Ubuntu – Ubuntu’s status on the Meltdown and Spectre vulnerabilities

Security

Any questions relating to status updates, or asking if anything is going to be patched for these vulnerabilities should be closed as duplicates of this question.

Meltdown and Spectre are in the news right now and sound pretty severe. I don't see any security updates from Ubuntu that cover these vulnerabilities.

What is Ubuntu doing about these vulnerabilities, and what should Ubuntu users be doing?

These are CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754.

Best Answer

It was discovered that a new class of side channel attacks impact most processors, including processors from Intel, AMD, and ARM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory.

To address the issue, updates to the Ubuntu kernel and processor microcode are needed. Updates are announced in Ubuntu Security Notices. Meltdown/Spectre related updates have now been announced, covering updates to the kernel and to some userspace software.

The following updates have been released:

  • Ubuntu kernel updates are available in USN-3522-1 (for Ubuntu 16.04 LTS), USN-3523-1 (for Ubuntu 17.10), USN-3522-2 (for Ubuntu 14.04 LTS (HWE)), and USN-3524-1 (for Ubuntu 14.04 LTS).
  • Further kernel updates (which include mitigations for both Spectre variants and additional mitigations for Meltdown) were made available on January 22 2018 in USN-3541-2 (for Ubuntu 16.04 LTS (HWE)), USN-3540-1 (for Ubuntu 16.04 LTS), USN-3541-1 (for Ubuntu 17.10), USN-3540-2 (for Ubuntu 14.04 LTS (HWE)), USN-3542-1 (for Ubuntu 14.04 LTS), USN-3542-2 (for Ubuntu 12.04 LTS (HWE)).
  • USN-3516-1 provides Firefox updates.
  • USN-3521-1 provides NVIDIA driver updates.
  • USN-3531-1 provides Intel microcode updates. Due to regressions, the microcode updates have been reverted for now (USN-3531-2).

Users should immediately install the updates as they are released in the normal way. A reboot is required for the kernel and microcode updates to take effect.

Users can verify the kernel page table isolation patches are active after the reboot.

Updates for Ubuntu 17.04 (Zesty Zapus) will not be provided as it reached end-of-life on January 13 2018.

In advance of security updates being released, Dustin Kirkland had provided some more details of what updates to expect in a blog post, including mention of kernel updates as well as CPU microcode, gcc and qemu updates.

Kiko Reis from Canonical wrote an accessible description of the impact of these vulnerabilities and their mitigations for Ubuntu users on 24 January 2018.

The Ubuntu Security Team is maintaining their current status on these issues and an official technical FAQ that goes into detail about the specific individual vulnerability variants and their mitigations under different use cases.

Note that Linux mainline and stable release updates from v4.15 (28th January 2018) and onwards include the appropriate fixes and Ubuntu kernels are based on those. As such, any versions of Ubuntu using Linux Kernel versions 4.15.0 and up are patched (including 18.04 and 18.10).
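The verification step the answer mentions, as an added example that is not part of the answer or of Ubuntu's own tooling: a POSIX shell script that reads the mitigation status the kernel itself reports. The sysfs directory and cpuinfo path are parameters (the assumed defaults are the standard Linux locations) so the same checks can also be run against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the answer or from Ubuntu): check what the running
# kernel reports about Meltdown/Spectre mitigation. Paths are parameters so the
# functions can also be exercised against constructed sample files.

# Print "<issue>: <status>" for every file in the sysfs vulnerabilities
# directory (exposed by mainline 4.15+ and kernels that backported it).
report_vulnerabilities() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "$dir missing: kernel exposes no sysfs status; check dmesg for 'Kernel/User page tables isolation: enabled'" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Return 0 when no entry reports "Vulnerable", 1 when at least one does,
# 2 when the directory is absent. "Not affected" counts as fine.
all_mitigated() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || return 2
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) echo "UNMITIGATED: $(basename "$f")" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Return 0 if the "pti" CPU flag (kernel page table isolation active) is
# listed on a flags line of cpuinfo. Tokenising avoids substring matches.
pti_flag_present() {
    grep '^flags' "${1:-/proc/cpuinfo}" | tr '\t ' '\n\n' | grep -qx pti
}

# Stand-alone use against the live system.
report_vulnerabilities || true
if all_mitigated; then echo "all listed issues mitigated"
else echo "action needed: install kernel/microcode updates and reboot"; fi
if pti_flag_present; then echo "pti flag present in /proc/cpuinfo"; fi
```

A kernel older than the sysfs interface prints nothing for the first check, in which case the dmesg line named in the error message is the fallback.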