Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
On 09.01.2021 20:42, James Wallen wrote:
On 1/9/21 9:48 AM, Christoph Pflügler wrote:
I can confirm that spectre-meltdown-checker reports CVE-2018-3640 is not
being mitigated by intel-microcode on a NUC6CAYS system, fully updated
Bullseye/Sid. This is a Celeron system.
spectre-meltdown-checker:all/buster 0.42-1 up to date, installed from
With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 the
checker reports green for those checks on my test system. Do you have
the latest spectre-meltdown-checker, and are you running it as root?
If I run the current version as an unprivileged user those checks
come up red (presumably because it can't read the cpu registers it is
trying to read).
Yes, I executed it as root (su -> <passwd> ->
spectre-meltdown-checker). I get exactly the same results running it
as an unprivileged user. This is what spectre-meltdown-checker, run as
root, shows for the two CVEs:
CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability: N/A
> STATUS: VULNERABLE (your CPU supports SGX and the microcode is
not up to date)
CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to
mitigate this vulnerability)
Linux version is also 4.19.0-13-amd64.
Both my instances are (almost) fresh installations (GNOME) based on
recently released debian-10.7.0-amd64-netinst.iso.
However, the same intel-microcode version on same OS does mitigate this
vulnerability on NUC5i7RYH and NUC8i3BEH systems.
intel-microcode contains a lot of microcode updates, for many Intel chips. From
your mail, it seems that Intel forgot to include microcode for some CPUs
(it has happened in the past).
Could you check in dmesg whether microcode was applied on your CPU, and
which version was applied?
In any case, according to Intel, microcode should be updated by the BIOS and
not by the OS, so you may need to check with your BIOS provider for updates to
mitigate the vulnerability until we get all microcodes from Intel.
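The check asked for above (did the kernel apply a microcode update to this CPU, and for which CPU signature?) can be scripted. The following is an added example, not something posted in this thread or shipped with intel-microcode: it parses the "microcode" lines the kernel prints in dmesg and the "cpu family"/"model"/"stepping"/"microcode" fields from /proc/cpuinfo, and computes the CPUID signature (CPUID.1:EAX) that the intel-microcode package and Intel's release notes use to identify a CPU. All sample input in the block is constructed for illustration (the signature 0x506c9, the revision values and the dmesg lines do not come from any system in the thread); `--live` reads the real /proc/cpuinfo and dmesg instead.

```shell
#!/bin/sh
# Added example, not from the thread: which microcode revision is running,
# did the OS (intel-microcode via the kernel) apply it, and for which CPUID
# signature should a missing update be reported?

# Build the Intel CPUID signature from the combined "cpu family", "model"
# and "stepping" values /proc/cpuinfo prints. Families 6 and 15 carry the
# extended model nibble folded into the model field; a family above 15 is
# base family 15 plus the extended family field.
intel_signature() {
    fam=$1; mod=$2; step=$3
    if [ -z "$fam" ] || [ -z "$mod" ] || [ -z "$step" ]; then
        echo unknown; return 1
    fi
    if [ "$fam" -gt 15 ]; then ext_fam=$((fam - 15)); base_fam=15
    else ext_fam=0; base_fam=$fam; fi
    if [ "$base_fam" -eq 6 ] || [ "$base_fam" -eq 15 ]; then
        ext_mod=$((mod >> 4)); base_mod=$((mod & 15))
    else ext_mod=0; base_mod=$mod; fi
    printf '0x%x\n' $(( (ext_fam << 20) | (ext_mod << 16) | (base_fam << 8) | (base_mod << 4) | step ))
}

# Revision the kernel itself applied: only the "updated ... to revision"
# lines count. The per-CPU "sig=..., revision=..." lines are printed for
# whatever revision is loaded, including one the BIOS loaded.
dmesg_updated_revision() {
    sed -n 's/.*microcode.*updated.*to revision \(0x[0-9a-fA-F][0-9a-fA-F]*\).*/\1/p' | tail -n 1
}

# Revision currently loaded on the first CPU, whoever loaded it.
cpuinfo_revision() {
    sed -n 's/^microcode[[:space:]]*:[[:space:]]*\(0x[0-9a-fA-F][0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Family/model/stepping of the first CPU turned into a signature.
cpuinfo_signature() {
    text=$(cat)
    fam=$(printf '%s\n' "$text" | sed -n 's/^cpu family[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    mod=$(printf '%s\n' "$text" | sed -n 's/^model[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    step=$(printf '%s\n' "$text" | sed -n 's/^stepping[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    intel_signature "$fam" "$mod" "$step"
}

# Print signature, running revision and kernel-applied revision. Exit status
# 0 means the OS-side update reached this CPU; 1 means dmesg has no update
# line, so the running revision is whatever the BIOS loaded and the
# signature is what to report so the missing image can be identified.
microcode_status() {
    cpuinfo=$1; dmesg_text=$2
    sig=$(printf '%s\n' "$cpuinfo" | cpuinfo_signature)
    running=$(printf '%s\n' "$cpuinfo" | cpuinfo_revision)
    applied=$(printf '%s\n' "$dmesg_text" | dmesg_updated_revision)
    printf 'signature=%s running_revision=%s kernel_applied=%s\n' \
        "$sig" "${running:-unknown}" "${applied:-none}"
    [ -n "$applied" ]
}

# Constructed /proc/cpuinfo excerpt (illustrative values only).
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 92
model name	: constructed sample CPU
stepping	: 9
microcode	: 0x38
'
# Constructed dmesg excerpts in the format the 4.19 microcode driver uses.
SAMPLE_DMESG_UPDATED='[    0.000000] microcode: microcode updated early to revision 0x38, date = 2019-01-15
[    0.250000] microcode: sig=0x506c9, pf=0x1, revision=0x38
[    0.250100] microcode: Microcode Update Driver: v2.2.'
SAMPLE_DMESG_BIOS_ONLY='[    0.250000] microcode: sig=0x506c9, pf=0x1, revision=0x38
[    0.250100] microcode: Microcode Update Driver: v2.2.'

if [ "${1:-}" = "--live" ]; then
    # dmesg may need root depending on kernel.dmesg_restrict.
    microcode_status "$(cat /proc/cpuinfo)" "$(dmesg 2>/dev/null)"
else
    echo "sample 1, kernel applied an update:"
    microcode_status "$SAMPLE_CPUINFO" "$SAMPLE_DMESG_UPDATED" || true
    echo "sample 2, only a BIOS-loaded revision:"
    microcode_status "$SAMPLE_CPUINFO" "$SAMPLE_DMESG_BIOS_ONLY" || true
fi
```

With the signature in hand, `iucode_tool -S -l /lib/firmware/intel-ucode/` (iucode-tool package) lists which images in the installed intel-microcode match the running CPU; if none is listed, that is the case of a CPU missing from Intel's release, and the signature plus the two revisions above are what to include in the bug report.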