Security nightmare for Intel CPU owners

$ wget

$ sudo sh --explain

12 CVEs checked. Green/OK = good, Red/KO = bad, bad, bad :face_with_thermometer:


My OM Lx 4 systems do great on this test - all green/OK. My Lx 3 systems do not - 8 green/OK and 4 red/KO. This is probably because some of the fixes don’t occur until Linux kernel version 5.1.2 or later. Also Lx 3 kernel-firmware seems out of date (20180903).

I have checked on OMLx 4; all the others are OK (green).
This one is red, and I also checked again after adding binutils.
Maybe missing headers?

CVE-2017-5715 aka ‘Spectre Variant 2, branch target injection’

  • Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
  • Mitigation 1
    • Kernel is compiled with IBRS support: YES
      • IBRS enabled and active: YES (for firmware code only)
    • Kernel is compiled with IBPB support: YES
      • IBPB enabled and active: YES
  • Mitigation 2
    • Kernel has branch predictor hardening (arm): NO
    • Kernel compiled with retpoline option: YES
      • Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
    • Kernel supports RSB filling: UNKNOWN (kernel image missing)

STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability)

How to fix: To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. You also need a recent-enough kernel that supports RSB filling if you plan to use retpoline. For Skylake+ CPUs, the IBRS + IBPB approach is generally preferred as it guarantees complete protection, and the performance impact is not as high as with older CPUs in comparison with retpoline. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches.

How to fix: Both your CPU and your kernel have IBRS support, but it is currently disabled. You may enable it. Check in your distro’s documentation on how to do this.

  • Kernel supports RSB filling: UNKNOWN (kernel image missing) <- ? :slight_smile:

Also, what does this return on your machine:

dmesg | grep -m1 microcode

I get this, and it should be sudo dmesg for security (in stable):

dmesg | grep -m1 microcode
[Sat Jun  1 20:05:39 2019] microcode: microcode updated early to revision 0xcc, date = 2019-04-01

Edit: I had to edit this multiple times to add things I forgot. My knowledge level is that of a user not a developer. It is possible I have made errors. However I will never knowingly post something I know is incorrect and I do verify with other sources before I post things like this.

For the 12 CVEs addressed in this script, the keys to fixing are having the latest microcode for your machine and the most recent Linux kernel and kernel-firmware packages.

As of today for OM Cooker/Lx4 the latest kernel version is 5.1.6. Most recent microcode package for Intel hw is microcode-intel-20190514a-1. Most recent kernel firmware is kernel-firmware-20190526-1 and kernel-firmware-extra-20190526-1.

There is a section earlier in the script than what you posted that tells you if you do/don’t have latest microcode. You can also do an Internet search to determine if 0xcc is the latest one for that hardware. Intel has plenty of documentation for things like that.

Based on the error:

Kernel supports RSB filling: UNKNOWN (kernel image missing)

You probably need to either update kernel version or reinstall your kernel package and/or update kernel-firmware packages.

One of the things @bubbawarthog mentions is in the very first section called “Hardware check”. This is specific to your CPU model and version so my results will be different from yours unless you have an i5-4590 CPU. Note the highlighted portion:

So the script gives you a YES or NO as to whether you have the latest microcode. Edit: And it tells you what that is for your hardware. In the case of this i5-4590 CPU that would be 0x27. But again, it will be different for different hardware.
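The two checks argued about in this thread, as an added example that is not part of the thread and not code from spectre-meltdown-checker: the script's own Spectre v2 rule ("IBRS+IBPB or retpoline+IBPB+RSB filling") applied to the string the kernel exposes in /sys/devices/system/cpu/vulnerabilities/spectre_v2, and pulling the microcode revision out of a dmesg line so it can be compared with the revision you expect for your CPU model. The sample inputs are the exact strings quoted above; the "expected" revision 0xcc is just the number from this thread, not a claim about which revision is current for any CPU. Note that the /sys string pasted above already lists retpoline, IBPB and RSB filling, so by the rule itself it classifies as OK; the script reported VULNERABLE only because it could not open the kernel image to verify RSB filling independently. Treating "IBRS_FW" (firmware-only IBRS) as not satisfying the IBRS half of the rule, and matching "Mitigation: IBRS"/"Enhanced IBRS" as the full IBRS mitigation, are assumptions made here.

```shell
#!/bin/sh
# Added example for this thread; not part of spectre-meltdown-checker.
# Reproduces the Spectre v2 rule quoted above on the kernel's /sys string,
# and extracts/compares the microcode revision from a dmesg line.

# Apply the rule "IBRS+IBPB or retpoline+IBPB+RSB filling" to one
# spectre_v2 sysfs line. Prints OK, KO or UNKNOWN.
# Assumption: "IBRS_FW" alone (firmware-only IBRS) does not count as IBRS,
# matching the script output above where IBRS_FW still gave VULNERABLE.
classify_spectre_v2() {
    line=$1
    case "$line" in
        "Not affected"*) echo OK; return 0 ;;
        Vulnerable*)     echo KO; return 0 ;;
        "Mitigation: "*) ;;
        *)               echo UNKNOWN; return 0 ;;
    esac
    ibpb=0; retpoline=0; ibrs=0; rsb=0
    case "$line" in *IBPB*)              ibpb=1 ;;      esac
    case "$line" in *[Rr]etpoline*)      retpoline=1 ;; esac
    case "$line" in *"RSB filling"*)     rsb=1 ;;       esac
    # Assumption: these two spellings denote full (non-firmware-only) IBRS.
    case "$line" in "Mitigation: IBRS"*|*"Enhanced IBRS"*) ibrs=1 ;; esac
    if [ "$ibrs" -eq 1 ] && [ "$ibpb" -eq 1 ]; then
        echo OK
    elif [ "$retpoline" -eq 1 ] && [ "$ibpb" -eq 1 ] && [ "$rsb" -eq 1 ]; then
        echo OK
    else
        echo KO
    fi
}

# Extract the microcode revision (e.g. 0xcc) from a dmesg line like the one
# quoted above. Prints nothing if the line does not match.
microcode_revision() {
    printf '%s\n' "$1" |
        sed -n 's/.*microcode updated early to revision \(0x[0-9a-fA-F]*\).*/\1/p'
}

# Compare the running revision ($1) with the revision you expect for your
# CPU model ($2); the expected value must come from the script's "Hardware
# check" section or Intel's documentation, not from this example.
# Prints current, outdated or newer-than-expected.
microcode_status() {
    have=$(( $1 )); want=$(( $2 ))
    if [ "$have" -eq "$want" ]; then
        echo current
    elif [ "$have" -lt "$want" ]; then
        echo outdated
    else
        echo newer-than-expected
    fi
}

# Demo: read the live sysfs file when present, otherwise use the constructed
# sample (the string pasted earlier in this thread).
SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2
if [ -r "$SYSFS" ]; then
    v2=$(cat "$SYSFS")
else
    v2="Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling"
fi
printf 'spectre_v2: %s -> %s\n' "$v2" "$(classify_spectre_v2 "$v2")"

# Constructed dmesg line copied from the thread; 0xcc as "expected" is only
# the number from this thread, used to show the comparison.
sample='[Sat Jun  1 20:05:39 2019] microcode: microcode updated early to revision 0xcc, date = 2019-04-01'
rev=$(microcode_revision "$sample")
printf 'microcode revision: %s -> %s\n' "$rev" "$(microcode_status "$rev" 0xcc)"
```

On a real system you would feed it `sudo dmesg | grep -m1 microcode` (or `grep -m1 microcode /proc/cpuinfo`, which reports the same revision field) and the expected revision for your exact model; the /sys string is the kernel's own statement of what is active, while the script's per-feature lines are its attempt to verify that statement from the kernel image and CPU flags, which is why the two can disagree when the image is missing.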