Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

To: debian-security@lists.debian.org
Subject: Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
From: Giacomo Catenazzi <cate@debian.org>
Date: Tue, 12 Jan 2021 17:25:23 +0100
Message-id: <[🔎] 3423c1e0-ec0d-627e-d201-9df0d54c22c4@debian.org>
In-reply-to: <[🔎] c81d4d4b-547d-201a-95ff-d7ec9a5cbec7@comcast.net>
References: <[🔎] a9259825-b7ea-8d38-e729-046fe2cba6da@pfluegler.net> <[🔎] 415c3e8c-51f9-11eb-9b6a-00163eeb5320@msgid.mathom.us> <[🔎] a27a1b08-274d-17f2-f68b-62cc67d15bc0@pfluegler.net> <[🔎] 3c335fd2-5201-11eb-9b6a-00163eeb5320@msgid.mathom.us> <[🔎] 5ba315a2-8b51-a869-d9e8-830f5b875f04@pfluegler.net> <[🔎] c81d4d4b-547d-201a-95ff-d7ec9a5cbec7@comcast.net>


On 09.01.2021 20:42, James Wallen wrote:

On 1/9/21 9:48 AM, Christoph Pflügler wrote:
With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 thechecker reports green for those checks on my test system. Do you havethe latest spectre-meltdown-checker, and are you running it as root?If I run the current version as an unprivileged user those checkscome up red (presumably because it can't read the cpu registers it istrying to read).
spectre-meltdown-checker:all/buster 0.42-1 uptodate, installed fromDebian repository.
Yes, I executed it as root (su -> <passwd> ->spectre-meltdown-checker). I get exactly the same results running itas an unprivileged user. This is what spectre-meltdown-checker, run asroot, shows for the two CVEs:
CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  N/A
> STATUS: VULNERABLE (your CPU supports SGX and the microcode isnot up to date)
CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed tomitigate this vulnerability)
Linux version is also 4.19.0-13-amd64.
Both my instances are (almost) fresh installations (GNOME) based onrecently released debian-10.7.0-amd64-netinst.iso.
I can confirm spectre-meltdown-checker reporting CVE-2018-3640 is notbeing mitigated by intel-microcode on a NUC6CAYS system, full-updatedBullseye/Sid. This is a Celeron system.
However, the same intel-microcode version on same OS does mitigate thisvulnerability on NUC5i7RYH and NUC8i3BEH systems.

intel-microcode contains a lot of microcodes, for many Intel chips. Fromyour mail, it seems that Intel forgot to include microcode for some CPUs(it happened in past).

Could you check in dmesg, if microcode is applied on your CPU, and whichversion was applied?

In any case, according Intel, microcode should be updated by BIOS, andnot by OS, so you may need to check your BIOS provider for updates, tomitigate vulnerability until we get all microcodes from Intel.


ciao
    cate

Reply to:

Follow-Ups:
- Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
  - From: Michael Stone <mstone@debian.org>

References:
- intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
  - From: Christoph Pflügler <christoph@pfluegler.net>
- Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
  - From: Michael Stone <mstone@debian.org>
- Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
  - From: Christoph Pflügler <christoph@pfluegler.net>
- Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
  - From: Michael Stone <mstone@debian.org>
- Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
  - From: Christoph Pflügler <christoph@pfluegler.net>
- Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
  - From: James Wallen <jpwallen@comcast.net>

Prev by Date: Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
Next by Date: Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
Previous by thread: Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
Next by thread: Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
Index(es):
- Date
- Thread