Howto patch Spectre Vulnerability CVE-2017-5753/CVE-2017-5715 on Linux

last updated in Categories , , , , ,

A very serious security problem has been found in the Intel/AMD/ARM CPUs. Spectre CPU Vulnerability CVE-2017-5753/CVE-2017-5715 breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. How do I protect my Linux server and laptop/desktop against such attack?

A very serious security problem has been found and patched in the Linux kernel. It was announced on 3rd January 2018. It was independently discovered and reported by various teams including Google Project Zero. Spectre is harder to exploit than Meltdown CPU bug, but it is also harder to mitigate.

What is the Spectre security bug in Intel/AMD/ARM cpus?

From the Google blog:
So far, there are three known variants of the issue:

Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)

From RHEL page:
Howto patch Spectre Vulnerability CVE-2017-5753 CVE-2017-5715 on Linux

The first two variants abuse speculative execution to perform bounds-check bypass (CVE-2017-5753), or by utilizing branch target injection (CVE-2017-5715) to cause kernel code at an address under attacker control to execute speculatively. Collectively these are known as “Spectre”. Both variants rely upon the presence of a precisely-defined instruction sequence in the privileged code, as well as the fact that memory accesses may cause allocation into the microprocessor’s level 1 data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use these two flaws to read privileged memory by conducting targeted cache side-channel attacks. These variants could be used not only to cross syscall boundary (variant 1 and variant 2) but also guest/host boundary (variant 2).

A list of affected Linux distro by Spectre Vulnerabilitys

  1. Red Hat Enterprise Linux 5 (including clones such as CentOS/Oracle/Scientific Linux 5)
  2. Red Hat Enterprise Linux 6 (including clones such as CentOS/Oracle/Scientific Linux 6)
  3. Red Hat Enterprise Linux 7 (including clones such as CentOS/Oracle/Scientific Linux 7)
  4. RHEV-M 4.0
  5. RHEV-M for Servers
  6. Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
  7. Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
  8. Red Hat Enterprise MRG 2
  9. Red Hat OpenStack Platform v 8/9/10/11/12
  10. Debian Linux wheezy
  11. Debian Linux jessie
  12. Debian Linux stretch
  13. Deiban Linux buster, sid
  14. SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
  15. SUSE OpenStack Cloud 6
  16. Openstack Cloud Magnum Orchestration 7
  17. SUSE Container as a Service Platform ALL
  18. SUSE Linux Enterprise High Availability 12 SP2/SP3
  19. SUSE Linux Enterprise Live Patching 12
  20. SUSE Linux Enterprise Module for Public Cloud 12
  21. SUSE Linux Enterprise Server 11 SP3-LTSS
  22. SUSE Linux Enterprise Server 11 SP4
  23. SUSE Linux Enterprise Software Development Kit 11/12 SP3/SP4
  24. SUSE Linux Enterprise for SAP 12 SP1
  25. SUSE Linux Enterprise 11
  26. SUSE Linux Enterprise 12
  27. OpenSuse Linux based upon SUSE 12/11
  28. Fedora Linux 26
  29. Fedora Linux 27
  30. Amazon Linux AMI (Bulletin ID: ALAS-2018-939)

This page documents a current security event affecting many modern microprocessor designs. Information may change rapidly as the event progresses, and more info or commands added here soon. Please note that a patch for Debian/Ubuntu/CentOS/Fedora and many distros are not released yet. No patches are available for Spectre yet. The Linux kernel team is working on Retpoline. It will be released soon. When you run ‘apt-get upgrade’ or ‘yum update’ command make sure kernel package such as linux-image (Debian/Ubunt) kernel (RHEL) are updated. You also need microcode update from CPU vendor.

While the updates AWS/Google and other cloud performs protect underlying infrastructure, in order to be fully protected against these issues, you must also patch your instance operating systems including Linux distros, MS-Windows and desktop operating system such as macOS, Windows and more.

