Nuova falla di sicurezza nella CPU Intel

[corradoventu]

Google e Intel scoprono nuovo buco sicurezza https://www.theverge.com/2018/5/21/1737 ... -variant-4
Fresco fresco del 12 Giugno https://portal.msrc.microsoft.com/en-US ... /ADV180012
Another Spectre-Like CPU Vulnerability https://www.schneier.com/blog/archives/ ... ectre.html
Ne parla addirittura un sito della sicurezza del governo US: https://www.us-cert.gov/ncas/alerts/TA18-141A
... se dopo aver aperto is sito qui sopra provate (in basso nella pagina) a cliccare su 'Microsoft' e avrete un bellissimo pop-up (allegato)
che dice che state uscendo da un sito della sicurezza US e che il sito linkato non è affar loro!

La pagina di Ubuntu non fa cenno al nuovo problema: https://launchpad.net/ubuntu/+source/intel-microcode

https://portal.msrc.microsoft.com/en-us ... y-guidance
https://portal.msrc.microsoft.com/en-us ... 0d3a33c573

Scaricato il tool aggiornato da https://github.com/speed47/spectre-meltdown-checker
mi dice che sono DI NUOVO VULNERABILE ... come aveva fatto Achille? forse il tallone si chiamava Microsoft?

Codice: Seleziona tutto

corrado@corrado-p8-bionic:~$ apt policy *-microcode
intel-microcode:
  Installed: 3.20180425.1~ubuntu0.18.04.1
  Candidate: 3.20180425.1~ubuntu0.18.04.1
  Version table:
 *** 3.20180425.1~ubuntu0.18.04.1 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.20180312.0~ubuntu18.04.1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
amd64-microcode:
  Installed: 3.20171205.1
  Candidate: 3.20171205.1
  Version table:
 *** 3.20171205.1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
corrado@corrado-p8-bionic:~$ sudo ./spectre-meltdown-checker.sh
[sudo] password for corrado: 
Spectre and Meltdown mitigation detection tool v0.37+

Checking for vulnerabilities on current system
Kernel is Linux 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i3-7100 CPU @ 3.90GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 0x9e family 0x6 stepping 0x9 ucode 0x84 cpuid 0x906e9)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 
  * Vulnerable to Variant 3a:  YES 
  * Vulnerable to Variant 4:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec (x86):  YES  (1 occurrence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm):  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  YES  (for kernel and firmware code)
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  YES 
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability:  NO 
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

> How to fix: The microcode of your CPU needs to be upgraded to mitigate this vulnerability. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). The microcode update is enough, there is no additional OS, kernel or software change needed.

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface:  NO  (Vulnerable)
* Kernel supports speculation store bypass:  YES  (found in /proc/self/status)
> STATUS:  VULNERABLE  (Your CPU doesn't support SSBD)

> How to fix: Your kernel is recent enough to use the CPU microcode features for mitigation, but your CPU microcode doesn't actually provide the necessary features for the kernel to use. The microcode of your CPU hence needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section).

A false sense of security is worse than no security at all, see --disclaimer
corrado@corrado-p8-bionic:~$ 

il buffo è che le ultime update mi hanno installato anche amd64-microcode nonostante abbia una CPU Intel.

[trekfan1]

Non è buffo che gli ultimi update ti abbiano installato il microcodice dell'amd anche se hai cpu intel in quanto adesso vengono installati TUTTI E DUE, indipendentemente dalla cpu, quindi se uno ha una una cpu amd si trova anche il microcode dell'intel

[a323109]

Mah...ormai non ci bado.più.

Chi mi assicura che non sia il contrario???
Che i vecchi computer NON sono vulnerabili appunto perche troppo vecchi e allora quache furbone si inventa sta roba da far installare per rendere vulnerabile alle nuove tecnologie anche i vecchi processori???

Tanto chi riesce esattamente a capire cosa installa???

[wilecoyote]

Salve, nei miei vecchi processori Intel lo toppa è peggio del buco, rallentamenti assurdi tanto che quando compilo con Trusty avvio col Kernel 4.4.0-104.

Con Xenial e Bionic purtroppo non è possibile, con la toppa lenti sono e lenti restano.

Quasi quasi torno allo Z80 e dintorni, lento per lento…

Ciao

[Stealth]

Io faccio gli aggiornamenti che mi vengono proposti dal sistema, ma credo di non averci mai dedicato più di qualche secondo dei miei pensieri, e comunque mai con preoccupazione. Chiunque avesse le capacità e i mezzi per sfruttare queste falle e perdesse il suo tempo con me, sarebbe immediatamente sedato e rinchiuso in apposita stanza imbottita, sotto vigilanza h24 perchè non continui a farsi del male.
Questo solo per dire che essere preoccupati di cose simili, a livello di utente normale e casalingo o poco più, secondo me è solo tempo perso
ciao

[corradoventu]

@trekfan1: grazie, non lo sapevo, lo deduci per esperienza o sta scritto da qualche parte? se si, dove?
@Stealth: sono daccordo con te, ho segnalato solo per informazione e per il bellisimo popup della sicurezza US.

