demo.yunohost.org is vulnerable to metldown

[yunohost-bot]

Original Redmine Issue: 1079

Author Name: alexAubin

---

Some users noticed that, on the admin interface of demo.yunohost.org, the spooky message about the server being vulnerable to Meltdown is displayed

[yunohost-bot]

Original Redmine Comment

Author: sbadia

---

Hello,

Je peux prendre ce point! Je viens de voir que la vm est en para-virtu, elle est donc sur un noyau 3.16…

Coté hyperviseur ça donne :

kernel      = '/boot/vmlinuz-3.16.0-4-amd64'
extra       = 'elevator=noop'
ramdisk     = '/boot/initrd.img-3.16.0-4-amd64'

Je propose donc d'installer grub et un noyau dans la vm, et de passer en full-virt (utiliser le noyau de la vm et non-plus de l'hyperviseur).

Coté modification sur l'hyperviseur ça donne :

kernel = "/usr/lib/grub-xen/grub-x86_64-xen.bin"
extra = "(hd0)/boot/grub/grub.conf"

Coté vm, j'ai encore ma clé SSH sur cette vm, je peux donc faire la partie vm également.

Cela conviendrait ?

Seb, pour Gitoyen

[yunohost-bot]

Original Redmine Comment

Author: alexAubin

---

Salut,

ben de mon côté ca me va, t'as l'air de savoir ce que tu fais :P

[yunohost-bot]

Status Change

Author: sbadia

Status Changed: In Progress

[yunohost-bot]

Original Redmine Comment

Author: sbadia

---

• Sur la vm

1. apt install linux-image-amd64 grub2
1. apt-get clean
1. apt-get autoremove --purge
1. lxc-ls -f
NAME            STATE    IPV4      IPV6  AUTOSTART  
--------------------------------------------------
yunohost_demo1  STOPPED  -         -     NO         
yunohost_demo2  RUNNING  10.1.5.4  -     NO         
1. halt

• Sur l'hyperviseur

1. => Modification du fichier pour utiliser le noyau/grub de la vm
1. xl create -c yunohost.srv.gitoyen.net.cfg

• Sur la vm

1. lxc-stop -n yunohost_demo1
1. lxc-start -n yunohost_demo2 -d

[yunohost-bot]

Original Redmine Comment

Author: sbadia

---

I'll (Gitoyen) need to update the hypervisor :)

root@yunohost:~# bash spectre-meltdown-checker.sh --variant 3 --batch json
[{"NAME":"MELTDOWN","CVE":"CVE-2017-5754","VULNERABLE":true,"INFOS":"Xen PV DomUs are vulnerable and need to be run in HVM, PVHVM, PVH mode, or the Xen hypervisor must have the Xen's own PTI patch"}]

CVE-2017-17566 is un-fixed on Debian jessie

• https://github.com/speed47/spectre-meltdown-checker/commit/5f914e555ecaa5aad95a3b1ae6d6f07ba4ad919f
• https://xenbits.xen.org/xsa/advisory-254.html
• https://security-tracker.debian.org/tracker/CVE-2017-17566

[Psycojoker]

ping @maniackcrudelis @sbadia

Do you know if it's at the LXC level or at the hypervisor level? I remember that gitoyen had updated the hypervisor

[maniackcrudelis]

The 2 LXC are supposed to be updated everyday. And there's no upgrade available. https://demo.yunohost.org/yunohost/admin/#/update

[Psycojoker]

I know you need to reboot to load the new kernel, is it done/needed here or are they updated before the boot?

[maniackcrudelis]

Here, the containers are started, then upgraded, and finally shutdown. So a reboot should not be needed here.

[Psycojoker]

Are the containers that are restarted are the one that were shutdown or are they rebuilt every time?

[maniackcrudelis]

After been shutdown, if there was an upgrade, the container will have a snapshot and then started again when used.

[sbadia]

Hi,

Just more infos on this subject, the hypervisor is a Debian stable host (stretch) running the latest xen (with comet enabled) 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7 and kernel 4.9.88-1+deb9u1.

The yunohost vm is a Debian oldstable (jessie) running on the kernel 3.16+63+deb8u2.

Xen side, this vm use pvh + shim as recommended by Xen faq

# /etc/xen/yunohost.srv.gitoyen.net.cfg
kernel = "/usr/lib/grub-xen/grub-x86_64-xen.bin"
extra = "(hd0)/boot/grub/grub.conf"
# https://xenbits.xen.org/xsa/xsa254/README.comet
type = "pvh"
pvshim = 1

As far I understand the check script, it only check if pti is enabled, the vm kernel support kpti, but sys not seems enabled…

root@yunohost:~# grep PAGE_TABLE /boot/config-3.16.0-6-amd64 
CONFIG_PAGE_TABLE_ISOLATION=y
root@yunohost:~# journalctl -k -b|grep isola
root@yunohost:~# echo $?
1

And the script

root@yunohost:~# bash spectre-meltdown-checker.sh --variant 3 --batch json
[{"NAME":"MELTDOWN","CVE":"CVE-2017-5754","VULNERABLE":true,"INFOS":"Xen PV DomUs are vulnerable and need to be run in HVM, PVHVM, PVH mode, or the Xen hypervisor must have the Xen's own PTI patch"}]

I missed something ?

• https://xenbits.xen.org/xsa/advisory-254.html
• https://xenbits.xen.org/xsa/xsa254/README.comet
• https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/
• https://github.com/speed47/spectre-meltdown-checker/issues/56

[sbadia]

root@yunohost:~# cat /proc/cmdline 
root=UUID=e70212d0-2804-4a06-8042-293d98d5577b ro pti=on quiet
root@yunohost:~# journalctl -k -b|grep isola
root@yunohost:~# 

:-/

[alexAubin]

Tested, apparently it's fixed now ? I connected to the admin interface and didnt get the warning