Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

[James Wallen <jpwallen@comcast.net>]

On 1/9/21 9:48 AM, Christoph Pflügler wrote:
> On 08.01.21 23:40, Michael Stone wrote:
> > On Fri, Jan 08, 2021 at 10:48:30PM +0100, Christoph Pflügler wrote:
> > > On 08.01.21 22:34, Michael Stone wrote:
> > > > On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
> > > > > Installing package intel-microcode in Debian 10 (Buster) mitigates 
> > > > > most vulnerabilities as per spectre-meltdown-checker. However, 
> > > > > CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated 
> > > > > after reboot, with spectre-meltdown-checker --explain (executed as 
> > > > > su) pointing to missing microcode upgrades.
> > > > >
> > > > > According to the Debian package description of intel-microcode, the 
> > > > > two vulnerabilities are fixed in the current version of the package.
> > > > >
> > > > > This occurs in exactly the same way on two different machines, one 
> > > > > with an i5-3320M CPU and another one with an E3-1235L v5.
> > > > >
> > > > > If I remember correctly, I was all green as per 
> > > > > spectre-meltdown-checker in Debian 9 (Stretch).
> > > >
> > > > What version of intel-microcode do you have installed?
> > > intel-microcode:amd64/buster 3.20200616.1~deb10u1 uptodate, installed 
> > > from Debian non-free repository
> >
> > With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 the 
> > checker reports green for those checks on my test system. Do you have 
> > the latest spectre-meltdown-checker, and are you running it as root? 
> > If I run the current version as an unprivileged user those checks come 
> > up red (presumably because it can't read the cpu registers it is 
> > trying to read).
> spectre-meltdown-checker:all/buster 0.42-1 uptodate, installed from 
> Debian repository.
>
> Yes, I executed it as root (su -> <passwd> -> spectre-meltdown-checker). 
> I get exactly the same results running it as an unprivileged user. This 
> is what spectre-meltdown-checker, run as root, shows for the two CVEs:
>
> CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
> * CPU microcode mitigates the vulnerability:  N/A
>  > STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is not 
> up to date)
>
> CVE-2018-3640 aka 'Variant 3a, rogue system register read'
> * CPU microcode mitigates the vulnerability:  NO
>  > STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to 
> mitigate this vulnerability)
>
> Linux version is also 4.19.0-13-amd64.
>
> Both my instances are (almost) fresh installations (GNOME) based on 
> recently released debian-10.7.0-amd64-netinst.iso.
I can confirm spectre-meltdown-checker reporting CVE-2018-3640 is not 
being mitigated by intel-microcode on a NUC6CAYS system, full-updated 
Bullseye/Sid. This is a Celeron system.

However, the same intel-microcode version on same OS does mitigate this 
vulnerability on NUC5i7RYH and NUC8i3BEH systems.