[Stealth]

... e per il bellisimo popup della sicurezza US ...

Gli americani cercano di essere sempre attentissimi, anche perchè in quel paese hanno avvocati che mangiano avvoltoi a colazione e iene per cena.
ciao

[trekfan1]

Codice: Seleziona tutto

 dpkg -l | grep microcode
ii  amd64-microcode                            3.20180524.1                         amd64        Processor microcode firmware for AMD CPUs
ii  intel-microcode                            3.20180425.1~ubuntu0.18.04.1         amd64        Processor microcode firmware for Intel CPUs
ii  iucode-tool                                2.3.1-1

Codice: Seleziona tutto

inxi -Fz
System:    Host: ubuntu-hp-dev Kernel: 4.15.0-24-generic x86_64 bits: 64 Console: tty 1 
           Distro: Ubuntu Cosmic Cuttlefish (development branch) 
Machine:   Type: Laptop System: Hewlett-Packard product: HP ProBook 450 G2 v: A3009DD10303 serial: <filter> 
           Mobo: Hewlett-Packard model: 2248 v: KBC Version 59.23 serial: <filter> BIOS: Hewlett-Packard 
           v: M73 Ver. 01.47 date: 01/24/2018 
Battery:   ID-1: BAT0 charge: 35.2 Wh condition: 36.8/36.8 Wh (100%) 
CPU:       Topology: Dual Core model: Intel Core i7-5500U bits: 64 type: MT MCP L2 cache: 4096 KiB 
           Speed: 1141 MHz min/max: 500/3000 MHz Core speeds (MHz): 1: 1006 2: 1125 3: 847 4: 805 
Graphics:  Card-1: Intel HD Graphics 5500 driver: i915 v: kernel 
           Card-2: Advanced Micro Devices [AMD/ATI] Topaz PRO [Radeon R5 M255] driver: amdgpu v: kernel 
           Display: server: X.org 1.20.0 driver: amdgpu tty: 169x41 
           Message: Advanced graphics data unavailable for root. Old System? 
Audio:     Card-1: Intel Broadwell-U Audio driver: snd_hda_intel 
           Card-2: Intel Wildcat Point-LP High Definition Audio driver: snd_hda_intel 
           Sound Server: ALSA v: k4.15.0-24-generic 
Network:   Card-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet driver: r8169 
           IF: enp8s0 state: down mac: <filter> 
           Card-2: Intel Wireless 3160 driver: iwlwifi 
           IF: wlo1 state: up mac: <filter> 
Drives:    HDD Total Size: 1.36 TiB used: 929.85 GiB (66.5%) 
           ID-1: /dev/sda vendor: Seagate model: ST1500LM006 HN-M151RAD size: 1.36 TiB 
Partition: ID-1: / size: 14.64 GiB used: 7.37 GiB (50.4%) fs: ext4 dev: /dev/sda5 
           ID-2: /home size: 9.72 GiB used: 7.21 GiB (74.1%) fs: ext4 dev: /dev/sda6 
Sensors:   System Temperatures: cpu: 46.0 C mobo: 0.0 C gpu: amdgpu temp: 46 C 
           Fan Speeds (RPM): N/A 
Info:      Processes: 252 Uptime: 1h 36m Memory: 15.10 GiB used: 1.92 GiB (12.7%) Shell: bash inxi: 3.0.12

[a323109]

Linux mint 17

Codice: Seleziona tutto

matrix@matrix ~ $ dpkg -l | grep microcode
ii  amd64-microcode                             2.20131007.1+really20130710.1                       amd64        Processor microcode firmware for AMD CPUs
ii  intel-microcode                             3.20180425.1~ubuntu0.14.04.1                        amd64        Processor microcode firmware for Intel CPUs
ii  iucode-tool                                 1.0.1-1                                             amd64        Intel processor microcode tool
matrix@matrix ~ $ 

