Missing Linux Kernel Mitigations

Bug #1891812 reported by Riki
Affects: linux-aws (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

We need assistance in resolving OpenVAS security scan findings related to Spectre/Meltdown vulnerabilities on both Ubuntu 16.04 LTS and 20.04 LTS platforms on AWS. Both systems were updated with the latest supported kernel versions (4.4.0.1111-aws and 5.4.0-1021-aws), the relevant Intel microcode updates (3.20200609.0ubuntu0.20.04.2) and the mitigations suggested on the Ubuntu site. Please reference the findings below and suggest any mitigations that we may need to take to address them.

The Linux Kernel on the remote host is missing one or more mitigation(s) for hardware vulnerabilities as reported by the sysfs interface:

sysfs file (Related CVE(s)) | Kernel status
--------------------------- | -------------
/sys/devices/system/cpu/vulnerabilities/itlb_multihit (CVE-2018-12207) | KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/mds (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091) | Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass (CVE-2018-3639) | Vulnerable

Notes on specific Kernel status output:
- sysfs file missing: The sysfs interface is available, but the sysfs file for this specific vulnerability is missing. This means the kernel doesn't know this vulnerability yet and is not providing any mitigation, which means the target system is vulnerable.
- Strings including "Mitigation:", "Not affected" or "Vulnerable" are reported directly by the Linux Kernel.
- All other strings are responses to various SSH commands.

Tags: bot-comment
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1891812/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Manfred Hampl (m-hampl)
affects: ubuntu → linux-aws (Ubuntu)
Thadeu Lima de Souza Cascardo (cascardo) wrote :

https://aws.amazon.com/security/security-bulletins/AWS-2019-004/

According to the Amazon advisory, fixes have been applied and "no customer action is required at the Infrastructure level". Reading from other sources [1], I can only conclude that Amazon has not provided the knobs needed to do the mitigation. This explains the issue for MDS and TAA. SSB is likely vulnerable for the same reasons, but I'll look for their advisory and update it here. Same thing for ITLB multihit.

One possible avenue of investigation is verifying if VERW is being used and providing the mitigation for the MDS case.

Regards.
Cascardo.

[1] https://www.reddit.com/r/aws/comments/br38fl/sidechannel_md_clear_cpu_flags_not_being_passed/
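To show how the sysfs status strings in the scan output above are interpreted, and to check the VERW/microcode point raised in the comment, here is an added Python example (not code from the reporter, OpenVAS, AWS or Ubuntu): it classifies each /sys/devices/system/cpu/vulnerabilities entry by the three kernel-reported prefixes the scan notes list, treats a missing file as vulnerable, and explains the MDS "no microcode" status when /proc/cpuinfo lacks the md_clear flag. The sample status lines and the cpuinfo snippet are constructed, and the function names are my own.

```python
import os
import re

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

def classify_status(status):
    """Map a kernel status line to (state, detail) by the prefixes the scan notes list."""
    s = re.sub(r"^KVM:\s*", "", status.strip())  # itlb_multihit reports "KVM: <status>"
    for prefix, state in (("Mitigation:", "mitigated"), ("Not affected", "not_affected"),
                          ("Vulnerable", "vulnerable")):
        if s.startswith(prefix):
            return state, s[len(prefix):].lstrip(" :")
    return "unknown", s  # not a kernel-reported status string

def read_vulnerabilities(vuln_dir=VULN_DIR, names=("itlb_multihit", "mds", "spec_store_bypass")):
    """Read the sysfs files; a missing file counts as vulnerable, as the scan notes state."""
    result = {}
    for name in names:
        try:
            with open(os.path.join(vuln_dir, name)) as f:
                result[name] = classify_status(f.read())
        except FileNotFoundError:
            result[name] = ("vulnerable", "sysfs file missing")
    return result

def cpu_has_flag(flag, cpuinfo_text):
    """True if a CPU feature flag such as 'md_clear' appears in the /proc/cpuinfo flags line."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return flag in line.split(":", 1)[1].split()
    return False

def assess(statuses, cpuinfo_text):
    """One finding per vulnerable entry; explains the MDS 'no microcode' case."""
    findings = []
    for name, (state, detail) in statuses.items():
        if state == "vulnerable":
            note = detail or "no mitigation reported"
            if name == "mds" and "no microcode" in detail and not cpu_has_flag("md_clear", cpuinfo_text):
                note += "; VERW is issued but md_clear is not exposed, so buffers are not cleared"
            findings.append(f"{name}: {note}")
    return findings

# Constructed sample reproducing the three scan lines above (not a real host capture).
SAMPLE_STATUS = {
    "itlb_multihit": classify_status("KVM: Vulnerable"),
    "mds": classify_status("Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown"),
    "spec_store_bypass": classify_status("Vulnerable"),
}
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme sse2 ht\n"  # constructed: no md_clear flag
```

On a live Ubuntu host, `assess(read_vulnerabilities(), open("/proc/cpuinfo").read())` runs the same logic against the real sysfs files.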
