Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

2021-01-14 Thread Christoph Pflügler



On 13.01.21 23:49, Michael Stone wrote:
> On Wed, Jan 13, 2021 at 09:49:43PM +0100, Christoph Pflügler wrote:
>> [    0.00] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
>> [    0.379026] SRBDS: Vulnerable: No microcode
>> [    1.625090] microcode: sig=0x506e3, pf=0x2, revision=0xd6
>> [    1.625215] microcode: Microcode Update Driver: v2.2.
>>
>> Seems like the microcode is applied to my CPUs. This is also
>> supported by numerous other CVEs getting mitigated after
>> intel-microcode installation.
>
> That's exactly the same signature I was testing with different results:
> microcode: sig=0x506e3, pf=0x2, revision=0xd6
>
> The only way I can get your results is to run unprivileged, but you
> said you weren't doing that. The checks for 3640 and 3615 are
> basically just looking for SSBD; in the top section the line that says
> "CPU indicates SSBD capability" presumably says something other than
> "YES (Intel SSBD)"?
>
>> I also tried the latest meltdown-spectre-checker (v0.44), the results
>> are the same (plus another red 2020 CVE).
>
> This is presumably CVE-2020-0543; if you look at the changelog for
> intel-microcode it discusses that issue. You can install the backports
> version which should fix that at the risk of a boot failure.

You are absolutely right, the SSBD lines say the following (when
executed as root):

  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  UNKNOWN  (is cpuid kernel module available?)
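As an added example (not code from the thread or from spectre-meltdown-checker), a POSIX sh script that cross-checks the two facts the red lines rest on without the cpuid module: the ssbd flag the kernel exports in /proc/cpuinfo and the loaded microcode revision it logs in dmesg. The sample cpuinfo and dmesg text is constructed, modelled on the E3 v5 lines quoted above, and the minimum revision passed to revision_at_least is a placeholder to be taken from the intel-microcode changelog for your signature.

```shell
#!/bin/sh
# Added example, not from the thread or from spectre-meltdown-checker.
# The checker reads the SSBD bit via the cpuid module; without it the line
# goes UNKNOWN and CVE-2018-3640/3615 turn red. The kernel exposes the same
# bit as the "ssbd" flag in /proc/cpuinfo and logs the microcode revision.

# Print YES if the /proc/cpuinfo text in $1 lists the ssbd feature flag, else NO.
ssbd_from_cpuinfo() {
    if printf '%s\n' "$1" | sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' \
        | head -n1 | tr ' ' '\n' | grep -qx ssbd; then
        echo YES
    else
        echo NO
    fi
}

# Print the microcode revision that dmesg text $1 reports for CPU signature $2
# (e.g. 0x506e3), or NONE if no matching "microcode: sig=" line exists.
microcode_rev_from_dmesg() {
    rev=$(printf '%s\n' "$1" \
        | sed -n "s/.*microcode: sig=$2, pf=0x[0-9a-f]*, revision=\(0x[0-9a-f]*\).*/\1/p" \
        | tail -n1)
    [ -n "$rev" ] && echo "$rev" || echo NONE
}

# Print OK if hex revision $1 is at least hex revision $2, else OLD.
# $2 is a placeholder: take it from the intel-microcode changelog for your sig.
revision_at_least() {
    [ $(($1)) -ge $(($2)) ] && echo OK || echo OLD
}

# Constructed sample input, modelled on the E3 v5 lines quoted in the thread.
SAMPLE_CPUINFO='processor : 0
model name : Intel(R) Xeon(R) CPU E3-1235L v5
flags : fpu vme de pse tsc msr pae mce cx8 sep ibrs ibpb stibp ssbd md_clear
'
SAMPLE_DMESG='[    0.000000] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
[    0.379026] SRBDS: Vulnerable: No microcode
[    1.625090] microcode: sig=0x506e3, pf=0x2, revision=0xd6
'

# With --live, run the same checks on this machine and also print the kernel's
# own per-CVE verdicts from sysfs, which need neither an extra module nor root.
if [ "${1:-}" = "--live" ]; then
    echo "ssbd flag: $(ssbd_from_cpuinfo "$(cat /proc/cpuinfo)")"
    sig=$(dmesg | sed -n 's/.*microcode: sig=\(0x[0-9a-f]*\),.*/\1/p' | head -n1)
    echo "microcode: sig=$sig revision=$(microcode_rev_from_dmesg "$(dmesg)" "$sig")"
    for f in /sys/devices/system/cpu/vulnerabilities/*; do
        echo "$(basename "$f"): $(cat "$f")"
    done
fi
```

Run with `--live` on the affected host; a YES for the ssbd flag alongside an UNKNOWN from the checker points at the missing cpuid module rather than at the microcode.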





Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

2021-01-13 Thread Christoph Pflügler



On 13.01.21 17:15, Michael Stone wrote:
> On Tue, Jan 12, 2021 at 05:25:23PM +0100, Giacomo Catenazzi wrote:
>> In any case, according to Intel, microcode should be updated by BIOS
>
> I wonder if anyone from intel can manage to say that with a straight
> face.

This is the dmesg | grep microcode output for the i5 gen3:

[    0.00] microcode: microcode updated early to revision 0x21, date = 2019-02-13
[    0.222193] SRBDS: Vulnerable: No microcode
[    1.067686] microcode: sig=0x306a9, pf=0x10, revision=0x21
[    1.067856] microcode: Microcode Update Driver: v2.2.

and here the one for the E3 v5:

[    0.00] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
[    0.379026] SRBDS: Vulnerable: No microcode
[    1.625090] microcode: sig=0x506e3, pf=0x2, revision=0xd6
[    1.625215] microcode: Microcode Update Driver: v2.2.

Seems like the microcode is applied to my CPUs. This is also supported
by numerous other CVEs getting mitigated after intel-microcode
installation.

I also tried the latest meltdown-spectre-checker (v0.44), the results
are the same (plus another red 2020 CVE).





Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

2021-01-09 Thread Christoph Pflügler



On 08.01.21 23:40, Michael Stone wrote:
> On Fri, Jan 08, 2021 at 10:48:30PM +0100, Christoph Pflügler wrote:
>> On 08.01.21 22:34, Michael Stone wrote:
>>> On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
>>>> Installing package intel-microcode in Debian 10 (Buster) mitigates
>>>> most vulnerabilities as per spectre-meltdown-checker. However,
>>>> CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated
>>>> after reboot, with spectre-meltdown-checker --explain (executed as
>>>> su) pointing to missing microcode upgrades.
>>>>
>>>> According to the Debian package description of intel-microcode, the
>>>> two vulnerabilities are fixed in the current version of the package.
>>>>
>>>> This occurs in exactly the same way on two different machines, one
>>>> with an i5-3320M CPU and another one with an E3-1235L v5.
>>>>
>>>> If I remember correctly, I was all green as per
>>>> spectre-meltdown-checker in Debian 9 (Stretch).
>>>
>>> What version of intel-microcode do you have installed?
>>
>> intel-microcode:amd64/buster 3.20200616.1~deb10u1 uptodate, installed
>> from Debian non-free repository
>
> With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 the
> checker reports green for those checks on my test system. Do you have
> the latest spectre-meltdown-checker, and are you running it as root?
> If I run the current version as an unprivileged user those checks come
> up red (presumably because it can't read the cpu registers it is
> trying to read).

spectre-meltdown-checker:all/buster 0.42-1 uptodate, installed from
Debian repository.

Yes, I executed it as root (su ->  -> spectre-meltdown-checker).
I get exactly the same results running it as an unprivileged user. This
is what spectre-meltdown-checker, run as root, shows for the two CVEs:

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  N/A
> STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is not up to date)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  NO
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

Linux version is also 4.19.0-13-amd64.

Both my instances are (almost) fresh installations (GNOME) based on
recently released debian-10.7.0-amd64-netinst.iso.





Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

2021-01-08 Thread Christoph Pflügler



On 08.01.21 22:34, Michael Stone wrote:
> On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
>> Installing package intel-microcode in Debian 10 (Buster) mitigates
>> most vulnerabilities as per spectre-meltdown-checker. However,
>> CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated
>> after reboot, with spectre-meltdown-checker --explain (executed as
>> su) pointing to missing microcode upgrades.
>>
>> According to the Debian package description of intel-microcode, the
>> two vulnerabilities are fixed in the current version of the package.
>>
>> This occurs in exactly the same way on two different machines, one
>> with an i5-3320M CPU and another one with an E3-1235L v5.
>>
>> If I remember correctly, I was all green as per
>> spectre-meltdown-checker in Debian 9 (Stretch).
>
> What version of intel-microcode do you have installed?

intel-microcode:amd64/buster 3.20200616.1~deb10u1 uptodate, installed
from Debian non-free repository




intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

2021-01-08 Thread Christoph Pflügler
Installing package intel-microcode in Debian 10 (Buster) mitigates most
vulnerabilities as per spectre-meltdown-checker. However, CVE-2018-3640
and CVE-2018-3615 are still displayed as unmitigated after reboot, with
spectre-meltdown-checker --explain (executed as su) pointing to missing
microcode upgrades.

According to the Debian package description of intel-microcode, the two
vulnerabilities are fixed in the current version of the package.

This occurs in exactly the same way on two different machines, one with
an i5-3320M CPU and another one with an E3-1235L v5.

If I remember correctly, I was all green as per spectre-meltdown-checker
in Debian 9 (Stretch).

Does anybody have an explanation and/or fix for this issue?


Thanks and best regards,

Christoph