
Security Patches and the Kernel (Linux)

  • Security updates for Tuesday

    Security updates have been issued by Fedora (community-mysql, crun, java-latest-openjdk, and mupdf), openSUSE (libssh2_org), and SUSE (go1.12, libseccomp, and tar).

  • New ZombieLoad Side-Channel Attack Variant: TSX Asynchronous Abort

    In addition to the JCC erratum being made public today and that performance-shifting Intel microcode update affecting Skylake through Cascade Lake, researchers also announced a new ZombieLoad side-channel attack variant dubbed "TSX Asynchronous Abort" or TAA for short.

    ZombieLoad / MDS (Microarchitectural Data Sampling) was announced back in May by researchers while today Cyberus Technology has announced a new variant focused on Intel processors with TSX (Transactional Synchronization Extensions). TSX Asynchronous Abort is a new ZombieLoad variant that was actually discovered back as part of Cyberus' original discoveries but faced an extended embargo.

  • Linux Kernel Gets Mitigations For TSX Async Abort Plus Another New Issue: iITLB Multihit

    The Linux kernel has just received its mitigation work for the newly-announced TSX Asynchronous Abort (TAA) variant of ZombieLoad plus revealing mitigations for another Intel CPU issue... So today in addition to the JCC Erratum and ZombieLoad TAA the latest is iITLB Multihit (NX) - No eXcuses.

    The mainline Linux kernel received mitigations for ZombieLoad TAA that work in conjunction with newly-published Intel microcode. The mitigations also now expose /sys/devices/system/cpu/vulnerabilities/tsx_async_abort for reporting the mitigation status plus a new tsx_async_abort kernel parameter. With the TAA mitigation, the system will clear CPU buffers on ring transitions.

  • LinuxBoot Continues Maturing - Now Able To Boot Windows

    LinuxBoot is approaching two years of age as the effort led by Facebook and others for replacing some elements of the system firmware with the Linux kernel.

    Chris Koch of Google presented at last month's Platform Security Summit 2019 on the initiative. The Platform Security Summit 2019 took place at the start of October at Microsoft's facilities in Redmond. LinuxBoot in recent months has been able to begin booting Windows 10, which is related to the recent reports on kexec'ing Windows from Linux. But not only is Windows booting but VMware and Xen are also now working in a LinuxBoot environment.

SUSE addresses Transactional Asynchronous Abort

Now the reaction from Red Hat and Canonical to Intel defects

  • Red Hat Responds to ZombieLoad v2 Security Vulnerabilities Affecting Intel CPUs

    Red Hat informed Softpedia today on a series of three new security vulnerabilities affecting the Intel CPU microarchitecture, but which have been already patched in the Linux kernel.

    The three new security vulnerabilities are CVE-2018-12207 (Machine Check Error on Page Size Change), CVE-2019-11135 (TSX Asynchronous Abort), as well as CVE-2019-0155 and CVE-2019-0154 (i915 graphics driver-related vulnerabilities). These are marked by Red Hat Security team as having an important and moderate security impact, which could allow an attacker to gain read access to sensitive data, and which affects all supported Red Hat Enterprise Linux systems.

  • Ubuntu updates to mitigate latest Intel hardware vulnerabilities

    Today, Intel announced a group of new vulnerabilities affecting various Intel CPUs and associated GPUs, known as TSX Asynchronous Abort (CVE-2019-11135), Intel® Processor Machine Check Error (CVE-2018-12207), and two Intel i915 graphics hardware vulnerabilities (CVE-2019-0155, CVE-2019-0154).

    TSX Asynchronous Abort (TAA) is related to the previously announced MDS vulnerabilities but only affects Intel processors that support Intel® Transactional Synchronization Extensions (TSX). Due to the similarity between this issue and MDS, the mitigations for MDS are sufficient to also mitigate TAA. As such, processors which were previously affected by MDS and which have the MDS microarchitectural buffer clearing mitigations employed are not affected by TAA. For newer processors which were not affected by MDS, but which support Intel® TSX, TAA is mitigated in Ubuntu by a combination of an updated Linux kernel and Intel microcode packages which disable Intel® TSX. Where TSX is required, this can be re-enabled via a kernel command-line option (tsx=on) and in this case, the kernel will automatically employ microarchitectural buffer clearing mechanisms as used for MDS to mitigate TAA.

    Intel® Processor Machine Check Error (MCEPSC, also called iTLB multihit) is a vulnerability specific to virtualisation, where a virtual machine can cause a denial of service (system hang) to the host processor when hugepages are employed. This is mitigated in Ubuntu with an updated Linux kernel.

  • This week's hardware vulnerabilities

    A set of patches has just been pushed into the mainline repository (and stable updates) for yet another set of hardware vulnerabilities. "TSX async abort" (or TAA) exposes information through the usual side channels by way of internal buffers used with the transactional memory (TSX) instructions. Mitigation is done by disabling TSX or by clearing the relevant buffers when switching between kernel and user mode. Given that this is not the first problem with TSX, disabling it entirely is recommended; a microcode update may be needed to do so, though. This commit contains documentation on this vulnerability and its mitigation.

Canonical Announces Ubuntu Updates to Mitigate Latest Intel Vuln

  • Canonical Announces Ubuntu Updates to Mitigate Latest Intel Vulnerabilities

    Following in the footsteps of Red Hat, Canonical also announced today that it has prepared updates for all of its supported Ubuntu Linux releases to mitigate the latest Intel CPU security vulnerabilities.

