198 lines
7.4 KiB
Text
198 lines
7.4 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-19:07.mds Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Microarchitectural Data Sampling (MDS)
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2019-05-14
|
|
Credits: Refer to Intel's security advisory at the URL below for
|
|
detailed acknowledgements.
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
|
|
2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
|
|
2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
|
|
2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
|
|
CVE Name: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
|
|
CVE-2019-11091
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
Modern processors make use of speculative execution, an optimization
|
|
technique which performs some action in advance of knowing whether the
|
|
result will actually be used.
|
|
|
|
II. Problem Description
|
|
|
|
On some Intel processors utilizing speculative execution a local process may
|
|
be able to infer stale information from microarchitectural buffers to obtain
|
|
a memory disclosure.
|
|
|
|
III. Impact
|
|
|
|
An attacker may be able to read secret data from the kernel or from a
|
|
process when executing untrusted code (for example, in a web browser).
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
Systems with users or processors in different trust domains should disable
|
|
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:
|
|
|
|
# echo 'machdep.hyperthreading_allowed=0 >> /boot/loader.conf'
|
|
# shutdown
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
|
|
stable or release / security branch (releng) dated after the correction date,
|
|
evaluate mitigation and Hyper Threading controls, and reboot the system.
|
|
|
|
New CPU microcode may be available in a BIOS update from your system vendor,
|
|
or by installing the devcpu-data package or sysutils/devcpu-data port.
|
|
Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.
|
|
|
|
If using the package or port the microcode update can be applied at boot time
|
|
by adding the following lines to the system's /boot/loader.conf:
|
|
|
|
cpu_microcode_load="YES"
|
|
cpu_microcode_name="/boot/firmware/intel-ucode.bin"
|
|
|
|
Microcode updates can also be applied while the system is running. See
|
|
cpucontrol(8) for details.
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Follow additional details under "Mitigation Configuration" below.
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 12.0-STABLE]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
|
|
# gpg --verify mds.12-stable.patch.asc
|
|
|
|
[FreeBSD 12.0-RELEASE]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
|
|
# gpg --verify mds.12.0.patch.asc
|
|
|
|
[FreeBSD 11.3-PRERELEASE]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
|
|
# gpg --verify mds.11-stable.patch.asc
|
|
|
|
[FreeBSD 11.2-RELEASE]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
|
|
# gpg --verify mds.11.2.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>.
|
|
|
|
Mitigation Configuration
|
|
|
|
Systems with users, processes, or virtual machines in different trust
|
|
domains should disable Hyper-Threading by setting the
|
|
machdep.hyperthreading_allowed tunable to 0:
|
|
|
|
# echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf
|
|
|
|
To activate the MDS mitigation set the hw.mds_disable sysctl. The settings
|
|
are:
|
|
|
|
0 - mitigation disabled
|
|
1 - VERW instruction (microcode) mitigation enabled
|
|
2 - Software sequence mitigation enabled (not recommended)
|
|
3 - Automatic VERW or Software selection
|
|
|
|
Automatic mode uses the VERW instruction if supported by the CPU / microcode,
|
|
or software sequences if not. To enable automatic mode at boot:
|
|
|
|
# echo hw.mds_disable=3 >> /etc/sysctl.conf
|
|
|
|
Reboot the system:
|
|
|
|
# shutdown -r +10min "Security update"
|
|
|
|
Check the mitigation status:
|
|
|
|
# sysctl hw.mds_disable_state
|
|
hw.mds_disable_state: software Silvermont
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r347567
|
|
releng/12.0/ r346594
|
|
stable/11/ r347568
|
|
releng/11.2/ r347595
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html>
|
|
<URL:https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:07.mds.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzcFgRfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cLmcw//cAwFw1SkYL3uFd0nTTnIltrzwTkMkxAFRjsxN5XxOJDEVJfygFHzlFhr
|
|
TxiFRN+QdE5NQt7HWDB7d1BXnmnIRiL6dqrrL+odPNeh9Wsh3Ft6NUxn8I6/wC4g
|
|
O77VYLj5OdhYT6D9PnbIucDBSdNH555Tfmz0eTDY24iVmWw7c1GfYozpl1cEk/Bh
|
|
+jgMH5rQZ30v7dKANGTeF0pQeAZaK9NZBWb86NlSy+FYyDu7KS1oEms4hGdQosYU
|
|
ZEBVV4uxBVFx3RRQuZM3z/+M9GrpliyHKGmNBX97u975oQ1k66pK6r1lxp+odVoa
|
|
UO0YROQ/pepOVmutNHz+8Y953qLaaolNwy+SxpqkEDhjlD6sbwV+ErqbfoCuEnsb
|
|
N0a7t52VEqkd3Cnivrd6dJpGtNsYPhruSXIXjRrKhI1fOnJbC/cw1as7WwXx5TdM
|
|
471ErTqZuNAcwAUT7Ve7kxNpWk+Lii2lprf+YfrZRk7pqcgmiMurIBAcKys7Skb/
|
|
dCGMckAU9hiUZMmiNuxV33m233zmRB7otHnHSXmmm9/SKCGeUw/OSKugtHGQ/6gJ
|
|
2ZQkWCPrL71CRwMzBRtwSCvG6YfTYIZ1gw48r2JzUGg11Urj2pXqRlYGNT7YGHGF
|
|
EOKQqSsU9I4CBfI9munJkNJI+Fpghnjpx2lK5w3rbcnkJI9CDzc=
|
|
=jH3H
|
|
-----END PGP SIGNATURE-----
|