Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

On 13.01.21 23:49, Michael Stone wrote:
> On Wed, Jan 13, 2021 at 09:49:43PM +0100, Christoph Pflügler wrote:
>> [    0.000000] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
>> [    0.379026] SRBDS: Vulnerable: No microcode
>> [    1.625090] microcode: sig=0x506e3, pf=0x2, revision=0xd6
>> [    1.625215] microcode: Microcode Update Driver: v2.2.
>>
>> Seems like the microcode is applied to my CPUs. This is also supported by numerous other CVEs getting mitigated after intel-microcode installation.
>
> That's exactly the same signature I was testing with different results:
> microcode: sig=0x506e3, pf=0x2, revision=0xd6
>
> The only way I can get your results is to run unprivileged, but you said you weren't doing that. The checks for 3640 and 3615 are basically just looking for SSBD; in the top section the line that says "CPU indicates SSBD capability" presumably says something other than "YES (Intel SSBD)"?
>
>> I also tried the latest meltdown-spectre-checker (v0.44), the results are the same (plus another red 2020 CVE).
>
> This is presumably CVE-2020-0543; if you look at the changelog for intel-microcode it discusses that issue. You can install the backports version which should fix that at the risk of a boot failure.

You are absolutely right, the SSBD lines say the following (when executed as root):

  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  UNKNOWN  (is cpuid kernel module available?)
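As an added illustration (not part of this thread and not the checker's own code), the script below shows what that UNKNOWN means: the checker reads CPUID through /dev/cpu/0/cpuid, which exists only when the cpuid kernel module is loaded and is readable only by root, and the Intel SSBD bit it looks for is CPUID.(EAX=7,ECX=0):EDX[31]. The dd/od decoding relies on the assumed semantics of the Linux cpuid driver (byte offset = EAX input, 16-byte eax/ebx/ecx/edx records), and the /proc/cpuinfo and sysfs fallbacks are additions of mine.

```shell
#!/bin/sh
# Added example, not from this thread or from the checker itself.
# The checker reads CPUID through the cpuid kernel module's device node;
# without it (module not loaded, or not root) it cannot see the SSBD bit
# and reports UNKNOWN. The kernel's own verdict is still available via sysfs.

# Decode the Intel SSBD bit: CPUID.(EAX=7,ECX=0):EDX[31].
# $1 = EDX as a decimal or 0x hex number. Prints the checker-style verdict.
ssbd_from_leaf7_edx() {
    _edx=$(( $1 ))
    if [ $(( (_edx >> 31) & 1 )) -eq 1 ]; then
        echo "YES (Intel SSBD)"
    else
        echo "NO"
    fi
}

# Fallback that needs no module: the "ssbd" flag in /proc/cpuinfo.
# $1 = a "flags" line from /proc/cpuinfo. Prints YES or NO.
ssbd_from_cpuinfo_flags() {
    case " ${1#*:} " in
        *" ssbd "*) echo "YES" ;;
        *)          echo "NO" ;;
    esac
}

# Read EDX of CPUID leaf $1 (subleaf 0) through the cpuid device ($2,
# default /dev/cpu/0/cpuid). Assumed driver semantics: the byte offset is
# the EAX input and each 16-byte record holds eax, ebx, ecx, edx.
# Returns 2 when the device is unreadable (try: modprobe cpuid, run as root).
read_cpuid_edx() {
    _leaf=$(( $1 )); _dev=${2:-/dev/cpu/0/cpuid}
    [ -r "$_dev" ] || return 2
    _out=$(dd if="$_dev" bs=16 skip="$_leaf" iflag=skip_bytes count=1 2>/dev/null \
           | od -An -t u4 | awk '{ print $4 }')
    [ -n "$_out" ] || return 1
    echo "$_out"
}

# Run directly on a Linux host:
if _edx=$(read_cpuid_edx 7); then
    echo "CPU indicates SSBD capability: $(ssbd_from_leaf7_edx "$_edx")"
else
    echo "CPU indicates SSBD capability: UNKNOWN (is cpuid kernel module available?)"
fi
_sysfs=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
if [ -r "$_sysfs" ]; then
    echo "Kernel reports: $(cat "$_sysfs")"
fi
```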