    As we reported earlier, Intel announced today that several new security vulnerabilities are affecting various of its Intel CPU microarchitectures, as well as associated GPUs. These vulnerabilities are known as TSX Asynchronous Abort (CVE-2019-11135), Intel Processor Machine Check Error (CVE-2018-12207), and Intel i915 graphics hardware vulnerabilities (CVE-2019-0155, CVE-2019-0154).

    The first security vulnerability, TSX Asynchronous Abort (TAA), is related to the previously announced MDS (Microarchitectural Data Sampling) vulnerabilities. However, Canonical's Alex Murray explains that it only affects Intel processors that support the Intel Transactional Synchronization Extensions (TSX). As such, the existing MDS mitigations will also mitigate TAA.

Linux vs. Zombieland v2: The security battle continues

  • Linux vs. Zombieland v2: The security battle continues

    Here's the bad news: We're going to keep seeing fundamental Intel CPU security holes popping open until every last one of the current generations of these chips is in landfills. Zombieland v2 is only the latest of a line of problems, which go back to Meltdown and Spectre. The "good" news is for now Intel and the operating system companies are staying ahead of hackers. Here's what Linux and Red Hat are doing about the latest nastiness.


More in Tux Machines


Events: KVM Forum 2019 and "Bar Charts for Diversity"

  • A recap of KVM Forum 2019

    The 13th KVM Forum virtualization conference took place in Lyon, France in October 2019. One might think that development may have finished on the Kernel Virtual Machine (KVM) module that was merged in Linux 2.6.20 in 2007, but this year's conference underscored the amount of work still being done, particularly on side-channel attack mitigation, I/O device assignment with VFIO and mdev, footprint reduction with micro virtual machines (VMs), and with the ability to run VMs nested within VMs. Many talks also involved the virtual machine monitor (VMM) user-space programs that use the KVM kernel module—of which QEMU is the most widely used.

  • Enhancing KVM for guest protection and security

    A key tenet in KVM is to reuse as much Linux infrastructure as possible and focus specifically on processor virtualization. Back in 2007, this meant a smaller code base and less friction with the other kernel subsystems, especially when compared with other virtualization technologies such as Xen. This led to KVM being merged into the mainline with relative ease. But now, in the era of microarchitectural vulnerabilities, the priorities have shifted, and the KVM's reliance on other kernel subsystems can be a liability. For one thing, the host kernel widens the TCB (Trusted Computing Base) and makes for a larger attack surface. In addition, kernel data structures such as the direct memory map give Linux access to guest memory even when it is not strictly necessary and make it impossible to fully enforce the principle of least privilege. In his talk "Enhancing KVM for Guest Protection and Security" (slides [PDF]) presented at KVM Forum 2019, long-time KVM contributor Jun Nakajima explained this risk and suggested some strategies to mitigate it.

  • Bar charts for diversity

    At the Linux App Summit I gave an unconference talk titled Hey guys, this conference is for everyone. The “hey guys” part refers to excluding people from a talk or making them feel uncomfortable – you can do this unintentionally, and the take-away of the talk was that you, (yes, you) can be better. I illustrated this mostly with conversational distance, a favorite topic of mine that I can demonstrate easily on stage. There’s a lot of diversity in how far people stand away from strangers, while explaining something they care about. The talk wasn’t recorded, but I’ve put the slides up. Another side of diversity can be dealt with by statistics. Since I’m a mathematician, I have a big jar of peanuts and raisins in the kitchen. Late at night I head down to the kitchen and grab ten items from the jar. Darn, all of them are raisins. What are the odds!? Well, a lot depends on whether there are any peanuts in the jar at all; what percentage is peanuts; whether I’m actually picking things randomly or not. There’s a convenient tool that Katarina Behrens pointed me to, which can help figure this out. Even if there’s only a tiny fraction of peanuts in the jar, there’s an appreciable chance of getting one (e.g. change the percentage on that page to 5% and you’ll see).

Linux on the MAG1 8.9 inch mini-laptop (Ubuntu and Fedora)

The Magic Ben MAG1 mini-laptop is a 1.5 pound notebook computer that measures about 8.2″ x 5.8″ x 0.7″ and which features an 8.9 inch touchscreen display and an Intel Core m3-8100Y processor. As I noted in my MAG1 review, the little computer also has one of the best keyboards I’ve used on a laptop this small and a tiny, but responsive trackpad below the backlit keyboard. Available from GeekBuying for $630 and up, the MAG1 ships with Windows 10, but it’s also one of the most Linux-friendly mini-laptops I’ve tested to date. [...] I did not install either operating system to local storage, so I cannot comment on sleep, battery life, fingerprint authentication, or other features that you’d only be able to truly test by fully installing Ubuntu, Fedora, or another GNU/Linux-based operating system. But running from a liveUSB is a good way to kick the tires and see if there are any obvious pain points before installing an operating system, and for the most part the two operating systems I tested look good to go. Booting from a flash drive is also pretty easy. Once you’ve prepared a bootable drive using Rufus, UNetbootin, or a similar tool, just plug it into the computer’s USB port, hit the Esc key during startup to bring up the UEFI/SETUP utility.
