SpectreAndMeltdown

Revision 70 as of 2018-01-25 01:01:29

Clear message

Information Leak via speculative execution side channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 aka Spectre and Meltdown)

It was discovered that a new class of side channel attacks impact most processors, including processors from Intel, AMD, ARM and IBM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory. To address the issue, updates to the Ubuntu kernel, processor microcode, hypervisor, and various other userspace packages will be needed. These updates will be announced in future Ubuntu Security Notices once they are available.

There are three separate vulnerabilities involved:

Name

Variant

Description

Ubuntu CVE Tracker

Spectre

Variant 1

Bounds Check Bypass

CVE-2017-5753

Spectre

Variant 2

Branch Target Injection

CVE-2017-5715

Meltdown

Variant 3

Rogue Data Cache Load

CVE-2017-5754


This article will be updated periodically with new information as it becomes available until the issues have been resolved.

Current Status

From a guest and non-hypervisor bare-metal perspective, as of the Jan 22 kernel updates, as far as we are aware, the mitigations for Spectre and Meltdown on 64-bit amd64, ppc64el and s390x are feature-complete as long as all microcode, firmware and hypervisor updates underneath the system are done. However:

  • Ubuntu kernels have not been rebuilt using retpolines. We plan on rebuilding the Bionic (codename for Ubuntu 18.04 LTS) userspace and selectively rebuilding portions of userspace in Ubuntu 17.10, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS.
  • No microcode updates are currently available for AMD or Intel, which means Spectre v2 is still unmitigated out of the box on Ubuntu on x86 CPUs.

Additionally:

  • No fix is currently available for Meltdown on 32-bit x86; moving to a 64-bit kernel is the currently recommended mitigation.
  • No fixes are yet available for ARM platforms. Note that a relatively small number of standard ARM cores are known to be affected.

  • For Ubuntu hypervisors, further work will be required to expose the Spectre variant 2 mitigations to guests running on top of Ubuntu, including a qemu update and some additional kernel updates.

Kernel Mitigations

The current kernel mitigation status is as follows:

Ubuntu

Kernel

i386

amd64

ppc64el

s390x

Latest USN

SV1

SV2

M

SV1

SV2

M

SV1

SV2

M

SV1

SV2

M

17.10

4.13

Y

-

-

Y

Y*

Y

Y

Y*

Y*

Y

Y*

NA

USN-3541-1 on 2018-01-22

16.04 LTS

4.13 HWE

Y

-

-

Y

Y*

Y

Y

Y*

Y*

Y

Y*

NA

USN-3541-2 on 2018-01-22

4.4

Y

-

-

Y

Y*

Y

Y

Y*

Y*

Y

Y*

NA

USN-3540-1 on 2018-01-22

14.04 LTS

4.4 HWE

Y

-

-

Y

Y*

Y

Y

Y*

Y*

U

U

U

USN-3540-2 on 2018-01-22

3.13

Y

-

-

Y

Y*

Y

-

-

-

U

U

U

USN-3542-1 on 2018-01-22

12.04 ESM

3.13 HWE

Y

-

-

Y

Y*

Y

-

-

-

U

U

U

USN-3542-2 on 2018-01-22

3.2

-

-

-

Y

-

-

-

-

-

U

U

U

USN-3525-1 on 2018-01-10


Key

Meaning

SV1

Spectre / Variant 1 / CVE-2017-5753

SV2

Spectre / Variant 2 / CVE-2017-5715

M

Spectre / Variant 3 / CVE-2017-5754

Y

Updates have been published to mitigate the issue

Y*

Updates have been published to mitigate the issue but require updated firmware/microcode

-

Updates are not yet available

NA

Architecture is not affected

U

Architecture is unsupported


Important notes

  • Updated microcode has not yet been released by Intel or AMD
  • The Rolling HWE kernel for Ubuntu 16.04 LTS moved to 4.13 early, as the 4.10 HWE kernel did not receive fixes
  • Support for retpoline is not yet included in any of these kernel updates

Userspace Mitigations

Mitigations have been released for the following non-kernel packages:

Package

USN

Notes

Firefox

USN-3516-1

WebKitGTK+

USN-3530-1

NVIDIA graphics drivers

USN-3521-1

intel-microcode

USN-3531-1

Reverted by USN-3531-2 at Intel's request

Cloud Images

Cloud images which address CVE-2017-5753 and CVE-2017-5715 (aka Spectre) and CVE-2017-5754 (aka Meltdown) are available for https://cloud-images.ubuntu.com from for the following releases:

Release

Serial

trusty

20180122

xenial

20180122

artful

20180122


Important notes

  • As release images are published in clouds many are indexed @ https://cloud-images.ubuntu.com/locator/ This tool can be used to find images with the above serials, or later, with applicable fixes.

  • Previously released cloud images (serial 20180109 for xenial and artful and serial 20180110 for trusty) only mitigated Meltdown
  • Note: A small number of systems running linux 4.4.0-108.131 were affected by LP: #1741934 which was fixed in 4.4.0-109.132. Cloud instances were not affected by the bug. Cloud images created using 4.4.0-108.131 and its derivatives (for example, linux-aws 4.4.0-1047.56) have the mitigations for Meltdown.

Ubuntu Core images

Canonical officially supports reference kernel snaps for amd64 (pc-kernel), i386 (pc-kernel), rpi2/rpi3 (pi2-kernel) and dragonboard (dragonboard-kernel). Updates for affected architectures for Meltdown are available:


Early Raspberry Pi 2 boards use the Cortex-A7 processor and later versions use the Cortex-A53 processor. Raspberry Pi 3 boards use the Cortex-A53 processor. 96boards Dragonboard 410c boards use the Cortex-A53. According to ARM, none of these devices support speculative execution and are therefore unaffected by Spectre and Meltdown.

Pre-release Update Available For Testing

The teams behind the updates for Meltdown and Spectre are working in the open to allow partners and users to evaluate, test, and provide feedback on pre-release updates. This section contains information about pre-release updates that are available for testing. We welcome any and all feedback and want to hear about both positive and negative test results. Please contact security@ubuntu.com to let us know that you intend to test the updates as well as following up with us once your testing is complete.

Package

Description of changes

Location

linux (kernel)

Retpoline mitigations for Spectre variant 2

ppa:canonical-kernel-team/spectre

qemu

Enable IBRS/IBPB mitigations for Spectre variant 2 in guest VMs

ppa:ubuntu-security-proposed/ppa

Timeline

  • 2017 Nov 09: the Ubuntu Security team is notified by Intel under NDA
  • 2017 Nov 20: the CRD is established as 2018-01-09
  • 2017 Dec: the Ubuntu Security team receives notifications from additional silicon vendors about the impact to their products
  • 2018 Jan 03: issue becomes public a few days before the CRD

  • 2018 Jan 04: Canonical publicly communicates the planned update schedule

  • 2018 Jan 04: Mozilla releases timing attack mitigations

  • 2018 Jan 05: Ubuntu Firefox updates are made available in USN 3516-1

  • 2018 Jan 07: Candidate kernels are beginning to be made available for testing at ppa:canonical-kernel-team/pti. This initial round will address CVE-2017-5754 (aka Meltdown or Variant 3) for x86_64. We will address CVE-2017-5715 and CVE-2017-5753 (aka Spectre or Variant 1 & 2) in a subsequent round. We will also address additional architectures in subsequent rounds. Kernels currently available are as follows. We will continue to update this table as more become available:

    Package

    Version

    Series

    linux

    4.4.0-108.131

    Xenial 16.04

    linux

    4.13.0-25.29

    Artful 17.10

    linux-aws

    4.4.0-1048.57

    Xenial 16.04

    linux-aws

    4.4.0-1010.10

    Trusty 14.04

    linux-azure

    4.13.0-1005.7

    Xenial 16.04

    linux-euclid

    4.4.0-9022.23

    Xenial 16.04

    linux-gcp

    4.13.0-1006.9

    Xenial 16.04

    linux-hwe-edge

    4.13.0-25.29~16.04.1

    Xenial 16.04

    linux-kvm

    4.4.0-1015.20

    Xenial 16.04

    linux-lts-xenial

    4.4.0-108.131~14.04.1

    Trusty 14.04

    linux-oem

    4.13.0-1015.16

    Xenial 16.04

  • 2018 Jan 09: NVIDIA driver updates published, see USN-3521-1

  • 2018 Jan 09: Ubuntu kernel updates are made available in USN 3522-1 (Ubuntu 16.04 LTS), USN 3523-1 (Ubuntu 17.10), USN 3522-2 (Ubuntu 14.04 LTS (HWE)), and USN-3524-1 (Ubuntu 14.04 LTS).

  • 2018 Jan 09: Notification issued for livepatch users to reboot after applying kernel update.

  • 2018 Jan 10: Updates for the pc-kernel snaps for Meltdown are released to the stable channel
  • 2018 Jan 11: Updates to the intel-microcode package were released, see USN-3531-1

    • Note: These updates were reverted on 2018 Jan 22

  • 2018 Jan 11: Core image updates for amd64 and i386 are published

  • 2018 Jan 12: Linux kernel version 4.13.0-29.32 for Artful 17.10 with Spectre mitigations is available in artful-proposed for testing.

  • 2018 Jan 16: Linux kernel version 4.4.0-111.134 for 16.04 and 3.13.0-140.189 for 14.04 with Spectre mitigations is available in the respective -proposed pocket for testing.

  • 2018 Jan 17: Linux kernel version 4.13.0-30.33 for Ubuntu Bionic with Spectre mitigations is available in the bionic-proposed pocket for testing.

  • 2018 Jan 22: Previous updates to the intel-microcode package were reverted at Intel's request, see USN-3531-2

  • 2018 Jan 22: Ubuntu kernel updates addressing all three vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) across amd64, ppc64el and s390x are released in USN-3541-1 (Ubuntu 17.10), USN-3540-1 (Ubuntu 16.04 LTS), USN-3541-2 (Ubuntu 16.04 LTS (HWE)), USN-3542-1 (Ubuntu 14.04 LTS) and USN-3540-2 (Ubuntu 14.04 LTS (HWE)).

    • Note:

      • CVE-2017-5753 (Spectre Variant 1) is additionally mitigated on i386.
      • i386, armhf and arm64 mitigations remain outstanding on all releases.
      • ppc64el mitigations are not yet provided for the Ubuntu 14.04 LTS kernel (based on kernel version 3.13).
      • Support for retpoline is not yet included in these kernel updates