Open fshmcallister opened 4 years ago
TITLE System contains Meltdown and/or Spectre vulnerabilities
update your system
TL;DR
Your [DEVICE] appear/s to have Meltdown and Spectre vulnerabilities. This could compromise your data by allowing unwanted access to sensitive data through bypassing hardware. Update immediately with `sudo apt-get update && sudo apt-get upgrade`.
FAQ
Meltdown and Spectre vulnerabilities were found in 2018, effectively affecting all computer hardware manufactured in the last 20 years. There are 3 common vulnerabilities: 2 encompass what is known as Spectre; the other is Meltdown. If exploited, these vulnerabilities could allow access to what was previously thought of as protected data.
Meltdown bypasses hardware security boundaries between applications and the operating system and uses this to gain access to memory based on 'out of order' sequencing. Intel chips manufactured since 2010 were reported to be vulnerable to these issues. Spectre also acts at a hardware level by essentially 'tricking' a program into executing a sequence it wouldn't normally, by exploiting the speculative logic systems in a chip.
Meltdown vulnerabilities are easier to exploit than Spectre, but Spectre attacks are harder to mitigate. Software updates are being rolled out to protect against these vulnerabilities, so it is imperative that, if you have affected hardware, you are up to date. While no actual attacks have been recorded to date, only proofs of concept, it cannot be said for certain that no attacks have taken place, given that they would not be recorded.
I think this is a CVE tho
Also probably constitutes a whole article
This is good @fshmcallister. I would however change the device reference as discussed, and also change `sudo apt-get update && sudo apt-get upgrade` to be specific to the kernel package. @a-martynovich did we extract the actual package affected here?
Updated TL;DR
Meltdown and Spectre vulnerabilities have been detected. This could compromise your data by allowing unwanted access to sensitive data through bypassing hardware. Update immediately with `sudo apt-get update && sudo apt-get dist-upgrade`.
I imagine this varies by distro though? Maybe I should rework the last part to just 'update your distribution's kernel.' Thoughts?
> I imagine this varies by distro though? Maybe I should rework the last part to just 'update your distribution's kernel.'
Yes, this will be distribution specific, but let's use debian/ubuntu ones for now.
@vpetersson There may be more than one package affected. Not only kernel, but also drivers and some software.
@a-martynovich @vpetersson in the larger guide I am writing I suggest updating other software and drivers separately. For this FAQ though, what do you think is better: just `sudo apt-get dist-upgrade` or normal `sudo apt-get upgrade`?
@a-martynovich
> There may be more than one package affected. Not only kernel, but also drivers and some software.
Is there any way for us to filter this out (within reason)? For instance, wouldn't `apt-get upgrade linux-image-generic` also upgrade all the dependencies? This of course assumes that the user is using the 'linux-image' series. However, I know this is a bit crude, but wouldn't this work?
```sh
# Select installed (status "ii") linux-image-generic/virtual packages and upgrade only those
$ apt-get upgrade $(dpkg -l | grep -e 'linux-image-\(virtual\|generic\)' | grep '^ii' | awk '{print $2}')
```
@fshmcallister
> For this FAQ though, what do you think is better: just `sudo apt-get dist-upgrade` or normal `sudo apt-get upgrade`?
I was under the impression that `apt-get dist-upgrade` was used for moving between minor OS versions of a distro (i.e. like a lightweight version of do-release-upgrade). However, after consulting the man pages, that does not seem to be the case:
```
dist-upgrade
    dist-upgrade in addition to performing the function of upgrade, also intelligently
    handles changing dependencies with new versions of packages; apt-get has a "smart"
    conflict resolution system, and it will attempt to upgrade the most important packages
    at the expense of less important ones if necessary. The dist-upgrade command may
    therefore remove some packages. The /etc/apt/sources.list file contains a list of
    locations from which to retrieve desired package files. See also apt_preferences(5)
    for a mechanism for overriding the general settings for individual packages.
```
That said, my concern with either `[...] dist-upgrade` or `[...] upgrade` is that there is a large blast radius. The chance of accidental breakage is large, when we really just want to upgrade the kernel.
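As an added example (not the agent's code and not anything posted in this thread), the following POSIX shell script turns the two points under discussion into checks: it reads the kernel's own per-issue status files under `/sys/devices/system/cpu/vulnerabilities` (a real sysfs interface on kernels that carry the mitigations; each file reads `Vulnerable…`, `Mitigation: …` or `Not affected`), and it narrows the upgrade to the installed `linux-image-generic`/`linux-image-virtual` metapackages via `apt-get install --only-upgrade` rather than a blanket `upgrade`/`dist-upgrade`. The sysfs lines and the `dpkg -l` output embedded below are constructed samples; the metapackage names assume the Ubuntu 'linux-image' series, the same assumption as the one-liner above.

```sh
#!/bin/sh
# Added example: classify the kernel's Meltdown/Spectre status report and
# build a kernel-only upgrade command instead of a whole-system upgrade.

# Constructed sample in the shape of "<sysfs file name>: <file contents>".
SAMPLE_SYSFS='meltdown: Vulnerable
spectre_v1: Mitigation: usercopy/swapgs barriers and __user pointer sanitization
spectre_v2: Vulnerable: Retpoline without IBPB'

# Constructed sample of `dpkg -l` rows (status, name, version, arch, description).
SAMPLE_DPKG='ii  linux-image-generic  4.15.0.20.23  amd64  Generic Linux kernel image
ii  linux-image-4.15.0-20-generic  4.15.0-20.21  amd64  Signed kernel image generic
rc  linux-image-4.13.0-36-generic  4.13.0-36.40  amd64  Linux kernel image
ii  linux-headers-generic  4.15.0.20.23  amd64  Generic Linux kernel headers
ii  linux-image-virtual  4.15.0.20.23  amd64  Virtual Linux kernel image'

# Read the live sysfs report into "name: contents" lines. Returns 1 when the
# directory is missing (old kernel, non-Linux), so callers can fall back.
read_sysfs_report() {
    dir=/sys/devices/system/cpu/vulnerabilities
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Print the names of entries whose status begins with "Vulnerable".
# "Mitigation: ..." and "Not affected" entries are deliberately not reported.
vulnerable_entries() {
    awk -F': ' '$2 ~ /^Vulnerable/ { print $1 }'
}

# From `dpkg -l` output on stdin, print the installed ("ii") kernel image
# metapackages only; apt resolves the versioned images they depend on.
installed_kernel_images() {
    awk '$1 == "ii" && $2 ~ /^linux-image-(generic|virtual)$/ { print $2 }'
}

# Build the narrowed command. `--only-upgrade` upgrades the named packages
# (and what they depend on) but installs nothing that is not already present.
kernel_upgrade_command() {
    pkgs=$(installed_kernel_images)
    [ -n "$pkgs" ] || return 1
    # shellcheck disable=SC2086  # word-splitting joins the lines with spaces
    printf 'apt-get install --only-upgrade %s\n' "$(echo $pkgs)"
}

# Demo on the constructed samples, then on the live host if sysfs is present.
echo "Vulnerable (sample):"
printf '%s\n' "$SAMPLE_SYSFS" | vulnerable_entries
echo "Kernel-only upgrade (sample):"
printf '%s\n' "$SAMPLE_DPKG" | kernel_upgrade_command
if report=$(read_sysfs_report 2>/dev/null); then
    echo "Vulnerable (this host):"
    printf '%s\n' "$report" | vulnerable_entries
fi
```

On the sample data the script reports `meltdown` and `spectre_v2` as vulnerable and proposes `apt-get install --only-upgrade linux-image-generic linux-image-virtual`; the `rc` row (removed, config left) and the headers package are correctly left out. Re-running the sysfs check after the reboot into the new kernel is the cheapest way to confirm the upgrade actually changed the status.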
This fix will be improved in https://github.com/WoTTsecurity/agent/issues/257
Where are we sitting on this one now?
> Where are we sitting on this one now?
Yes
@fshmcallister ?
TITLE System contains Meltdown and/or Spectre vulnerabilities
update your system
TL;DR
Your [DEVICE] appear/s to have Meltdown and Spectre vulnerabilities. This could compromise your data by allowing unwanted access to sensitive data through bypassing hardware. Update immediately with `sudo apt-get update && sudo apt-get upgrade`.
FAQ
Meltdown and Spectre vulnerabilities were found in 2018, effectively affecting all computer hardware manufactured in the last 20 years. There are 3 common vulnerabilities: 2 encompass what is known as Spectre; the other is Meltdown. If exploited, these vulnerabilities could allow access to what was previously thought of as protected data.
Meltdown bypasses hardware security boundaries between applications and the operating system and uses this to gain access to memory based on 'out of order' sequencing. Intel chips manufactured since 2010 were reported to be vulnerable to these issues. Spectre also acts at a hardware level by essentially 'tricking' a program into executing a sequence it wouldn't normally, by exploiting the speculative logic systems in a chip.
Meltdown vulnerabilities are easier to exploit than Spectre, but Spectre attacks are harder to mitigate. Software updates are being rolled out to protect against these vulnerabilities, so it is imperative that, if you have affected hardware, you are up to date. While no actual attacks have been recorded to date, only proofs of concept, it cannot be said for certain that no attacks have taken place, given that they would not be recorded.
Bearing in mind this is the one that I still don't know what we're doing with, because you didn't come to a conclusion.
It's literally the same text; the only thing 'wrong' is the update command, and I didn't know what you opted for.
> Your [DEVICE] appear/s to have ...
[DEVICE]
This is wrong
TITLE System contains Meltdown and/or Spectre vulnerabilities
TL;DR
Your system appears to be vulnerable to the [Meltdown](https://meltdownattack.com/meltdown.pdf) and [Spectre](https://spectreattack.com/spectre.pdf) attacks. This could compromise your data by allowing unwanted access to sensitive data through bypassing hardware restrictions.
FAQ
[Meltdown](https://meltdownattack.com/meltdown.pdf) and [Spectre](https://spectreattack.com/spectre.pdf) vulnerabilities were found in 2018, effectively affecting all computer hardware manufactured in the last 20 years. There are 3 common vulnerabilities: 2 encompass what is known as Spectre; the other is Meltdown. If exploited, these vulnerabilities could allow access to what was previously thought of as protected data.
Meltdown bypasses hardware security boundaries between applications and the operating system and uses this to gain access to memory based on 'out of order' sequencing. Intel chips manufactured since 2010 were reported to be vulnerable to these issues. Spectre also acts at a hardware level by essentially 'tricking' a program into executing a sequence it wouldn't normally, by exploiting the speculative logic systems in a chip.
Meltdown vulnerabilities are easier to exploit than Spectre, but Spectre attacks are harder to mitigate. Software updates are available in most operating systems to protect against these vulnerabilities, so it is imperative that, if you have affected hardware, you are up to date. While no actual attacks have been recorded to date, only proofs of concept, it cannot be said for certain that no attacks have taken place, given that they would not be recorded.
Code Snippet
To update your operating system, run the following commands:
```
$ sudo apt-get update
$ sudo apt-get upgrade
```
but again, bear in mind this one wasn't updated because I didn't get a concrete answer re: the update command
We detected that {devices} is vulnerable to Meltdown/Spectre. You can learn more about these issues here. To fix the issue, please run `apt-get update && apt-get upgrade`.
part of #198