[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

On 09.01.2021 20:42, James Wallen wrote:
On 1/9/21 9:48 AM, Christoph Pflügler wrote:

With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 the checker reports green for those checks on my test system. Do you have the latest spectre-meltdown-checker, and are you running it as root? If I run the current version as an unprivileged user those checks come up red (presumably because it can't read the cpu registers it is trying to read).

spectre-meltdown-checker:all/buster 0.42-1 uptodate, installed from Debian repository.

Yes, I executed it as root (su -> <passwd> -> spectre-meltdown-checker). I get exactly the same results running it as an unprivileged user. This is what spectre-meltdown-checker, run as root, shows for the two CVEs:

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  N/A
 > STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is not up to date)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  NO
 > STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

Linux version is also 4.19.0-13-amd64.

Both my instances are (almost) fresh installations (GNOME) based on recently released debian-10.7.0-amd64-netinst.iso.

I can confirm spectre-meltdown-checker reporting CVE-2018-3640 is not being mitigated by intel-microcode on a NUC6CAYS system, full-updated Bullseye/Sid. This is a Celeron system.

However, the same intel-microcode version on same OS does mitigate this vulnerability on NUC5i7RYH and NUC8i3BEH systems.

intel-microcode contains a lot of microcodes, for many Intel chips. From your mail, it seems that Intel forgot to include microcode for some CPUs (it happened in past).

Could you check in dmesg, if microcode is applied on your CPU, and which version was applied?

In any case, according Intel, microcode should be updated by BIOS, and not by OS, so you may need to check your BIOS provider for updates, to mitigate vulnerability until we get all microcodes from Intel.


Reply to: