'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign

Discussion in 'other security issues & news' started by Minimalist, Jan 2, 2018.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,221
    Location:
    Under a bushel ...
    Thanks. My newer Dell and ThinkPad laptops were already updated on the 29th and 27th of December respectively. :)
     
  2. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Thanks paulderdash, I have read your edit now - interesting.
    Plus this morning I finally received an answer from Zemana -

    Thanks for your help guys @daman1, @paulderdash, @plingman, I can now get on and add the registry edit, and go from there.
     
    Last edited: Jan 10, 2018
  3. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    I have been trying to enable mitigation against CVE-2017-5715 and CVE-2017-5754 on my Windows 10 laptop by adding the registry keys discussed here:

    https:\\support.microsoft.com\help\4073119

    Two REG_DWORD two keys are created at:

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

    They are:

    FeatureSettingsOverride
    FeatureSettingsOverrideMask

    This is supposed to work as follows:

    bit 0 of FeatureSettingsOverride toggles mitigation against CVE-2017-5715 (branch target injection) on/off (0 = enable, 1 = disable)
    bit 1 of FeatureSettingsOverride toggles mitigation against CVE-2017-5754 (rogue data cache load) on/off (0 = enable, 1 = disable)

    So setting FeatureSettingsOverride to 3 (binary 11) should enable mitigation against both.

    Using this key I am able to successfully toggle bit 1 off/on and enable/disable mitigation against CVE-2017-5754 (using SpecuCheck to test).

    However, toggling bit 0 on/off doesn't enable/disable mitigation against CVE-2017-5754

    I am not sure what the mask does so it is set at 3 as in the Microsoft article.

    I am not sure what is wrong. Might be me. Might be Microsoft.

    Edit.

    It seems these keys are only needed if you want to disable mitigation. By default, when the keys are not present mitigation should be enabled.

    However, for me there is some other reason why mitigation against CVE-2017-5754 isn't being enabled. I have CPU and policy/registry support but I can't enable it. See picture.

    specuckeck.JPG
     
    Last edited: Jan 10, 2018
  4. mary7

    mary7 Registered Member

    Joined:
    Oct 17, 2017
    Posts:
    57
    Location:
    Italy
    Hi,

    I have use the microcodeupdate for my CPU Pentium B960 and in the event viewer there is write No CPUs needed an update
     
  5. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    The B960 isn't on Intel's list of processors which are affected as far as I can see (which is good news).
    If that is the case you don't need the microcode, so uninstall it and delete the service that calls it at startup.
     
  6. mary7

    mary7 Registered Member

    Joined:
    Oct 17, 2017
    Posts:
    57
    Location:
    Italy
    yes isn't in that list of affected CPU but was one of the listed CPU for the microcode on the https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?v=t

    I have unistalled the microcode update and deleted the service. So I have to update the microcode of my other two computers? One is the Celeron N3060 (affected) and the other is Pentium G3260 (not affected) but all 2 are in the list of intel download center. Or I have to wait BIOS update for the pc with Celeron N3060?

    Stress
     
  7. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,263
    Location:
    Member state of European Union
    I have the same CPU and it is certainly affected by Spectre, because I tested this CPU using PoC (proof of concept). I don't know whether it is affected by Meltdown.

    Don't stress. For now follow other security advices (update system for fixing other vulnerabilities, use NoScript or at least Ad-block and so on) and it should be enough for some time.
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    Attempting not to stress(!). Is it your understanding that the microcode updates will be rolled out by the Windows or Linux distributions in due course (IOW, I just have to be patient)? At least the recent Windows 7 roll-up patch did not include the microcode update for a supported processor in the current Intel list.

    Given that Spectre is likely to run and run, I would guess we're likely to be facing repeated open-heart surgery for some while.