Before updating system…

First, always keep backups. Second, note down the Linux kernel version running the following command:
$ uname -r

Fix the Spectre on a CentOS/RHEL/Fedora/Oracle/Scientific Linux

Type the following yum command:
$ uname -r
3.10.0-693.11.1.el7.x86_64
$ sudo yum update

Sample outputs (from my RHEL 7.x box):

Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-693.11.6.el7 will be installed
---> Package kernel-tools.x86_64 0:3.10.0-693.11.1.el7 will be updated
---> Package kernel-tools.x86_64 0:3.10.0-693.11.6.el7 will be an update
---> Package kernel-tools-libs.x86_64 0:3.10.0-693.11.1.el7 will be updated
---> Package kernel-tools-libs.x86_64 0:3.10.0-693.11.6.el7 will be an update
--> Finished Dependency Resolution
 
Dependencies Resolved
 
=========================================================================================
 Package             Arch     Version               Repository                      Size
=========================================================================================
Installing:
 kernel              x86_64   3.10.0-693.11.6.el7   rhui-rhel-7-server-rhui-rpms    43 M
Updating:
 kernel-tools        x86_64   3.10.0-693.11.6.el7   rhui-rhel-7-server-rhui-rpms   5.1 M
 kernel-tools-libs   x86_64   3.10.0-693.11.6.el7   rhui-rhel-7-server-rhui-rpms   5.1 M
 
Transaction Summary
=========================================================================================
Install  1 Package
Upgrade  2 Packages
 
Total download size: 53 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): kernel-tools-3.10.0-693.11.6.el7.x86_64.rpm                | 5.1 MB  00:00:00     
(2/3): kernel-tools-libs-3.10.0-693.11.6.el7.x86_64.rpm           | 5.1 MB  00:00:00     
(3/3): kernel-3.10.0-693.11.6.el7.x86_64.rpm                      |  43 MB  00:00:00     
-----------------------------------------------------------------------------------------
Total                                                        65 MB/s |  53 MB  00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : kernel-tools-libs-3.10.0-693.11.6.el7.x86_64                          1/5 
  Updating   : kernel-tools-3.10.0-693.11.6.el7.x86_64                               2/5 
  Installing : kernel-3.10.0-693.11.6.el7.x86_64                                     3/5 
  Cleanup    : kernel-tools-3.10.0-693.11.1.el7.x86_64                               4/5 
  Cleanup    : kernel-tools-libs-3.10.0-693.11.1.el7.x86_64                          5/5 
  Verifying  : kernel-tools-libs-3.10.0-693.11.6.el7.x86_64                          1/5 
  Verifying  : kernel-tools-3.10.0-693.11.6.el7.x86_64                               2/5 
  Verifying  : kernel-3.10.0-693.11.6.el7.x86_64                                     3/5 
  Verifying  : kernel-tools-3.10.0-693.11.1.el7.x86_64                               4/5 
  Verifying  : kernel-tools-libs-3.10.0-693.11.1.el7.x86_64                          5/5 
 
Installed:
  kernel.x86_64 0:3.10.0-693.11.6.el7                                                    
 
Updated:
  kernel-tools.x86_64 0:3.10.0-693.11.6.el7                                              
  kernel-tools-libs.x86_64 0:3.10.0-693.11.6.el7                                         
 
Complete!

You must reboot your Linux server using shutdown/reboot command:
$ sudo reboot
$ uname -r
3.10.0-693.11.6.el7.x86_64

Verify all 3 CVEs (you must see output:
$ rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
Sample outputs:

- [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
....
...
- [x86] entry: Fix paranoid_exit() trampoline clobber (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Simplify trampoline stack restore code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
....
..
- [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] cpu/AMD: Make the LFENCE instruction serialized (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}

Run the following dnf command if you are using a Fedora Linux:
$ sudo dnf --refresh update kernel
OR
sudo dnf update
Reboot the Linux box:
$ sudo reboot

Fix the Spectre on a Debian/Ubuntu Linux

Use the following apt-get command/apt command:
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo shutdown -r 0

Fix the Spectre on an Amazon Linux running on AWS

Just run yum command:
# yum update kernel
# reboot

Fix the Spectre on an Arch Linux

Just run pacman command:
# pacman -Syu
# reboot

Spectre & Meltdown Checker

After reboot make sure your Linux server/box patched and not vulnerable any more with spectre-meltdown-checker.sh.

