WoTTsecurity / api

API and Dashboard
https://dash.wott.io
MIT License

Fix/Hide Meltdown/Spectre on Ubuntu 16.04 #768

Closed vpetersson closed 4 years ago

vpetersson commented 4 years ago

We're getting warnings for Meltdown/Spectre for Ubuntu 16.04 (on GCP) that cannot be resolved using kernel upgrades.

As discussed, our rule of thumb needs to be that we hide RAs that are unresolved (within reason).

vpetersson commented 4 years ago

This also needs to be hidden in Vagrant/Virtualbox on Ubuntu 18.04.

vpetersson commented 4 years ago

Relevant data from GCP:

Ubuntu 16.04 on GCP:

$ grep '' /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.4.0-174-generic root=UUID=6a8554fa-8e1d-4916-ba03-4ca3837feb34 ro console=ttyS0

CentOS 8 on GCP w/ latest patches

$ sudo grep '' /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:Processor vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
$ cat /proc/cmdline
BOOT_IMAGE=(hd0,msdos1)/boot/vmlinuz-4.18.0-147.5.1.el8_1.x86_64 root=UUID=ac683356-370c-403a-b122-fcc90e993052 ro net.ifnames=0 biosdevname=0 scsi_mod.use_blk_mq=Y crashkernel=auto console=ttyS0,38400n8

CentOS 7 on GCP w/ latest patches

$ sudo grep '' /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:Processor vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: Load fences, usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full retpoline, IBPB
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=62213288-7643-4cbc-ba81-eba1f0b2376f ro crashkernel=auto console=ttyS0,38400n8 LANG=en_US.UTF-8

vpetersson commented 4 years ago

Ubuntu 16.04 in Vagrant

Vagrant: 2.0.2 VirtualBox: 5.2.34-dfsg-0~ubuntu18.04.1

$ sudo grep '' /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.4.0-141-generic root=LABEL=cloudimg-rootfs ro console=tty1 console=ttyS0

a-martynovich commented 4 years ago

@vpetersson What about Virtualbox? Shall we add an exception too? What about other Ubuntus in Virtualbox?

a-martynovich commented 4 years ago

@vpetersson More info on MDS mitigation statuses in the kernel. I was wrong in saying that Ubuntu and CentOS kernels report the same status. "Vulnerable: Clear CPU buffers attempted, no microcode" and "Mitigation: Clear CPU buffers" are different.

Ubuntu PoV:

The kernel and corresponding intel-microcode package updates fully address the MDS flaws if your processor does not support Hyper-Threads, also known as Symmetric Multi-Threading (SMT). MDS is not fully mitigated if your processor supports Hyper-Threads and Hyper-Threads are enabled. Ubuntu recommends disabling Hyper-Threads on affected systems if the system is used to execute untrusted or potentially malicious code.

I tried installing intel-microcode on our Ubuntu running in AWS, and that didn't do anything, I suspect the microcode didn't load. It did load in CentOS since the kernel doesn't complain.
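An added example, not code from this issue or from the WoTT code base, that parses the `grep '' /sys/devices/system/cpu/vulnerabilities/*` output quoted in this thread and classifies each entry, so the "Vulnerable: Clear CPU buffers attempted, no microcode" versus "Mitigation: Clear CPU buffers" distinction (and the hypervisor-tagged "KVM: Vulnerable" form) becomes a machine-readable result. The sample text is the Ubuntu 16.04 on GCP output from above, embedded inline; the function names are my own.

```python
import re

# Constructed sample: the Ubuntu 16.04 on GCP output quoted in this thread,
# embedded here so the parser runs without access to /sys.
SAMPLE_UBUNTU_1604_GCP = """\
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
"""

# One line per sysfs file: "<path>/<name>:<status text>"
LINE_RE = re.compile(r"^/sys/devices/system/cpu/vulnerabilities/(?P<name>[^:]+):(?P<status>.*)$")


def classify(status: str) -> str:
    """Map a kernel status string to 'mitigated', 'vulnerable', 'not_affected' or 'unknown'.

    The kernel leads with 'Mitigation:', 'Vulnerable', 'Not affected' or 'Unknown';
    a hypervisor tag such as 'KVM: Vulnerable' (itlb_multihit) is stripped first, and
    the CentOS wording 'Processor vulnerable' is handled explicitly.
    """
    s = re.sub(r"^KVM:\s*", "", status.strip())
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable") or s == "Processor vulnerable":
        return "vulnerable"
    return "unknown"


def parse(text: str) -> dict:
    """Return {vulnerability name: raw status string} for every well-formed line."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            result[m.group("name")] = m.group("status")
    return result


def unmitigated(text: str) -> list:
    """Names of entries the kernel itself reports as vulnerable, sorted for stable output."""
    return sorted(name for name, status in parse(text).items() if classify(status) == "vulnerable")
```

On the sample above this reports `itlb_multihit` and `mds` as unmitigated, which matches what the thread observes: the MDS line on this Ubuntu kernel says the buffer clear was only attempted because no microcode was loaded.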

vpetersson commented 4 years ago

@vpetersson What about Virtualbox? Shall we add an exception too?

If we don't have a fix, then yes, we should add an exception.

What about other Ubuntus in Virtualbox?

Assuming all other Ubuntu versions have the same issue, then yes.

vpetersson commented 4 years ago

Remove check as it is unreliable and instead rely on CVE for this. Let's bring it back later.

rptrchv commented 4 years ago

5 complexity points

a-martynovich commented 4 years ago

5