[email protected] +603-2181 3666
How to patch Meltdown CPU Vulnerability CVE-2017-5754 on Linux
January 5, 2018
0

A very serious security problem has been found in the Intel CPUs. Meltdown CPU Vulnerability CVE-2017-5754 breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. How do I protect my Linux server and laptop/desktop against such attack?

A very serious security problem has been found and patched in the Linux kernel. It was announced on 3rd January 2018. It was independently discovered and reported by various teams including Google Project Zero.

 

What is the Meltdown security bug in Intel cpus?

From the xen project:

Processors give the illusion of a sequence of instructions executed one-by-one. However, in order to most efficiently use cpu resources, modern superscalar processors actually begin executing many instructions in parallel. In cases where instructions depend on the result of previous instructions or checks which have not yet completed, execution happens based on guesses about what the outcome will be. If the guess is correct, execution has been sped up. If the guess is incorrect, partially-executed instructions are cancelled and architectural state changes (to registers, memory, and so on) reverted; but the whole process is no slower than if no guess had been made at all. This is sometimes called “speculative execution”.

Unfortunately, although architectural state is rolled back, there are other side effects, such as changes to TLB or cache state, which are not rolled back. These side effects can subsequently be detected by an attacker to determine information about what happened during the speculative execution phase. If an attacker can cause speculative execution to access sensitive memory areas, they may be able to infer what that sensitive memory contained.

There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue.

A list of affected Linux distros

Red Hat Enterprise Linux 5 (including clones such as CentOS/Oracle/Scientific Linux 5)
Red Hat Enterprise Linux 6 (including clones such as CentOS/Oracle/Scientific Linux 6)
Red Hat Enterprise Linux 7 (including clones such as CentOS/Oracle/Scientific Linux 7)
Debian Linux wheezy
Debian Linux jessie
Debian Linux stretch
Deiban Linux buster, sid
SUSE Linux Enterprise 11
SUSE Linux Enterprise 12
OpenSuse Linux based upon SUSE 12/11
Fedora Linux 26
Fedora Linux 27
Amazon Linux AMI (Bulletin ID: ALAS-2018-939)

Before updating system…

First, always keep backups. Second, note down the Linux kernel version running the following command:

$ uname -r

Please note that fix currently available for the following distros for sure:

RHEL 7.x
CentOS 7.x
Fedora 26/27
Debian stretch
Arch Linux
Gentoo Linux
Fix the Meltdown on a CentOS/RHEL/Fedora/Oracle/Scientific Linux
Type the following yum command:

$ uname -r
3.10.0-693.11.1.el7.x86_64
$ sudo yum update

You must reboot your Linux server using shutdown/reboot command:

$ sudo reboot
$ uname -r
3.10.0-693.11.6.el7.x86_64

Run the following dnf command if you are using a Fedora Linux:

$ sudo dnf –refresh update kernel

OR

sudo dnf update

Reboot the Linux box:

$ sudo reboot

Fix the Meltdown on a Debian/Ubuntu Linux
Use the following apt-get command/apt command:

$ uname -r
4.9.0-4-amd64
$ sudo apt-get update
## better run the following instead of ‘sudo apt-get upgrade’
$ sudo apt-get dist-upgrade

Reboot the box:

$ sudo shutdown -r 0
$ uname -r
4.9.0-5-amd64

Fix the Meltdown on an Amazon Linux running on AWS
Just run yum command:

# yum update kernel
# reboot

Fix the Meltdown on an Arch Linux
Just run pacman command:

# pacman -Syu
# reboot

Source: cyberciti.biz