A very serious security problem has been found in the Intel/AMD/ARM CPUs. Spectre CPU Vulnerability CVE-2017-5753/CVE-2017-5715 breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. How do I protect my Linux server and laptop/desktop against such attack?
A very serious security problem has been found and patched in the Linux kernel. It was announced on 3rd January 2018. It was independently discovered and reported by various teams including Google Project Zero. Spectre is harder to exploit than Meltdown CPU bug, but it is also harder to mitigate.
What is the Spectre security bug in Intel/AMD/ARM cpus?
From the Google blog:
So far, there are three known variants of the issue:
Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)
The first two variants abuse speculative execution to perform bounds-check bypass (CVE-2017-5753), or by utilizing branch target injection (CVE-2017-5715) to cause kernel code at an address under attacker control to execute speculatively. Collectively these are known as “Spectre”. Both variants rely upon the presence of a precisely-defined instruction sequence in the privileged code, as well as the fact that memory accesses may cause allocation into the microprocessor’s level 1 data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use these two flaws to read privileged memory by conducting targeted cache side-channel attacks. These variants could be used not only to cross syscall boundary (variant 1 and variant 2) but also guest/host boundary (variant 2).
A list of affected Linux distro by Spectre Vulnerabilitys
Red Hat Enterprise Linux 5 (including clones such as CentOS/Oracle/Scientific Linux 5)
Red Hat Enterprise Linux 6 (including clones such as CentOS/Oracle/Scientific Linux 6)
Red Hat Enterprise Linux 7 (including clones such as CentOS/Oracle/Scientific Linux 7)
RHEV-M 4.0
RHEV-M for Servers
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
Red Hat Enterprise MRG 2
Red Hat OpenStack Platform v 8/9/10/11/12
Debian Linux wheezy
Debian Linux jessie
Debian Linux stretch
Deiban Linux buster, sid
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE OpenStack Cloud 6
Openstack Cloud Magnum Orchestration 7
SUSE Container as a Service Platform ALL
SUSE Linux Enterprise High Availability 12 SP2/SP3
SUSE Linux Enterprise Live Patching 12
SUSE Linux Enterprise Module for Public Cloud 12
SUSE Linux Enterprise Server 11 SP3-LTSS
SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Software Development Kit 11/12 SP3/SP4
SUSE Linux Enterprise for SAP 12 SP1
SUSE Linux Enterprise 11
SUSE Linux Enterprise 12
OpenSuse Linux based upon SUSE 12/11
Fedora Linux 26
Fedora Linux 27
Amazon Linux AMI (Bulletin ID: ALAS-2018-939)
While the updates AWS/Google and other cloud performs protect underlying infrastructure, in order to be fully protected against these issues, you must also patch your instance operating systems including Linux distros, MS-Windows and desktop operating system such as macOS, Windows and more.
Before updating system…
First, always keep backups. Second, note down the Linux kernel version running the following command:
$ uname -r
Fix the Spectre on a CentOS/RHEL/Fedora/Oracle/Scientific Linux
Type the following yum command:
$ uname -r
3.10.0-693.11.1.el7.x86_64
$ sudo yum update
You must reboot your Linux server using shutdown/reboot command:
$ sudo reboot
$ uname -r
3.10.0-693.11.6.el7.x86_64
Verify all 3 CVEs (you must see output:
$ rpm -q –changelog kernel | egrep ‘CVE-2017-5715|CVE-2017-5753|CVE-2017-5754’
Run the following dnf command if you are using a Fedora Linux:
$ sudo dnf –refresh update kernel
OR
$ sudo dnf update
Reboot the Linux box:
$ sudo reboot
Fix the Spectre on a Debian/Ubuntu Linux
Use the following apt-get command/apt command:
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo shutdown -r 0
Fix the Spectre on an Amazon Linux running on AWS
Just run yum command:
# yum update kernel
# reboot
Fix the Spectre on an Arch Linux
Just run pacman command:
# pacman -Syu
# reboot
Source: cyberciti.biz