Get the most out of your Centmin Mod LEMP stack
Become a Member

Security Microarchitectural Data Sampling (MDS) Speculative Execution Side Channel Vulnerability (Zombieload)

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, May 15, 2019.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    On May 14th 2019, Intel released a statement regarding Microarchitectural Data Sampling (MDS) Speculative Execution Side Channel Vulnerability named, Zombieload which affects Cloud VPS providers like DigitalOcean, Vultr, Linode, Upcloud etc using older Intel cpus.

    Intel's newest 8th and 9th Generation Intel Core processors, as well as the 1st Generation Intel Xeon Scalable Processor Family are also affected according to Intel. So we will expect cloud VPS hosting providers will be contacting their customers to inform them of their plans and steps to mitigate MDS side channel vulnerability via microcode updates and Linux Kernel updates. So yes you will need to do yum update when new Linux Kernels are available and do server reboot.

    For desktop/laptop users, their manufacturers would also have updates, bios/firmware level updates and operating system updates for this I suspect.

    RedHat & CentOS Kernel Updates For MDS Vulnerabilities



    Redhat & CentOS Kernel Updates are starting to show up in YUM repositories for MDS Vulnerabilities. Note the Kernel updates themselves require a server reboot however to fill fix this, you'd need web host's to also update the bios/microcode updates to their servers which also require a reboot/downtime. For OpenVZ VPS users, you're Linux Kernel is derived from VPS host node's Kernel so you need for your web host to update their Linux Kernels which may involve server reboots as OpenVZ VPS users have no control over Linux Kernel they use unlike KVM/Xen/VMware or bare metal server users.

    From MDS - Microarchitectural Data Sampling - CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 - Red Hat Customer Portal where RedHat mentions also imply CentOS. Both CentOS 6 and 7 are affected.

    Example for CentOS 7 yum list update listing available updates
    Code (Text):
    yum list updates

    Code (Text):
    glibc.x86_64                  2.17-260.el7_6.5                  updates         
    glibc-common.x86_64           2.17-260.el7_6.5                  updates         
    glibc-devel.x86_64            2.17-260.el7_6.5                  updates         
    glibc-headers.x86_64          2.17-260.el7_6.5                  updates         
    kernel.x86_64                 3.10.0-957.12.2.el7               updates         
    kernel-devel.x86_64           3.10.0-957.12.2.el7               updates         
    kernel-headers.x86_64         3.10.0-957.12.2.el7               updates         
    kernel-tools.x86_64           3.10.0-957.12.2.el7               updates         
    kernel-tools-libs.x86_64      3.10.0-957.12.2.el7               updates         
    microcode_ctl.x86_64          2:2.1-47.2.el7_6                  updates
    

    Run yum update
    Code (Text):
    yum -y update

    Then reboot server for Linux Kernel update to take effect and verify with command
    Code (Text):
    uname -r

    Code (Text):
    uname -r
    3.10.0-957.12.2.el7.x86_64
    


    More Info



    From Phoronix
    From Redhat MDS - Microarchitectural Store Buffer Data - CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 - Red Hat Customer Portal
    From DigitalOcean
    From ZombieLoad Attack
    From https://mdsattacks.com/
    Redhat video explaining MDS Side Channel Vulnerability


     
    Last edited: May 15, 2019
  2. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    From Zdnet Intel CPUs impacted by new Zombieload side-channel attack | ZDNet

     
  3. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Microsoft Windows https://support.microsoft.com/en-au...ct-against-speculative-execution-side-channel

     
  4. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    From https://www.securityweek.com/new-class-data-leaking-vulnerabilities-impact-intel-cpus

     
  5. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    From https://mdsattacks.com/ exploit demos for three RIDL exploits in action, leaking the root password hash from an unprivileged user, sensitive data from the Linux OS kernel, and JavaScript







    MDS Tool from RIDL Team

    Verify whether your system is vulnerable today with our MDS tool.
    FAQ

     
  6. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Conflicting info as to which cpus are affected https://twitter.com/IanColdwater/status/1128409938441564160

    From INTEL-SA-00233

    From linked PDF does look like 8th & 9th generation Intel & 1st generation Intel Xeon Scalable Skylake cpus are affected too

    upload_2019-5-15_15-57-39.png
    upload_2019-5-15_15-58-23.png
    upload_2019-5-15_15-58-52.png
    upload_2019-5-15_16-0-17.png
     
  7. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Linux Kernel updates starting to show up for MSD mitigation fixes which need to work with microcode firmware updates with server manufacturers according to Phoronix https://www.phoronix.com/scan.php?page=news_item&px=MDS-Kernel-Fixes. There's supposedly another 10% performance penalty with the updated Kernel fixes which Phoronix will benchmark test.
    For Redhat and CentOS, they will usually backport such MDS mitigation fixes into their 2.6.32/3.10 Linux Kernel with minor version increments so need to keep an eye out for those.
     
