Notice and thinkin.. R.Brown.

Hei!
Richard B have punch about mem exploit. Boot on AMD and INTEL

Strange; AMD and kernel dev having a different opinion. Have to reboot on my desktop. … Spectre.

Regards.

My view from 30 000 feet (10 000 metres):

  • Some CPUs have a feature which has been marketed as being a performance booster for **some** CPU intensive tasks.
  • Catch-22: this feature allows the strict separation between kernel-space and user-space to be violated.
  • The Linux world jumped the gun on the ‘within the industry agreed’ 9th January 2018 press release date.
  • To (almost but, not quite) quote “Woody on Windows”:

Buy a very large bucket of popcorn and a crate of beer; settle down into your favourite armchair and watch the game.

IMHO, this may be simply a “Super Bowl” preview.

In short: Meltdown hits only Intel, Spectre hits 'm (almost) all.

BTW This is not a request for help, I will move this to Chit-Chat in 10 minutes. Closed for now.

ARM Cortex A75 is also affected.

It’s my understanding that there aren’t many CPUs today (except maybe low capability, embedded processors) that don’t do “speculative execution.” You shouldn’t need to enable, should be enabled by default. And, I’m pretty sure there is no option to enable/disable, if that were the case then addressing the vulnerabilities wouldn’t be so big a deal (just disable the feature).

From what I’ve read, “Meltdown” is likely considered addressed… at a price. Early comment is that the penalty is much higher on MSWindows (20-30%) compared to published Linux benchmarks (17-23%), but of course YMMV and those numbers may not reflect real world experiences.

Problem from what I’ve read is that Spectre

  • Is not addressed by the Meltdown patch although the vulnerability is similar
  • Exploit code has already been published
  • Is exploitable over a network.
  • Affects all CPU architectures, although as I’ve noted above some very low capacity “mobile” CPUs might not be affected if they don’t have that feature (I’ll have to look at lesser known CPUs like MIPS for verification). But, at least x86/x64 and ARM CPUs have been identified as affected.

So, Spectre is literally the worst computing flaw that can ever be imagined.

TSU

This Raspberry Pi statement (issued a few minutes ago) may help to understand the issues being discussed in this thread: <https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/>.

So far, any information I have found about this problem states only that “a local attacker” can take advantage of this serious flaw.

Can anyone confirm that? Has anyone seen any official or authoritative mention that it can be used by a remote attacker?

If not, that certainly mitigates the problem for a lot of us whose computers are not accessed by “a local attacker”.

Likely not going to get a response from Mr Brown for a bit, he’s on vacation.

JavaScript PoC are available. Any language can be used to write it, the only prerequisite is to have high resolution time source (you need to distinguish between cache hit and cache miss), so e.g. Firefox disabled access to high resolution timer recently.

So yes, remote attack is certainly technically possible.

And, just for anybody’s information: Richard is the Chairman of the Board, not some kind of master-dev or -packager.
@jonte1 Please stop addressing individuals.

And, just for the record, there were three openSUSE Leap 42.3 patches published yesterday (Friday the 5th of January 2018) morning Central European time:

  • openSUSE-2018-1: Security update for kernel-firmware (AMD microcode);
  • openSUSE-2018-2: Security update for the Linux Kernel;
  • openSUSE-2018-4: Security update for ucode-intel.

May I suggest that, as members of the openSUSE community, we give a round of applause for the SUSE employees who, through their contacts within the industry, worked to make these repairs available in a timely fashion.

http://conures.us/images/applaud.gif

For casual readers,
That first patch doesn’t reference only processors made by AMD, saying it applies to the “AMD family” generally refers to all x64 processors made by both Intel and AMD.

When you read the description of the patches (thx SUSE for that info), it is interesting that the Spectre attack is stopped by simply disabling the speculative execution feature (the first patch) while the third patch applies the publicly discussed procedure of passing memory writes back and forth between user and kernel maps which exacts a major performance penalty and can be temporarily disabled on boot by the User who would rather risk exposure to an attack rather than suffer the penalty.

TSU

FYI
Currently updated TW and LEAP should be patched.

I found a *NIX vulnerability checker for these patches…
At least, it looks like the script depends on the ability of Linux to probe the hardware, then reads what is stored in vmlinuz and inspects system settings… So, IMO there is a major dependency involved here particularly when evaluating whether your hardware is vulnerable. The script to my eye contains no harmful code (It’s open source, you can inspect for yourself).

You can either download the script or copy the script contents to your own or clone the git repo.
If anyone is confused or unable to obtain the script, you can post in the Technical Help Forums (recommend Install Forum)

https://github.com/speed47/spectre-meltdown-checker

Interestingly, when I ran this script on my own machine which is a first generation Haswell (launched approx May 2003), it indicates that the Branch Target Injection feature (CVE-2017-5715, commonly called “Spectre vulnerability #2”) is not even enabled, which means that there may be a large number of full size machines without this “speculative execution” vulnerability.

But, it’s still supposedly vulnerable to the critical “Meltdown” vulnerability so the patch with significant performance impact is recommended.

HTH,
TSU

Since this script has been changed often even within the past 48 hrs to be more informative, modify some tests and adapt to new patches as they are released,

I recommend the best way to keep up to date is to clone the repo, after you install git on your system you can run the following command

git clone https://github.com/speed47/spectre-meltdown-checker.git

After that,
It’s simple to get the latest version of the script, from within that repo you can run the following command to get the latest version of everything in that repo

git pull

And, now you can execute the script (as root for most accurate information)

HTH,
TSU
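
As an added example (not part of the thread, and not code from the spectre-meltdown-checker project), here is a quick cross-check of what the running kernel itself reports, plus a check for the boot-time opt-out mentioned earlier. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities` and uses the `nopti` / `pti=off` boot parameters; neither is named in the thread, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: summarise the kernel's own Meltdown/Spectre status report.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities
# (older or unpatched kernels do not; that is reported as "unknown").

# classify_status FILE -> prints mitigated, vulnerable, not-affected or unknown
classify_status() {
    [ -r "$1" ] || { echo unknown; return 0; }
    line=$(head -n 1 "$1")
    case "$line" in
        "Not affected"*) echo not-affected ;;
        Mitigation*)     echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# pti_disabled_at_boot CMDLINE_FILE -> exit 0 if page-table isolation was turned off at boot
pti_disabled_at_boot() {
    [ -r "$1" ] || return 1
    for word in $(cat "$1"); do
        case "$word" in
            nopti|pti=off) return 0 ;;
        esac
    done
    return 1
}

# report [SYSFS_DIR] [CMDLINE_FILE] -> one line per issue; exit 1 unless all are confirmed safe
report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    cmdline=${2:-/proc/cmdline}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        result=$(classify_status "$dir/$name")
        echo "$name: $result"
        case "$result" in
            mitigated|not-affected) ;;
            *) rc=1 ;;
        esac
    done
    if pti_disabled_at_boot "$cmdline"; then
        echo "warning: page-table isolation disabled on the kernel command line"
        rc=1
    fi
    return $rc
}
```

Call `report` with no arguments to check the running system; a result of "unknown" means the kernel does not report a status, not that the machine is safe.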

There’s a computer magazine here in Germany named “Ct” – unfortunately “German-only”. Here in Germany, there’s also the “Chaos Computer Club” (CCC) but, that’s something else: <https://events.ccc.de/congress/2017/wiki/index.php/Main_Page>.

Ct are publishing a continually updated list of manufacturer sites with Meltdown and Spectre information: <https://www.heise.de/newsticker/meldung/Meltdown-und-Spectre-Die-Sicherheitshinweise-und-Updates-von-Hardware-und-Software-Herstellern-3936141.html>.

The Microsoft information (presumably also being continually updated) for KB4056892 (1st published 3rd of January 2018) is here: “January 3, 2018—KB4056892 (OS Build 16299.192)” at Microsoft Support. A Microsoft Blog is here: <https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/> – the Ct article (sorry, German) is here: <https://www.heise.de/newsticker/meldung/Microsoft-ueber-Meltdown-Spectre-Details-zu-Patches-und-Leistungseinbussen-3937462.html>.

The Ubuntu statement (changed since the original from a couple of days ago: “We’re publishing the patches on the industry agreed date: 9th of January 2018.”) is as follows:

I say “unfortunately”, in part because there was a coordinated release date of January 9, 2018, agreed upon by essentially every operating system, hardware, and cloud vendor in the world. By design, operating system updates would be available at the same time as the public disclosure of the security vulnerability. While it happens rarely, this an industry standard best practice, which has broken down in this case.

My personal favourite for Microsoft comments is Woody Leonhard: “Microsoft yanks buggy Windows Meltdown/Spectre patches for AMD computers” (Computerworld).
Plus, Woody’s usual articles: “Woody on Windows” and AskWoody.

More on the theme “poor Microsoft customer”: Woody Leonhard has published this in his “Microsoft yanks buggy Windows Meltdown/Spectre patches for AMD computers” article:

If you think about that for more than 30 seconds, it should be obvious that there’s a fatal flaw. Several. Ignore, for the moment, the gargantuan task of ensuring that a large enterprise has all of its antivirus software (possibly from multiple manufacturers) up to date. Instead, think about the people who can’t get their antivirus software updated for whatever reason — compatibility, or they haven’t paid the piper. Then think about those who don’t run antivirus software, or at least antivirus software that complies with Microsoft’s registry requirement. And what about those who install or uninstall new, different or even multiple antivirus scanners?

Since all of Microsoft’s patches now are cumulative (except the Win7 and 8.1 security-only manually downloaded patches), that means those who don’t pay for their antivirus product, or otherwise get thrown under the antivirus bus, won’t get any more Windows patches. Ever.

And most will never know why.

Well, he does more than that; openQA anyone? For a start. He was the QA engineer that built it…

Hi!
I notice that there is a forum on reddit.

https://www.reddit.com/r/openSUSE/

Hmm… Ok it point to.

Still, -why a hurry? Patch for… Course problems.

Regards