Page 1 of 1

linux/intel-microcode security upgrades

Posted: 2018-08-22 06:47
by sunrat
There have been security upgrades to linux and intel-microcode this week. Does anyone know if this applies to all Intel processors? The advisory mentions "Common server class CPUs".
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4279-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 20, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2018-3620 CVE-2018-3646

Multiple researchers have discovered a vulnerability in the way the
Intel processor designs have implemented speculative execution of
instructions in combination with handling of page-faults. This flaw
could allow an attacker controlling an unprivileged process to read
memory from arbitrary (non-user controlled) addresses, including from
the kernel and all other processes running on the system or cross
guest/host boundaries to read host memory.

To fully resolve these vulnerabilities it is also necessary to install
updated CPU microcode (only available in Debian non-free). Common server
class CPUs are covered in the update released as DSA 4273-1.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.110-3+deb9u3.
https://www.debian.org/security/2018/dsa-4279
https://www.debian.org/security/2018/dsa-4273

Re: linux/intel-microcode security upgrades

Posted: 2018-08-22 15:33
by None1975
sunrat wrote:There have been security upgrades to linux and intel-microcode this week. Does anyone know if this applies to all Intel processors?
No, not all processors. For example my processor

Code: Select all

Intel i7 920 (8) @ 2.7GHz
is not in the list.

Re: linux/intel-microcode security upgrades

Posted: 2018-08-22 16:36
by stevepusser
None1975 wrote:
sunrat wrote:There have been security upgrades to linux and intel-microcode this week. Does anyone know if this applies to all Intel processors?
No, not all processors. For example my processor

Code: Select all

Intel i7 920 (8) @ 2.7GHz
is not in the list.
Ummmm....that list you linked to is for a microcode update from 2009. I wouldn't expect any newer processors to be on it, either.

The Security Now podcast usually has clear explanations as to what hardware is affected by these new exploits...and transcripts can easily downloaded and searched from here: https://www.grc.com/securitynow.htm

Re: linux/intel-microcode security upgrades

Posted: 2018-08-22 22:37
by pcalvert

Re: linux/intel-microcode security upgrades

Posted: 2018-08-22 22:40
by stevepusser
Basically, all Intel processors from the last decade (or even earlier) use speculative execution, and that's where the exploits have been discovered.

Re: linux/intel-microcode security upgrades

Posted: 2018-08-23 00:00
by sunrat
Here's the current list, appears to be for almost all Intel processors. Including my i5 6500, Core2Duo E8500, and Celeron <something> in a netbook. Just had to scroll down on None1975's linked page to "Other Versions".

https://downloadcenter.intel.com/downlo ... -Data-File

Re: linux/intel-microcode security upgrades

Posted: 2018-08-23 01:28
by 4D696B65
Licence issue in the latest microcode
https://bugs.debian.org/cgi-bin/bugrepo ... um=website

Re: linux/intel-microcode security upgrades

Posted: 2018-08-23 06:02
by Head_on_a_Stick
For those who need the fixes now, download the Arch intel-ucode package from this link:

https://www.archlinux.org/packages/extr ... /download/

Unpack the tarball and copy the initrd image to /boot:

Code: Select all

tar xf intel-ucode-20180807-1-any.pkg.tar.xz
# cp boot/intel-ucode.img /boot/intel-ucode.img
Now add a custom GRUB boot entry at the end of /etc/grub/40_custom:

Code: Select all

menuentry 'Debian ucode' {
    set root 'hdX,Y'
    linux /vmlinuz root=/dev/sdZY ro quiet # add other kernel parameters here
    initrd /boot/intel-ucode.img /initrd.img
}
^ Change the "set root" line so the X is replaced by the hard drive index (where sda is represented by "0", sdb="1", sdc="2", etc) and the Y is the partition number of the root filesystem; remember to run `update-grub` (as root) to generate the entry afterwards.

EDIT: Z=X+1

Re: linux/intel-microcode security upgrades

Posted: 2018-08-23 07:31
by sunrat
intel-microcode was always non-free.
An upgrade was released on August 16 as linked in my OP. Is that not the current release from Intel?
https://www.debian.org/security/2018/dsa-4273

Debian Security Advisory
DSA-4273-1 intel-microcode -- security update

Date Reported:
16 Aug 2018
Affected Packages:
intel-microcode
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2018-3639, CVE-2018-3640.
More information:

This update ships updated CPU microcode for some types of Intel CPUs and provides SSBD support (needed to address "Spectre v4") and fixes for "Spectre v3a".

For the stable distribution (stretch), these problems have been fixed in version 3.20180703.2~deb9u1.

Re: linux/intel-microcode security upgrades

Posted: 2018-08-23 12:35
by None1975
stevepusser wrote:The Security Now podcast usually has clear explanations as to what hardware is affected by these new exploits...and transcripts can easily downloaded and searched from here: https://www.grc.com/securitynow.htm
Thank you for the link.

Re: linux/intel-microcode security upgrades

Posted: 2018-08-25 02:18
by 4D696B65
4D696B65 wrote:Licence issue in the latest microcode
https://bugs.debian.org/cgi-bin/bugrepo ... um=website
Licence issue is settled and new microcode is in sid
https://bugs.debian.org/cgi-bin/bugrepo ... website#88

Re: linux/intel-microcode security upgrades

Posted: 2018-08-25 16:42
by stevepusser
FWIW, it is safe to manually download and install the Sid deb in Stretch in terms of not making a FrankenDebian, or one could just wait until it's a security update in Stretch.