  8. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    From Linode Intel’s MDS (ZombieLoad) CPU Vulnerabilities & Linode

     
  9. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    More info as Apple, Microsoft, Google and Amazon release patch updates Apple, Amazon, Google, Microsoft and Mozilla release patches for ZombieLoad chip flaws – TechCrunch

    From https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates

     
  10. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Ouch patches for MDS vulnerabilities have a measurable overhead cost for performance https://www.phoronix.com/scan.php?page=news_item&px=MDS-Zombieload-Initial-Impact

     
  11. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Seems conflicting info is due to cpu revision steppings so a cpu model can have stepping revisions over time, only older cpu stepping revisions in 8th and 9th generation Intel cpus are vulnerable https://www.phoronix.com/forums/for...ping-hyper-threading-on?p=1099466#post1099466
     
  12. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    RedHat & CentOS Kernel Updates For MDS Vulnerabilities



    Redhat & CentOS Kernel Updates are starting to show up in YUM repositories for MDS Vulnerabilities. Note the Kernel updates themselves require a server reboot however to fill fix this, you'd need web host's to also update the bios/microcode updates to their servers which also require a reboot/downtime. For OpenVZ VPS users, you're Linux Kernel is derived from VPS host node's Kernel so you need for your web host to update their Linux Kernels which may involve server reboots as OpenVZ VPS users have no control over Linux Kernel they use unlike KVM/Xen/VMware or bare metal server users.

    From MDS - Microarchitectural Data Sampling - CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 - Red Hat Customer Portal where RedHat mentions also imply CentOS. Both CentOS 6 and 7 are affected.

    Example for CentOS 7 yum list update listing available updates
    Code (Text):
    yum list updates

    Code (Text):
    glibc.x86_64                  2.17-260.el7_6.5                  updates         
    glibc-common.x86_64           2.17-260.el7_6.5                  updates         
    glibc-devel.x86_64            2.17-260.el7_6.5                  updates         
    glibc-headers.x86_64          2.17-260.el7_6.5                  updates         
    kernel.x86_64                 3.10.0-957.12.2.el7               updates         
    kernel-devel.x86_64           3.10.0-957.12.2.el7               updates         
    kernel-headers.x86_64         3.10.0-957.12.2.el7               updates         
    kernel-tools.x86_64           3.10.0-957.12.2.el7               updates         
    kernel-tools-libs.x86_64      3.10.0-957.12.2.el7               updates         
    microcode_ctl.x86_64          2:2.1-47.2.el7_6                  updates
    

    Run yum update
    Code (Text):
    yum -y update

    Then reboot server for Linux Kernel update to take effect and verify with command
    Code (Text):
    uname -r

    Code (Text):
    uname -r
    3.10.0-957.12.2.el7.x86_64
    
     
  13. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Phoronix benchmarks for The Performance Impact Of MDS / Zombieload Plus The Overall Cost Now Of Spectre/Meltdown/L1TF/MDS.

     
  14. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    More Phoronix benchmarks A Look At The MDS Cost On Xeon, EPYC & Xeon Total Impact Of Affected CPU Vulnerabilities

     
  15. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    More from Phoronix https://www.phoronix.com/scan.php?page=news_item&px=Haswell-Xeon-Zombie-Load-Ref

     
  16. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Phoronix has more wonderful benchmarks of how the MDS/Zombieload mitigations negatively affect performance at https://www.phoronix.com/scan.php?page=article&item=sandy-fx-zombieload&num=1
     
  17. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Interesting write up by Techspot How Screwed is Intel without Hyper-Threading?

     
  18. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    LOL this tweet from Intel sounds like they're preparing for a world where disabling Intel Hyperthreading to mitigate MDS/zombieload security vulnerabilities https://twitter.com/IntelBusiness/status/1132813701772394499 :LOL:
     
  19. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Latest Upcloud newsletter regarding MDS/Zombieload mitigation - wow they even disabled Intel Hyper-Threading !

     
  20. eva2000

    eva2000 Administrator Staff Member

    53,150
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    6:33 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
Thread Status:
Not open for further replies.