Closed niusmallnan closed 6 years ago
Updated info from http://news.softpedia.com/news/linux-kernels-4-14-11-4-9-74-4-4-109-3-16-52-and-3-2-97-patch-meltdown-flaw-519215.shtml it looks like we should take kernel 4.9.74 to mitigate CVE-2017-5754 (aka Meltdown).
Please, remember to backport to 1.0 LTS.
@niusmallnan Any way we could get this before or in place of 1.1.3? I'd like a straight security patch release.
Looks like the mitigation for Meltdown (CVE-2017-5754) will land in 4.9.75 upstream: https://www.spinics.net/lists/kernel/msg2688700.html
@ryansch The intent is to have this go out with ROS 1.1.3.
@aemneina Understood. Keep in mind that it increases the amount of new stuff I/we have to review alongside the security update before we can adopt the new version in production.
1.1.3 will only contain the kernel update. Sorry, I didn't make that clear. Shipping all the changes in the originally scoped 1.1.3 + cve fix would have slowed down the release of this important fix.
Fantastic!
Please please please, backport to 1.0.x LTS
@niusmallnan Kernel 4.9.76 is now out and apparently has some more meltdown and spectre fixes http://news.softpedia.com/news/linux-kernels-4-14-13-4-9-76-and-4-4-111-bring-more-security-fixes-update-now-519321.shtml
Again, please backport kernel upgrade to RancherOS 1.0.x LTS. Thanks!
@mikemoate v1.1.3 has enabled KPTI with kernel 4.9.75. v1.1.4 will use GCC (7.3) to compile the latest kernel for full Retpoline support. This can mitigate Spectre.
@niusmallnan Will you forget those users who put their confidence in the 1.0.x LTS version? Jumping to 1.1.x is a no-go due to Docker 1.10 being unsupported, so please tell us your plans about it including the case in which there aren't any, so we can find alternatives. Thanks.
@albertdb What're the problems if you upgrade to RancherOS v1.1.x? If it is not required, there will not be a new 1.0.x version.
@niusmallnan
The problem is this: https://github.com/rancher/os/pull/2056 Docker 1.10 support is a must for us at the moment.
Thank you.
BTW, 1.0.x was announced as a Long Term Support and it was released less than a year ago.
@niusmallnan thanks and understood on the kernel versions, my mistake!
@albertdb Oh, I see. Thanks for your feedback.
If only for Docker 1.10 support, you can use any RancherOS version. You can fork your own services and customize a repository. Refer to the following: http://rancher.com/docs/os/v1.0/en/system-services/custom-system-services/#service-development-and-testing https://github.com/rancher/os-services/blob/master/index.yml
We will ship v1.0.5; both Meltdown and Spectre (var. 2) fixes will be included, because indeed a small number of users need it. But before that, let's wait for the GCC 7.3 release.
BTW, after v1.0.5, there will not be a new 1.0.x version.
Mitigations for CVE-2017-5753 (spectre_v1) are available in newer kernel releases. I think Kernel 4.9.81 (previous LTS) or Kernel 4.14.18 (current LTS) is needed.
Note https://github.com/rancher/os/issues/2361 will also require a kernel update, to even later versions, so solving that will address this.
Test with our latest release v1.4.0-rc1:

```
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec: YES (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Checking count of LFENCE instructions following a jump in kernel... NO (only 6 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support: YES
  * Currently enabled features
    * IBRS enabled for Kernel space: UNKNOWN
    * IBRS enabled for User space: UNKNOWN
    * IBPB enabled: UNKNOWN
* Mitigation 2
  * Kernel compiled with retpoline option: YES
  * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Performance impact if PTI is enabled
  * CPU supports PCID: YES (performance degradation with PTI will be limited)
  * CPU supports INVPCID: YES (performance degradation with PTI will be limited)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
```

Both Meltdown and Spectre have been addressed. It's a long journey.
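The "Mitigated according to the /sys interface" lines in the checker output above come from the kernel's own self-report under `/sys/devices/system/cpu/vulnerabilities/`. The script below is an added example, not code from the RancherOS project or from anyone in this thread: it reads those files for the three variants discussed here (spectre_v1, spectre_v2, meltdown), classifies each line the way the checker does, and counts how many the kernel reports as vulnerable. It also builds a constructed sample tree (invented status lines, not captured from any real host) so the classification can be exercised on a machine whose kernel predates the sysfs reporting interface; the `SYS_VULN_DIR` variable and the `--sample` flag are conventions of this example only.

```shell
#!/bin/sh
# Added example (not RancherOS project code). Summarize what the running kernel
# reports for Spectre v1, Spectre v2 and Meltdown via the sysfs interface that
# spectre-meltdown-checker reads. Each file holds one line such as
# "Mitigation: PTI", "Vulnerable", "Vulnerable: <details>" or "Not affected".

# Directory to read; overridable so the logic can be run against a sample tree.
SYS_VULN_DIR="${SYS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify STATUS_LINE -> prints mitigated | vulnerable | unknown
classify() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo mitigated ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# read_status DIR NAME -> prints the sysfs line, or "absent" when the file is
# missing (a kernel too old to report, so its state cannot be confirmed).
read_status() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo absent
    fi
}

# count_vulnerable DIR -> one report line per variant on stderr, then the
# number of variants the kernel reports as vulnerable on stdout.
count_vulnerable() {
    n=0
    for v in spectre_v1 spectre_v2 meltdown; do
        s=$(read_status "$1" "$v")
        c=$(classify "$s")
        echo "$v: $s [$c]" >&2
        if [ "$c" = vulnerable ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# make_sample -> creates a constructed sample tree (invented values) and
# prints its path: v1 and Meltdown mitigated, v2 still reported vulnerable.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    echo "$d"
}

# Usage: sh mitigation-status.sh           (reads the live sysfs tree)
#        sh mitigation-status.sh --sample  (reads the constructed sample tree)
if [ "${1:-}" = "--sample" ]; then
    SYS_VULN_DIR=$(make_sample)
fi
echo "variants reported vulnerable: $(count_vulnerable "$SYS_VULN_DIR")"
```

An "absent" result is deliberately reported as unknown rather than safe: on the 4.9.x kernels discussed early in this thread the sysfs entries did not exist yet, and a missing file says nothing about whether KPTI or retpoline is actually active.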
https://googleprojectzero.blogspot.hk/2018/01/reading-privileged-memory-with-side.html
So far, there are three known variants of the issue: