms 43 M Updating: kernel-tools x86_64 3.10.0-693.11.6.el7 rhui-rhel-7-server-rhui-rpms 5.1 M kernel-tools-libs x86_64 3.10.0-693.11.6.el7 rhui-rhel-7-server-rhui-rpms 5.1 M Transaction Summary ========================================================================================= Install 1 Package Upgrade 2 Packages Total download size: 53 M Is this ok [y/d/N]: y Downloading packages: Delta RPMs disabled because /usr/bin/applydeltarpm not installed. (1/3): kernel-tools-3.10.0-693.11.6.el7.x86_64.rpm | 5.1 MB 00:00:00 (2/3): kernel-tools-libs-3.10.0-693.11.6.el7.x86_64.rpm | 5.1 MB 00:00:00 (3/3): kernel-3.10.0-693.11.6.el7.x86_64.rpm | 43 MB 00:00:00 —————————————————————————————– Total 65 MB/s | 53 MB 00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Updating : kernel-tools-libs-3.10.0-693.11.6.el7.x86_64 1/5 Updating : kernel-tools-3.10.0-693.11.6.el7.x86_64 2/5 Installing : kernel-3.10.0-693.11.6.el7.x86_64 3/5 Cleanup : kernel-tools-3.10.0-693.11.1.el7.x86_64 4/5 Cleanup : kernel-tools-libs-3.10.0-693.11.1.el7.x86_64 5/5 Verifying : kernel-tools-libs-3.10.0-693.11.6.el7.x86_64 1/5 Verifying : kernel-tools-3.10.0-693.11.6.el7.x86_64 2/5 Verifying : kernel-3.10.0-693.11.6.el7.x86_64 3/5 Verifying : kernel-tools-3.10.0-693.11.1.el7.x86_64 4/5 Verifying : kernel-tools-libs-3.10.0-693.11.1.el7.x86_64 5/5 Installed: kernel.x86_64 0:3.10.0-693.11.6.el7 Updated: kernel-tools.x86_64 0:3.10.0-693.11.6.el7 kernel-tools-libs.x86_64 0:3.10.0-693.11.6.el7 Complete!

You must reboot your Linux server using shutdown/reboot command:
$ sudo reboot
$ uname -r
3.10.0-693.11.6.el7.x86_64

Verify all 3 CVEs (you must see output:
$ rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
Sample outputs:

- [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
....
...
- [x86] entry: Fix paranoid_exit() trampoline clobber (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Simplify trampoline stack restore code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
....
..
- [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] cpu/AMD: Make the LFENCE instruction serialized (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}

– [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715} – [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715} …. … – [x86] entry: Fix paranoid_exit() trampoline clobber (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754} – [x86] entry: Simplify trampoline stack restore code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754} …. .. – [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753} – [x86] cpu/AMD: Make the LFENCE instruction serialized (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}

Run the following dnf command if you are using a Fedora Linux:
$ sudo dnf --refresh update kernel
OR
sudo dnf update
Reboot the Linux box:
$ sudo reboot

Fix the Spectre on a Debian/Ubuntu Linux

Use the following apt-get command/apt command:
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo shutdown -r 0

Fix the Spectre on an Amazon Linux running on AWS

Just run yum command:
# yum update kernel
# reboot

Fix the Spectre on an Arch Linux

Just run pacman command:
# pacman -Syu
# reboot

Spectre & Meltdown Checker

After reboot make sure your Linux server/box patched and not vulnerable any more with spectre-meltdown-checker.sh.

How to apply microcode update supplied by Intel on Linux

See “How to install/update Intel microcode firmware on Linux” for more info.

See also

This entry is 2 of 6 in the Processor/CPU Speculative Execution Patching on Linux Tutorial series. Keep reading the rest of the series:
  1. How to patch Meltdown CPU Vulnerability CVE-2017-5754 on Linux
  2. How to patch Spectre Vulnerability CVE-2017-5753/CVE-2017-5715 on Linux
  3. How to check Linux for Spectre and Meltdown vulnerability
  4. How to install/update Intel microcode firmware on Linux
  5. How to patch Meltdown vulnerability on OpenBSD Unix
  6. How to patch Meltdown and Spectre vulnerabilities on FreeBSD

(adsbygoogle = window.adsbygoogle || []).push({});

Posted by: SXI ADMIN

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

14/08/2019

How to KVM, QEMU start or stop virtual machine from command line (CLI)

KVM or Kernel Based Virtual Machine is a popular virtualization technology. It allows you to run virtual guest machines over a host machine. To start...
14/08/2019

How to Docker backup Saving and restoring your volumes

Running a Docker volume backup First, we spin up a temporary container, and we mount the backup folder and the target Docker volume to this container....
12/08/2019

How to Start and Enable Firewalld on CentOS 7

In this article, we discuss how to start and enable firewalld. It is highly recommended that you have a firewall protecting your server.Pre-Flight CheckThese...