    I think my main concern is actually guest-guest isolation in Vmware and VirtualBox. It's somewhat hard to see how this could be exploited, but from what I understand, some form of Spectre vulnerability could presumably enumerate the running virtual machines from the hypervisor process, and then, assuming it knew or could find out what was running in each VM process (which is userland as I understand it), and had an exploit for that, it could potentially have access to both kernel and user process ram in that virtual machine. I think this would be a high-value tailored attack, but you never know where automation is going to go. Anyway, early days, and I'm acutely aware I don't understand nearly enough!

    For sure, I'll be taking additional steps to harden the guests in various ways (including RBAC/Firejail/Sandboxie restricting internet access for those processes that don't require it, so that exfiltration fails; and the measures you describe for internet facing apps which can run code).
     
  9. plat1098

    plat1098 Guest

    I have an older Haswell Skylake processor that's virtually guaranteed to suffer when the Spectre flaw will have the first microcode applied via BIOS update. Lenovo hasn't provided this yet. All the available updates were applied to my vulnerable machines and I use ad-blockers in secured browsers. What more can you do? Frankly, I'm a little concerned about the potential reduction in CPU performance. From what I understand, it's going to be significant. When updates for Meltdown came out, the effects were negligible to none.
     
    Last edited by a moderator: Jan 10, 2018
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,009
    Location:
    DC Metro Area
    "More details emerge on how much Meltdown and Spectre patches will slow down your PC...

    According to Microsoft, those using Windows 10 along with Skylake or newer Intel processors experience “single-digit slowdowns”, meaning less than 10%...

    ...[T]hose running Windows 10 with older Intel processors (Haswell, which is 4th-gen, or older) will experience more significant slowdowns, and 'some users will notice a decrease in system performance'.

    Finally, Microsoft observes that in the case of those running older CPUs (Haswell or previous) along with an older OS – i.e. Windows 7 or Windows 8 – it expects 'most users to notice a decrease in system performance'..."

    http://www.techradar.com/news/more-...wn-and-spectre-patches-will-slow-down-your-pc
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,095
    Location:
    U.S.A.
    I suspect this is due to the use of the VMWare driver to simulate the microcode update. In other words, some will actually have to wait for an actual BIOS update for it to be enabled by the Win OS.
     
  12. boombastik

    boombastik Registered Member

    Joined:
    Oct 7, 2010
    Posts:
    259
    Location:
    Greece
    First of all the windows patch two attacks.

    1)Rogue data cache load.
    This patched software and are ok to go.
    If your cpu is haswell and newer the windows activates also PCID perfomance optimization and the perfomance hit is smaller. I know that the x58 socket westmere xeon has support for PCID but windows dont activate it, as i think that is so no good as newer cpus.

    2)Branch target injection.
    This need software and firmware update to work as intented.
    The OS already patched this but to work for all variants you need and a microcode cpu update.

    the only microcodes tha intel released is theese:

    Intel has released all these microcodes for this until now:
    sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
    sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
    sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
    sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
    sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
    sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
    sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
    sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
    sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
    sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304

    I personally moded my bios with haswell microcode 23 and it is buggy and i returned to 22.


    VMWare driver to simulate the microcode update dont work for this security patch because it is to slow when loading.
    Generally the os patch microcode offers less bug fixes from the bios microcode is not the same.
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,438
    Location:
    Outer space
    I tried updating 2 PC's with the VMware driver, a Core2Duo and a first gen i3. Both are listed on the Intel 20180108 microcode page. For the i3, logs show microcode update is not needed. For the C2D, it shows succesfully updated, however SpecuCheck still shows "disabled due to Lack of Microcode Update = yes".


    Working PoC against an Intel SGX enclave:
    https://github.com/lsds/spectre-attack-sgx

    I don't think Windows will roll out microcode updates.(Except for MS's own hardware like Surface). You're dependent on whether you manufacterer will provide a bios update.
    (Or perhaps it can be done through the VMware driver or potentionally some other tool developed in the future.)

