Spectre Variant 2 on CentOS 6.8

polax
Posts: 3
Joined: 2015/11/24 07:35:11

Spectre Variant 2 on CentOS 6.8

Post by polax » 2018/03/09 04:14:54

Hi,
I have updated my CentOS 6 with "yum update" and restarted, but spectre-meltdown-checker is showing vulnerability to Variant 2:
https://puu.sh/zDIam/2b3c438169.png

How can I fix it?

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: Spectre Variant 2 on CentOS 6.8

Post by chemal » 2018/03/09 05:40:55

Your kernel is compiled with IBRS but your CPU microcode is lacking support to successfully mitigate the vulnerability.

Ask Intel for a microcode update or your hardware vendor for a BIOS update that includes this microcode update.

Up to now, Intel has only come up with a microcode update for Skylake CPUs and you can only get it if your hardware vendor offers a BIOS update including it.

It is not included here: https://downloadcenter.intel.com/downlo ... -Data-File

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Spectre Variant 2 on CentOS 6.8

Post by TrevorH » 2018/03/09 14:33:13

Moved to CentOS 6 Security forum.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

tsrini
Posts: 24
Joined: 2018/04/06 13:25:09

Re: Spectre Variant 2 on CentOS 6.8

Post by tsrini » 2018/08/16 11:03:56

Hi,

I'm using CentOS 6.5. With the latest kernel and dracut patches below, it seems all 3 variants (Spectre Variant 1 & 2, Meltdown) are fixed.

kernel-2.6.32-754.2.1.el6.x86_64
kernel-firmware-2.6.32-754.2.1.el6.noarch

dracut-kernel-004-411.el6.noarch
dracut-004-411.el6.noarch

The spectre checker script shows the below:

Code:

Spectre and Meltdown mitigation detection tool v0.36+

Checking for vulnerabilities on current system
Kernel is Linux 2.6.32-754.3.5.el6.x86_64 #1 SMP Tue Aug 14 20:46:41 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU           L5518  @ 2.13GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 26 stepping 5 ucode 17)
* CPU vulnerability to the three speculative execution attack variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  YES
> STATUS:  NOT VULNERABLE  (Mitigation: Load fences)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel has branch predictor hardening (ARM):  NO
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES  (found 'CONFIG_PAGE_TABLE_ISOLATION=y')
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
[root@c3bng-src2 spectre-meltdown-checker-master]#

Is the Spectre Variant 2 fixed in recent kernel/dracut patches?

Regards,
Srini

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Spectre Variant 2 on CentOS 6.8

Post by TrevorH » 2018/08/16 12:00:36

Don't use 6.5, it's more than 5 years old and riddled with security bugs. Run a yum update to get the rest of your server up to date. There are many much more important and exploitable vulnerabilities in 6.5 than just meltdown/spectre.

tsrini
Posts: 24
Joined: 2018/04/06 13:25:09

Re: Spectre Variant 2 on CentOS 6.8

Post by tsrini » 2018/08/17 08:26:41

Yes, we have CentOS upgrade in pipeline and it involves huge effort in porting our product/deployment. We will be working on it.

Just to understand the recent changes in the kernel patches: the earlier versions of the kernel & dracut patches (kernel-2.6.32-696.18.7.el6.x86_64,
kernel-firmware-2.6.32-696.18.7.el6.noarch, dracut-kernel-004-409.el6_8.2.noarch, dracut-004-409.el6_8.2.noarch) hadn't fixed Spectre Variant 2, but the recent ones fixed it (without any BIOS / Intel patch).

Is Spectre Variant 2 specifically addressed in recent kernel / dracut patches?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Spectre Variant 2 on CentOS 6.8

Post by TrevorH » 2018/08/17 09:08:48

viewtopic.php?f=17&t=65800

As far as I know, nothing has changed and you need updated microcode to fix everything (that's currently publicly known).

tsrini
Posts: 24
Joined: 2018/04/06 13:25:09

Re: Spectre Variant 2 on CentOS 6.8

Post by tsrini » 2018/08/17 11:12:56

Ok Thank you.

polax
Posts: 3
Joined: 2015/11/24 07:35:11

Re: Spectre Variant 2 on CentOS 6.8

Post by polax » 2018/08/17 18:46:38

Does a "yum update" fix this? If not, where can I see the list of microcode and any instructions to apply them?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Spectre Variant 2 on CentOS 6.8

Post by TrevorH » 2018/08/18 09:55:58

That depends on what processor you have. The RHEL microcode_ctl package ships updated microcode but they can only ship what Intel has made available and they haven't fixed every processor that was ever released. If you yum update then you will get the latest kernel and the latest microcode_ctl package too. Once you reboot into those you should have as much fixed as it's currently possible to fix.
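A way to check the two things this thread keeps coming back to after the yum update and reboot: the kernel's own spectre_v2 verdict from /sys, and whether the CPU flags show that microcode with IBRS/IBPB support has actually arrived (the retpoline verdict in tsrini's output is software-only and needs no microcode). This is an added example, not a script from the thread or from spectre-meltdown-checker; it assumes the standard Linux paths /proc/cpuinfo and /sys/devices/system/cpu/vulnerabilities/spectre_v2 and the flag names spec_ctrl/ibpb that the kernel reports once microcode adds that support, and the sample data it runs on is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the Spectre v2 state after
# "yum update" + reboot from two places the kernel exposes. The sysfs file and
# /proc/cpuinfo paths are the standard Linux ones; the flag names spec_ctrl/ibpb
# are the ones the kernel reports when microcode adds IBRS/IBPB support.

# "microcode" if the CPU flags advertise IBRS/IBPB support, else "none".
# $1 = path to a /proc/cpuinfo-style file
ucode_support() {
    if grep -qE '^flags[[:space:]]*:.*[[:space:]](spec_ctrl|ibpb)([[:space:]]|$)' "$1"
    then echo microcode; else echo none; fi
}

# Classify the kernel's own verdict.  $1 = path to .../vulnerabilities/spectre_v2
v2_status() {
    s=$(cat "$1" 2>/dev/null) || { echo unknown; return; }
    case "$s" in
        Vulnerable*)          echo vulnerable ;;
        *retpoline*)          echo retpoline ;;   # software-only, no microcode needed
        *IBRS*|*Enhanced*)    echo ibrs ;;        # needs SPEC_CTRL MSR from microcode
        Mitigation*)          echo other ;;
        *)                    echo unknown ;;
    esac
}

# Print one line per check; $1 = cpuinfo path, $2 = spectre_v2 sysfs path
report() {
    printf 'spectre_v2 kernel status : %s\n' "$(v2_status "$2")"
    printf 'CPU microcode (IBRS/IBPB): %s\n' "$(ucode_support "$1")"
}

# Constructed sample mirroring the checker output in the thread: retpoline
# kernel on a Xeon L5518 whose microcode (0x11 = ucode 17) lacks IBRS/IBPB.
TMP=$(mktemp -d)
cat > "$TMP/cpuinfo" <<'EOF'
processor   : 0
model name  : Intel(R) Xeon(R) CPU           L5518  @ 2.13GHz
microcode   : 0x11
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush mmx fxsr sse sse2 ht syscall nx lm
EOF
printf 'Mitigation: Full retpoline\n' > "$TMP/spectre_v2"

report "$TMP/cpuinfo" "$TMP/spectre_v2"
# On a live box: report /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities/spectre_v2
```

If the second line still says none after updating microcode_ctl and rebooting, Intel has not shipped microcode for that CPU, which is the situation chemal and TrevorH describe.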
