Spectre/Meltdown 3a and 4 still Vulnerable?

kevins7189
Posts: 7
Joined: 2016/09/13 21:52:40

Post by kevins7189 » 2018/05/29 16:46:53

I have a Dell R620 (not running a VM)
I was patched against the previous vulns with Bios 2.6.1, kernel-3.10.0-693.11.6.el7.x86_64, etc.
When the 3a and 4 came up, I updated to kernel 3.10.0-862.3.2.el7.x86_64 and related updates. When I updated there wasn't a new microcode. I noticed today there is one, microcode_ctl-2.1-29.2.el7_5.x86_64. Installed this and rebooted.
However, the spectre/meltdown checker script still says vulnerable. I diffed the updates in /lib/firmware/intel-ucode to the ones from intel (20180425) and they appear the same.
Logs show this
[ 2.076459] hostname kernel: microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
[ 11.332269] hostname systemd[1]: Starting Load CPU microcode update...
[ 11.709297] hostname systemd[1]: Started Load CPU microcode update.

I checked a server that did not have this update, and the weird thing is they both show the same revision of microcode:
microcode_ctl-2.1-22.5.el7_4.x86_64 - kernel: microcode: CPU31 sig=0x206d7, pf=0x1, revision=0x713
microcode_ctl-2.1-29.2.el7_5.x86_64 - kernel: microcode: CPU31 sig=0x206d7, pf=0x1, revision=0x713

So are the microcodes just not ready yet?

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)

> How to fix: The microcode of your CPU needs to be upgraded to mitigate this vulnerability. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). The microcode update is enough, there is no additional OS, kernel or software change needed.

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface: NO (Vulnerable)
* Kernel supports speculation store bypass: YES (found in /proc/self/status)
> STATUS: VULNERABLE (Your CPU doesn't support SSBD)

> How to fix: Your kernel is recent enough to use the CPU microcode features for mitigation, but your CPU microcode doesn't actually provide the necessary features for the kernel to use. The microcode of your CPU hence needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section).
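A way to answer the question in this post from the box itself, as an added example that is neither the poster's nor the checker script's code: the script parses the Intel microcode update headers in an intel-ucode blob, picks the newest revision applicable to the CPU named in the kernel log line quoted above (sig=0x206d7, pf=0x1) and reports whether the running revision already equals it. The blob builder and its BCD date are constructed for testing, extended-signature tables are not parsed, and the file for this CPU being /lib/firmware/intel-ucode/06-2d-07 (family 6, model 0x2d, stepping 7) is an assumption.

```python
import re
import struct
# Intel microcode update header: nine little-endian dwords plus 12 reserved bytes (48 total).
_HDR = struct.Struct("<IIIIIIIII12x")
_DMESG_RE = re.compile(r"sig=0x([0-9a-f]+), pf=0x([0-9a-f]+), revision=0x([0-9a-f]+)")

def parse_running(dmesg_line):
    m = _DMESG_RE.search(dmesg_line)
    if not m:
        raise ValueError("no microcode signature line found")
    return tuple(int(x, 16) for x in m.groups())

def iter_updates(blob):
    """Yield (sig, pf_mask, revision) for each update concatenated in an intel-ucode file."""
    off = 0
    while off + _HDR.size <= len(blob):
        hv, rev, _date, sig, _csum, _ldr, pf, dsize, tsize = _HDR.unpack_from(blob, off)
        if hv != 1:
            raise ValueError(f"bad header version {hv:#x} at offset {off}")
        if dsize == 0:                      # legacy encoding: 2000 data bytes, 2048 total
            tsize = 2048
        chunk = blob[off:off + tsize]
        if len(chunk) != tsize or tsize % 4:
            raise ValueError(f"truncated update at offset {off}")
        # Every dword of an update sums to zero mod 2^32; anything else is a corrupt blob.
        if sum(struct.unpack(f"<{tsize // 4}I", chunk)) & 0xFFFFFFFF:
            raise ValueError(f"checksum mismatch at offset {off}")
        yield sig, pf, rev
        off += tsize

def shipped_revision(blob, sig, pf):
    """Newest revision in blob for this CPU: same signature and its pf bit set in the mask."""
    revs = [rev for s, mask, rev in iter_updates(blob) if s == sig and mask & pf]
    return max(revs) if revs else None

def compare(dmesg_line, blob):
    sig, pf, running = parse_running(dmesg_line)
    shipped = shipped_revision(blob, sig, pf)
    if shipped is None:
        return f"no update for sig={sig:#x} pf={pf:#x} in blob"
    if shipped > running:
        return f"firmware ships {shipped:#x} but CPU runs {running:#x}: not loaded"
    return f"running {running:#x} is the newest shipped for this CPU"

def build_update(sig, pf, rev):
    """Constructed test update (zero data body, made-up BCD date) with a valid checksum."""
    body = bytes(2000)
    hdr = _HDR.pack(1, rev, 0x04252018, sig, 0, 1, pf, 0, 0)
    csum = (-sum(struct.unpack("<512I", hdr + body))) & 0xFFFFFFFF
    return _HDR.pack(1, rev, 0x04252018, sig, csum, 1, pf, 0, 0) + body
```

On a real host, pass `open("/lib/firmware/intel-ucode/06-2d-07", "rb").read()` and the `kernel: microcode: CPU31 sig=...` line from dmesg to `compare()`; "newest shipped" with an unchanged revision means the package simply does not carry a newer update for this CPU yet, while "not loaded" points at the early-load path instead.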
