226 lines
8.8 KiB
Text
226 lines
8.8 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-19:07.mds Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Microarchitectural Data Sampling (MDS)
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2019-05-14
|
|
Credits: Refer to Intel's security advisory at the URL below for
|
|
detailed acknowledgements.
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
|
|
2019-05-15 13:44:27 UTC (releng/12.0, 12.0-RELEASE-p5)
|
|
2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
|
|
2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
|
|
CVE Name: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
|
|
CVE-2019-11091
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
0. Revision history
|
|
|
|
v1.0 2019-05-14 Initial release.
|
|
v1.1 2019-05-15 Fixed date on microcode update package.
|
|
v1.2 2019-05-15 Userland startup microcode update details added.
|
|
Add language specifying which manufacturers is affected.
|
|
v1.3 2019-05-15 Minor quoting nit for the HT disable loader config.
|
|
v2.0 2019-05-15 Rerelease 12.0-RELEASE patch as -p5 due to i386 panic bug.
|
|
|
|
I. Background
|
|
|
|
Modern processors make use of speculative execution, an optimization
|
|
technique which performs some action in advance of knowing whether the
|
|
result will actually be used.
|
|
|
|
II. Problem Description
|
|
|
|
On some Intel processors utilizing speculative execution a local process may
|
|
be able to infer stale information from microarchitectural buffers to obtain
|
|
a memory disclosure.
|
|
|
|
III. Impact
|
|
|
|
An attacker may be able to read secret data from the kernel or from a
|
|
process when executing untrusted code (for example, in a web browser).
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
Only Intel x86 based processors are affected. x86 processors from other
|
|
manufacturers (eg, AMD) are not believed to be vulnerable.
|
|
|
|
Systems with users or processors in different trust domains should disable
|
|
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:
|
|
|
|
# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
|
|
# shutdown -r +10min "Security update"
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
|
|
stable or release / security branch (releng) dated after the correction date,
|
|
evaluate mitigation and Hyper Threading controls, and reboot the system.
|
|
|
|
New CPU microcode may be available in a BIOS update from your system vendor,
|
|
or by installing the devcpu-data package or sysutils/devcpu-data port.
|
|
Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.
|
|
|
|
If using the package or port the Intel microcode update can be applied at
|
|
boot time (only on FreeBSD 12 and later) by adding the following lines to the
|
|
system's /boot/loader.conf:
|
|
|
|
cpu_microcode_load="YES"
|
|
cpu_microcode_name="/boot/firmware/intel-ucode.bin"
|
|
|
|
To automatically load microcode during userland startup (supported on all
|
|
FreeBSD versions), add the following to /etc/rc.conf:
|
|
|
|
microcode_update_enable="YES"
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Follow additional details under "Mitigation Configuration" below.
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[*** v2.0 NOTE *** Only applies to 12.0-RELEASE ***]
|
|
Due to an error in the 12.0-RELEASE affecting the i386 architecture, a new
|
|
set of patches is being released. If your 12.0-RELEASE sources are not yet
|
|
patched using the initially published patch, then you need to apply the
|
|
mds.12.0.patch. If your sources are already updated, or patched with the
|
|
patch from the initial advisory, then you need to apply the incremental
|
|
patch, named mds.12.0.p4p5.patch
|
|
|
|
[FreeBSD 12.0-STABLE]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
|
|
# gpg --verify mds.12-stable.patch.asc
|
|
|
|
[FreeBSD 12.0-RELEASE, not patched with initial SA-19:07.mds patch]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
|
|
# gpg --verify mds.12.0.patch.asc
|
|
|
|
[FreeBSD 12.0-RELEASE, patched with initial SA-19:07.mds patch]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.p4p5.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.p4p5.patch.asc
|
|
# gpg --verify mds.12.0.p4p5.patch.asc
|
|
|
|
[FreeBSD 11.3-PRERELEASE]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
|
|
# gpg --verify mds.11-stable.patch.asc
|
|
|
|
[FreeBSD 11.2-RELEASE]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
|
|
# gpg --verify mds.11.2.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>.
|
|
|
|
Mitigation Configuration
|
|
|
|
Systems with users, processes, or virtual machines in different trust
|
|
domains should disable Hyper-Threading by setting the
|
|
machdep.hyperthreading_allowed tunable to 0:
|
|
|
|
# echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf
|
|
|
|
To activate the MDS mitigation set the hw.mds_disable sysctl. The settings
|
|
are:
|
|
|
|
0 - mitigation disabled
|
|
1 - VERW instruction (microcode) mitigation enabled
|
|
2 - Software sequence mitigation enabled (not recommended)
|
|
3 - Automatic VERW or Software selection
|
|
|
|
Automatic mode uses the VERW instruction if supported by the CPU / microcode,
|
|
or software sequences if not. To enable automatic mode at boot:
|
|
|
|
# echo hw.mds_disable=3 >> /etc/sysctl.conf
|
|
|
|
Reboot the system:
|
|
|
|
# shutdown -r +10min "Security update"
|
|
|
|
Check the mitigation status:
|
|
|
|
# sysctl hw.mds_disable_state
|
|
hw.mds_disable_state: software Silvermont
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r347567
|
|
releng/12.0/ r347632
|
|
stable/11/ r347568
|
|
releng/11.2/ r347595
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html>
|
|
<URL:https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:07.mds.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzciUJfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cKc2w//UxEu2JWDEJnpGuYv/Hh+PAEsWjzG2mCuFmriF7//deJTbwWybJk0DXhU
|
|
n6HCdw47nG/uVaeVOw921BRpJMK9bqpqr80VXKturOacS6kaQmMCXS+ZyPytZT0K
|
|
XJIgM3QrHsUUd6FnCHZ6Z6PBRLWl72RvNm8b2ZUE32puALlEeDCcd9PP3pyPITgj
|
|
iU3gP05GafKzG/7liqQuWPffRqAq4oQyQYCjkRfBdPNlacACvbtAXNnDPnwkfIqg
|
|
Si2Svj2TDS0eTxC5fspQtdWkKru50ZHTFFsoNhT33uX9L1Yr8ui+ajRG0Zxd81fj
|
|
0YGGat9QhzF6R2dywU75wXRveM/VMXj2wy5/CWBVI9kY84SeqcDDdkksG3iMC63Q
|
|
ebkZF38kbZ85Xwpi3z2yHxw16yKg0pLNryW/GBp0xyJz5ivFhgpeFWEHfmjmiX+u
|
|
Ka0E5RgCHh/eNAihbU8XN9MLnHToaX3mlEM+He+YsAXCMutaiSKaFpUhEs7uVmqu
|
|
r8YIYLbxJcIfqrRyIJtn9RpWisxJfo/RVLyE3QDg7Pg5x6QeVysyuYkbeOdIk75e
|
|
KW5B0b3eKh8Xu0mZqexdL9Hb1kEii5RxbSU5qLYoKfkMSo4/dLKgJwYZH61EC5cP
|
|
dEj/KaIAdMA0VMi8XQfAsPIR4FKhKcd5tUazjBaW97WJjha0dog=
|
|
=StiT
|
|
-----END PGP SIGNATURE-----
|