Codice: Seleziona tutto

matrix@matrix ~ $ inxi -Fz
System:    Host: matrix Kernel: 3.13.0-149-generic x86_64 (64 bit) Desktop: Gnome Distro: Linux Mint 17.1 Rebecca
Machine:   System: Acer (portable) product: Aspire 5735 version: 0100
           Mobo: Acer model: CathedralPeak version: Rev Bios: Phoenix version: V1.11 date: 02/02/2009
CPU:       Dual core Pentium CPU T4200 (-MCP-) cache: 1024 KB flags: (lm nx sse sse2 sse3 ssse3) 
           Clock Speeds: 1: 1200.00 MHz 2: 1200.00 MHz
Graphics:  Card: Intel Mobile 4 Series Chipset Integrated Graphics Controller 
           X.Org: 1.15.1 drivers: intel (unloaded: fbdev,vesa) Resolution: 1366x768@60.0hz 
           GLX Renderer: Mesa DRI Mobile Intel GM45 Express Chipset GLX Version: 2.1 Mesa 10.1.3
Audio:     Card: Intel 82801I (ICH9 Family) HD Audio Controller driver: snd_hda_intel Sound: ALSA ver: k3.13.0-149-generic
Network:   Card-1: Qualcomm Atheros AR928X Wireless Network Adapter (PCI-Express) driver: ath9k 
           IF: wlan1 state: down mac: <filter>
           Card-2: Marvell 88E8071 PCI-E Gigabit Ethernet Controller driver: sky2 
           IF: eth1 state: down mac: <filter>
Drives:    HDD Total Size: 224.1GB (13.5% used) 1: id: /dev/sda model: WDC_WD1600BEVT size: 160.0GB 
           2: USB id: /dev/sdc model: Cruzer_Blade size: 32.0GB 3: USB id: /dev/sde model: Cruzer_Fit size: 32.0GB 
Partition: ID: / size: 30G used: 20G (71%) fs: ext4 
RAID:      No RAID devices detected - /proc/mdstat and md_mod kernel raid module present
Sensors:   System Temperatures: cpu: 76.0C mobo: 74.0C 
           Fan Speeds (in rpm): cpu: N/A 
Info:      Processes: 164 Uptime: 10 min Memory: 733.4/3854.5MB Client: Shell inxi: 1.8.4 

Pare ci sia tutto.
Se dopo avvio Cosmic posto anche quello.

Ecco, stessa macchina ma Ubuntu 18.10 avviato ora.

Codice: Seleziona tutto

matrix@linux:~$ dpkg -l | grep microcode
ii  amd64-microcode                       3.20180524.1                      amd64        Processor microcode firmware for AMD CPUs
ii  intel-microcode                       3.20180425.1~ubuntu0.18.04.1      amd64        Processor microcode firmware for Intel CPUs
ii  iucode-tool                           2.3.1-1                           amd64        Intel processor microcode tool
matrix@linux:~$ 

Codice: Seleziona tutto

root@linux:/home/matrix# inxi -Fz
System:
  Host: linux Kernel: 4.15.0-23-generic x86_64 bits: 64 Desktop: LXDE 
  Distro: Ubuntu Cosmic Cuttlefish (development branch) 
Machine:
  Type: Laptop System: Acer product: Aspire 5735 v: 0100 serial: <filter> 
  Mobo: Acer model: CathedralPeak v: Rev serial: <filter> BIOS: Phoenix 
  v: 1.11 date: 02/02/2009 
Battery:
  ID-1: BAT0 charge: 13.6 Wh condition: 13.6/48.8 Wh (28%) 
CPU:
  Topology: Dual Core model: Pentium T4200 bits: 64 type: MCP 
  L2 cache: 1024 KiB 
  Speed: 1197 MHz min/max: 1200/2000 MHz Core speeds (MHz): 1: 1197 2: 1197 
Graphics:
  Card-1: Intel Mobile 4 Series Integrated Graphics driver: i915 v: kernel 
  Display: x11 server: X.Org 1.19.6 driver: modesetting unloaded: fbdev,vesa 
  resolution: 1366x768~60Hz 
  OpenGL: renderer: Mesa DRI Mobile Intel GM45 Express v: 2.1 Mesa 18.1.1 
Audio:
  Card-1: Intel 82801I HD Audio driver: snd_hda_intel 
  Sound Server: ALSA v: k4.15.0-23-generic 
Network:
  Card-1: Marvell 88E8071 PCI-E Gigabit Ethernet driver: sky2 
  IF: enp2s0 state: down mac: <filter> 
  Card-2: Qualcomm Atheros AR928X Wireless Network Adapter driver: ath9k 
  IF: wlp3s0 state: down mac: <filter> 
  IF-ID-1: ppp0 state: unknown speed: N/A duplex: N/A mac: N/A 
Drives:
  HDD Total Size: 178.87 GiB used: 8.64 GiB (4.8%) 
  ID-1: /dev/sda vendor: Western Digital model: WD1600BEVT-22ZCT0 
  size: 149.05 GiB 
  ID-2: /dev/sdb type: USB vendor: SanDisk model: Cruzer Fit size: 29.82 GiB 
Partition:
  ID-1: / size: 28.35 GiB used: 8.64 GiB (30.5%) fs: ext4 dev: /dev/sdb1 
Sensors:
  System Temperatures: cpu: 55.0 C mobo: 55.0 C 
  Fan Speeds (RPM): N/A 
Info:
  Processes: 151 Uptime: 18m Memory: 3.76 GiB used: 509.4 MiB (13.2%) 
  Shell: bash inxi: 3.0.12 
root@linux:/home/matrix# 

Codice: Seleziona tutto

root@linux:/home/matrix# apt policy *-microcode
intel-microcode:
  Installato: 3.20180425.1~ubuntu0.18.04.1
  Candidato:  3.20180425.1~ubuntu0.18.04.1
  Tabella versione:
 *** 3.20180425.1~ubuntu0.18.04.1 500
        500 http://it.archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status
amd64-microcode:
  Installato: 3.20180524.1
  Candidato:  3.20180524.1
  Tabella versione:
 *** 3.20180524.1 500
        500 http://it.archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status
root@linux:/home/matrix#