Information leak via speculative execution side channel attacks

In January 2018, security researchers announced a new class of side channel attacks that impact most processors, including processors from Intel, AMD, ARM and IBM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory.

To address the issue in Ubuntu, updates to the kernel, processor microcode, hypervisor, and various other userspace packages will be needed. These updates are being announced in Ubuntu Security Notices as they are available.

There were three original vulnerabilities involved:

| Group | Name | Variant | Description | Ubuntu CVE Tracker |
| --- | --- | --- | --- | --- |
| Jan 2018 | Spectre | Variant 1 | Bounds Check Bypass | CVE-2017-5753 |
| Jan 2018 | Spectre | Variant 2 | Branch Target Injection | CVE-2017-5715 |
| Jan 2018 | Meltdown | Variant 3 | Rogue Data Cache Load | CVE-2017-5754 |


The Spectre and Meltdown vulnerabilities have varying impacts in different environments, and the mitigations available can be difficult to understand. We've prepared a Technical FAQ to help answer many common questions.

This article will be updated periodically with new information as it becomes available, until the issues have been resolved.

Current Status

From a guest and non-hypervisor bare-metal perspective, as of the Feb 21 kernel updates, as far as we are aware, the mitigations for Spectre and Meltdown on 64-bit amd64, ppc64el and s390x are feature-complete as long as all microcode, firmware and hypervisor updates underneath the system are done. However:

Additionally:

Kernel Mitigations

Ubuntu enables available kernel mitigations to provide a secure-by-default experience. It should be noted that the security features to mitigate these vulnerabilities can lead to a decrease in system performance. Reputable reports of published application performance data can aid in understanding the impact in various environments. Environments which do not execute untrusted code may benefit from toggling the mitigation controls to disable some or all of the kernel mitigations.
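
Before changing any mitigation control, it helps to record what the running kernel itself reports for S1, S2 and M. The script below is an added example, not part of the original article or of Ubuntu's tooling; it assumes the kernel exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and later, and kernels that backport it), and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Assumption: the running kernel provides this sysfs directory.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> not-affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# check_mitigations [DIR] -> prints "<key> <class> <raw text>" per issue.
# Returns 1 if any issue is vulnerable or its status cannot be determined.
check_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for entry in S1:spectre_v1 S2:spectre_v2 M:meltdown; do
        key=${entry%%:*}
        file=$dir/${entry#*:}
        if [ -r "$file" ]; then
            raw=$(cat "$file")
            class=$(classify_status "$raw")
        else
            # Older kernels without the sysfs interface land here.
            raw="(no sysfs entry)"
            class="unknown"
        fi
        printf '%s %s %s\n' "$key" "$class" "$raw"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample tree (not captured from a real host) for trying the
# function on a machine that lacks the sysfs directory.
make_sample_tree() {
    d=$(mktemp -d)
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$d/spectre_v2"
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "$d"
}
```

Call `check_mitigations` with no argument on a live system, or pass the path printed by `make_sample_tree` to see the output format; a non-zero exit status means at least one of the three issues is reported as vulnerable or could not be read.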

The current kernel mitigation status is as follows:

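| Ubuntu | Kernel | i386 (S1 / S2 / M) | amd64 (S1 / S2 / M) | ppc64el (S1 / S2 / M) | s390x (S1 / S2) | armhf (S1 / S2 / M) | arm64 (S1 / S2 / M) | Latest USN |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 17.10 | 4.13 | Y / R / - | Y / F,R / Y | Y / F / F | Y / F | - / - / - | Y / F / Y | USN-3581-1 on 2018-02-22; USN-3597-2 on 2018-03-15 for arm64 |
| 16.04 LTS | 4.13 HWE | Y / R / - | Y / F,R / Y | Y / F / F | Y / F | - / - / - | Y / F / Y | USN-3581-2 on 2018-02-22; USN-3597-2 on 2018-03-15 for arm64 |
| 16.04 LTS | 4.4 | Y / R / - | Y / F,R / Y | Y / F / F | Y / F | - / - / - | - / - / - | USN-3582-1 on 2018-02-22 |
| 14.04 LTS | 4.4 HWE | Y / R / - | Y / F,R / Y | Y / F / F | U | - / - / - | U | USN-3582-2 on 2018-02-22 |
| 14.04 LTS | 3.13 | Y / R / - | Y / F,R / Y | - / - / F | U | - / - / - | U | USN-3583-1 on 2018-02-22 |
| 12.04 ESM | 3.13 HWE | U | Y / F / Y | U | U | U | U | USN-3542-2 on 2018-01-22 |
| 12.04 ESM | 3.2 | U | Y / F / Y | U | U | U | U | USN-3580-1 on 2018-02-21 |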


| Key | Meaning |
| --- | --- |
| S1 | Spectre / Variant 1 / CVE-2017-5753 |
| S2 | Spectre / Variant 2 / CVE-2017-5715 |
| M | Meltdown / Variant 3 / CVE-2017-5754 |
| Y | Updates have been published to mitigate the issue |
| F | Updates have been published to mitigate the issue but require updated firmware/microcode |
| R | Kernel compiled with Retpoline, please see the FAQ around Retpoline to better understand the extent of this mitigation |
| - | Updates are not yet available |
| U | Architecture is unsupported |


Processor Firmware Availability

| Ubuntu Architectures | Vendor Statements | Firmware Status | Notes |
| --- | --- | --- | --- |
| i386, amd64 | Intel, AMD | Available, see USN-3531-3 | Note that some users experienced lockups with the 180108 version of the intel-microcode |
| ppc64el | IBM | Available from IBM | |
| s390x | IBM | Available from IBM | |
| armhf, arm64 | ARM, Cavium | Available from system vendors | A relatively small number of standard ARM cores are known to be affected |

Userspace Mitigations

Mitigations have been released for the following non-kernel packages:

| Package | USN | Notes |
| --- | --- | --- |
| Firefox | USN-3516-1 | Reduces resolution of timers, disables a mechanism that could be used to build a timer |
| WebKitGTK+ | USN-3530-1 | Reduces resolution of timers, disables a mechanism that could be used to build a timer |
| NVIDIA graphics drivers | USN-3521-1 | |
| QEMU | USN-3560-1 | Exposes Spectre variant 2 mitigations, added by microcode/firmware updates, to guests (i386, amd64, and s390x only) |
| libvirt | USN-3561-1 | Exposes Spectre variant 2 mitigations, added by microcode/firmware updates, to guests (i386 and amd64 only) |

Cloud Images

Cloud images which address CVE-2017-5753 and CVE-2017-5715 (aka Spectre) and CVE-2017-5754 (aka Meltdown) are available from https://cloud-images.ubuntu.com for the following releases:

| Release | Serial |
| --- | --- |
| trusty | 20180122 |
| xenial | 20180222 |
| artful | 20180222 |


Important notes

Ubuntu Core images

Canonical officially supports reference kernel snaps for amd64 (pc-kernel), i386 (pc-kernel), rpi2/rpi3 (pi2-kernel) and dragonboard (dragonboard-kernel). Updates for affected architectures for Meltdown are available:

| Kernel | Snap revision | Ubuntu Core image |
| --- | --- | --- |
| pc-kernel (amd64) | 98 | http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/ubuntu-core-16-amd64.img.xz |
| pc-kernel (i386) | 99 | http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/ubuntu-core-16-i386.img.xz |


Early Raspberry Pi 2 boards use the Cortex-A7 processor and later versions use the Cortex-A53 processor. Raspberry Pi 3 boards use the Cortex-A53 processor. 96boards Dragonboard 410c boards use the Cortex-A53. According to ARM, none of these devices support speculative execution and are therefore unaffected by Spectre and Meltdown.

Pre-release Updates Available For Testing

None at this time.

Timeline

Additional Side Channel Issues

Since Spectre and Meltdown were disclosed, additional side channel issues have been disclosed and documented in separate KnowledgeBase articles. You can see these articles at the following URLs:

| May 2018 | Variant 4 | Speculative Store Bypass | CVE-2018-3639 |
| June 2018 | LazyFP | LazyFP Save/Restore | CVE-2018-3665 |
| July 2018 | BCBS | Bounds Check Bypass Store | CVE-2018-3693 |

SecurityTeam/KnowledgeBase/SpectreAndMeltdown (last edited 2018-07-10 19:43:53 by emilyr)