Missing Linux Kernel mitigations for 'SSB - Speculative Store Bypass' hardware vulnerabilities

Bug #1949186 reported by Ammar Braik
Affects | Status | Importance | Assigned to | Milestone
linux-aws (Ubuntu) | Expired | Undecided | Unassigned |

Bug Description

The Greenbone Security Assistant is reporting the following to me:
Summary
The remote host is missing one or more known mitigation(s) on the Linux Kernel side for the referenced 'SSB - Speculative Store Bypass' hardware vulnerabilities.
Detection Result

The Linux Kernel on the remote host is missing the mitigation for the "spec_store_bypass" hardware vulnerabilities as reported by the sysfs interface:

sysfs file checked | Kernel status (SSH response)
----------------------------------------------------------------------------------------
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass | Vulnerable

Notes on the "Kernel status / SSH response" column:
- sysfs file missing: The sysfs interface is available but the sysfs file for this specific vulnerability is missing. This means the kernel doesn't know this vulnerability yet and is not providing any mitigation which means the target system is vulnerable.
- Strings including "Mitigation:", "Not affected" or "Vulnerable" are reported directly by the Linux Kernel.
- All other strings are responses to various SSH commands.

Product Detection Result
Product

cpe:/a:linux:kernel
Method

Detection of Linux Kernel mitigation status for hardware vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.108765)
Log

Detection Method
Checks previously gathered information on the mitigation status reported by the Linux Kernel.
Details:

Missing Linux Kernel mitigations for 'SSB - Speculative Store Bypass' ...
OID: 1.3.6.1.4.1.25623.1.0.108842

Version used: 2021-07-07T02:00:46Z
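The sysfs check the scanner output above describes, written out as an added example (it is not code from this bug report or from Greenbone): read each file under /sys/devices/system/cpu/vulnerabilities and apply the scanner's rules, where a missing file means the kernel does not know the vulnerability and the host is treated as vulnerable, and "Mitigation:", "Not affected" and "Vulnerable" are the kernel's own verdict. The sample status strings in the comments are constructed.

```python
"""Classify Linux kernel hardware-vulnerability status from sysfs.

Added example, not from the bug report or Greenbone. Mirrors the notes in the
scanner output: missing sysfs file => kernel unaware => treat as vulnerable;
strings starting "Mitigation:", "Not affected", "Vulnerable" are the kernel's.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status):
    """Map one sysfs status line (or None for a missing file) to a verdict.

    Constructed examples:
      "Mitigation: Speculative Store Bypass disabled via prctl" -> "mitigated"
      "Vulnerable"                                               -> "vulnerable"
      None (file absent)                                         -> "vulnerable"
    """
    if status is None:
        # sysfs file missing: the kernel provides no mitigation for it at all
        return "vulnerable"
    s = status.strip()
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    # Anything else (e.g. "Unknown: ...") needs a human look
    return "unknown"


def read_status(name, sysfs_dir=SYSFS_DIR):
    """Return the raw status string for one vulnerability, or None if missing."""
    try:
        with open(os.path.join(sysfs_dir, name)) as f:
            return f.read()
    except FileNotFoundError:
        return None


def audit(sysfs_dir=SYSFS_DIR, names=("spec_store_bypass",)):
    """Return {name: (stripped raw status or None, verdict)} for each name."""
    result = {}
    for name in names:
        raw = read_status(name, sysfs_dir)
        result[name] = (raw.strip() if raw is not None else None, classify(raw))
    return result


if __name__ == "__main__":
    for name, (raw, verdict) in audit().items():
        print(f"{name}: {raw if raw is not None else 'sysfs file missing'} -> {verdict}")
```

Run it on the affected host (or over SSH) to reproduce the scanner's row; a "Vulnerable" or missing-file result for spec_store_bypass is what the report above flags.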

Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public so that teams outside of the security team can see it?

Ammar Braik (uo-ramma) wrote :

Hi Marc,

yes please.

Many thanks

Ammar

information type: Private Security → Public Security
Steve Beattie (sbeattie) wrote :

Hi Ammar, apologies for the delayed follow-up. What is the version of the kernel that you are seeing this with? I.e., what is the output of running the command 'cat /proc/version_signature' where this is showing up?

Steve Beattie (sbeattie)
Changed in linux-aws (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for linux-aws (Ubuntu) because there has been no activity for 60 days.]

Changed in linux-aws (Ubuntu):
status: Incomplete → Expired