    Yes, hypervisors are also affected, see for example Xen Security Advisory.
    https://xenbits.xen.org/xsa/advisory-254.html
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    36,102
    Ashampoo blog-entry: Meltdown and Spectre: the great processor disaster

    Ashampoo® Spectre Meltdown CPU Checker
    January 10, 2018
    Ashampoo Spectre Meltdown CPU Checker
    https://www.ghacks.net/2018/01/15/ashampoo-spectre-meltdown-cpu-checker/
    Warning: This tool changes the Powershell Execution policy of "CurrentUser" to "Bypass" and doesn't change it back to the previous setting (maybe it will be fixed with a newer version, but i haven't checked it yet with the latest version [v1.1.1]). It is preferred to set it to "Default" ("Restricted" is the default):
    Code:
    (Powershell with Administrator privileges)
    To see the ExecutionPolicy:
    Get-ExecutionPolicy -list
    If CurrentUser is shown as "Bypass", it should be changed:
    Set-ExecutionPolicy -ExecutionPolicy Default -Scope CurrentUser
    
     
    Last edited: Jan 15, 2018
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    Thanks - I'm a bit perplexed if Windows can't rollout microcode updates since Linux can, and Intel has admitted Bios upgrade ain't practical. As you say, we may get utilities or the VMware driver might work. I'm not sure I'll ever get a bios upgrade.

    I've been looking at VMware Workstation regarding their updates, I think they're in a slightly different position to Xen as a type-2 hypervisor. Fairly professional response from them so far, though I think the story has a long way to go, particularly for things like Tools.
     
  16. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,050
    Location:
    Europe, UE citizen
    There is an Intel schedule to fix ?
     
  17. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    If you are advocating that, you are a security expert.
    That is definitely the way to go online and keep everything else on an offline computer. If they want our private data so bad, make them work for it.
     
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,009
    Location:
    DC Metro Area
    "Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers

    Ubuntu Xenial 16.04 users who updated to receive the Meltdown and Spectre patches are reporting they are unable to boot their systems and have been forced to roll back to an earlier Linux kernel image.

    The issues were reported by a large number of users on the Ubuntu forums, Ubuntu's Launchpad bug tracker, and Reddit thread. Only Ubuntu users running the Xenial 16.04 series appear to be affected..."

    https://www.bleepingcomputer.com/ne...using-boot-issues-for-ubuntu-16-04-computers/
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,864
    Location:
    Italy
  20. plat1098

    plat1098 Guest

    Yeah, I checked again for other one--Skylake i7 6700k-- like it was via Powershell in post 278. Speaking of which, I have "block powershell .exe" enabled in OSArmor so this CPU checker is stopped unless OSA is disabled. Oh well, curiosity gets the better of you sometimes. :rolleyes:
    cpu vuln.PNG
     
  21. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    Microsoft could patch the microcode if they wanted to. They have done in the past. There may be further updates to Windows so we'll see. Unfortunately the VMware driver doesn't help as it is. I have tried changing it to load earlier when windows boots but I have not got it to work yet.
     
  22. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    Thanks. Well, if MS don't patch with the available microcode, and Intel can't be bothered to update the BIOS on a 7yo mobo, then I'll be switching to a Linux host, which I was planning anyway.

    But only when the dust settles, I'm not rushing into this given the understandable level of BSOD we're seeing.
     
  23. mary7

    mary7 Registered Member

    Joined:
    Oct 17, 2017
    Posts:
    57
    Location:
    Italy
    The PC with cpu pentium b960 with ashampoo results vulnerable forse spectre so why it isn t in The Intel List of CPU Affected?
     
  24. plat1098

    plat1098 Guest

    On older machine I was VERY concerned about drastic CPU downgrades with any upcoming updates for the Spectre flaw:

    spectre haswell.PNG

    SPEC POWERSHELL.PNG

    I ran two different tools to crosscheck results. So, I'm still concerned for the multitudes, particularly affected by the AMD/BSOD issue. But understandably, this is a real relief. Never hurts to double check.
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,864
    Location:
    Italy
    WOW !!:thumb:

    What is the OS and the Hardware of your PC?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.