How to apply microcode update supplied by Intel on Linux

See “How to install/update Intel microcode firmware on Linux” for more info.

See also

This entry is 2 of 6 in the Processor/CPU Speculative Execution Patching on Linux Tutorial series. Keep reading the rest of the series:
  1. How to patch Meltdown CPU Vulnerability CVE-2017-5754 on Linux
  2. How to patch Spectre Vulnerability CVE-2017-5753/CVE-2017-5715 on Linux
  3. How to check Linux for Spectre and Meltdown vulnerability
  4. How to install/update Intel microcode firmware on Linux
  5. How to patch Meltdown vulnerability on OpenBSD Unix
  6. How to patch Meltdown and Spectre vulnerabilities on FreeBSD

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Share this on (or read 22 comments/add one below):

Notable Replies

  1. Patches for those are not out yet. They were just committed to upstream kernel version. You have to wait for it. You need microcode update too. In short to patch Spectre you need kernel update and microcode update from your CPU vendor or OEM (such as Dell/HP and so on).

Continue the discussion www.nixcraft.com

1 more reply

Participants

Historical Comment Archive

22 comment

  1. guys, the issue is still open for e.g. Debian. no patches available yet – so updating the system doesn’t help (yet). See: CVE-2017-5715

  2. As far as those links and documentation goes, execpt AWS,

    Red Hat/Centos and Debian/Ubuntu has no fix yet, your commands are good for when the fix come, would be worth to clarify for people who doesn’t read the references

    Kind Regards,

  3. Is there any tool/script that I can use to verify that the system is patched? I’m not sure if the kernel updates I’ve done solved it.

  4. for Ubuntu I believe you also have to run

    sudo apt-get dist-upgrade

    to get updated kernel. run before rebooting

  5. I run a system which is virtually never updated, and where I have complete confidence in the updates that are in fact being applied.

    I would not like to see any sort of performance loss due to patching this problem since it is extremely unlikely to ever affect me.

    So how do I avoid or blacklist this patch so I don’t get it if i apt-get update/upgrade?

  6. Yes, same here, Debian jessie.

    Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u1 (2017-06-18) x86_64 GNU/Linux
    And
    Linux abi 3.16.0-4-amd64 #1 SMP Debian 3.16.51-3 (2017-12-13) x86_64 GNU/Linux

    NO PATCH yet available

  7. It seems that the issue is also still open for RHEL as well, https://access.redhat.com/security/vulnerabilities/speculativeexecution and I haven’t yet seen any information about this patch being available for CentOS.

    This article will solve the problem once the updated kernels are available, but until then this post should indicate that a fix is not yet possible. Some users might just read it, update to a as-of-yet vulnerable kernel and then think they are done.

      1. No one is blaming you for anything. Just mentioning, as others have in the comments, that it would be helpful to list the kernel versions that include the fix.

  8. On Windows the problems have been solved with the update no. KB4056892. On Linux it’s a bit confused, some are saying that haven’t received the update yet.

  9. Hello All,

    Where I need to subscribe so I will all these notifications about latest security issues about linux kernel , SSL etc.

  10. for 5715, it still showing vulnerable after patching

    CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
    * Mitigation 1
    * Hardware (CPU microcode) support for mitigation
    * The SPEC_CTRL MSR is available: YES
    * The SPEC_CTRL CPUID feature bit is set: NO
    * Kernel support for IBRS: YES
    * IBRS enabled for Kernel space: NO
    * IBRS enabled for User space: NO
    * Mitigation 2
    * Kernel compiled with retpoline option: NO
    * Kernel compiled with a retpoline-aware compiler: NO
    > STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

  11. Still showing vulnerable to CVE-2017-5715 on CentOS 7.4.1708

    Yet when I check rpm -q –changelog kernel | egrep ‘CVE-2017-5715’, I find 99 lines in the logs mostly from Poimboeuf.

    So am I patched or not??

    Help?

    Have a question? Post it on our forum!