As recently announced in a previous article, I wanted to write a couple of guides on how to mitigate the Spectre and Meltdown vulnerabilities in GNU/Linux and UNIX environments. It is always a good, and I hope a standard, practice to have your systems patched, and if they aren’t for whatever reason (that legacy thing you’ve been carrying for ages) you may need to take extra steps to protect your environment. I never planned to write any article on patching anything. Nowadays it’s a no-brainer, and operating systems provide the necessary tools to make it easy and as smooth as possible. So why this article?
Spectre and Meltdown are both hardware vulnerabilities. Major ones. They matter for several reasons, among them their worldwide impact, since they affect Intel and AMD systems, which are ubiquitous. And second because patching hardware is not as easy, for the manufacturer or for the users and administrators in charge of the systems. There is still no known exploit out in the open hitting servers or desktops anywhere. The question is not whether it will ever happen. The question is when it will happen. And it may be sooner rather than later. This is why big companies, governments and people in charge of large deployments are patching or have already patched their systems. But have you done it on your system? I know you have a firewall. Have you thought about CVE-2018-3639? That particular one could turn your browser into a vector into your system. So, no, there is no reason to skip this.
If you find the articles in Adminbyaccident.com useful to you, please consider making a donation.
Use this link to get $200 credit at DigitalOcean and support Adminbyaccident.com costs.
Get $100 credit for free at Vultr using this link and support Adminbyaccident.com costs.
Mind Vultr supports FreeBSD on their VPS offer.
Patching this set of vulnerabilities involves more steps and concerns than updating the operating system. If you are a regular Windows user it is rare for you to be here, and many of the things you will read may be foreign to you. I am not planning to write a guide for Windows systems, since I believe someone else has or will do it, and will do it better than me, as I am not a pro Windows user. However, there is one basic thing common to all OSes when dealing with Spectre and Meltdown: a microcode update is necessary for the OS patches to work effectively.
What is microcode? You can read the Wikipedia article, but in short it is a layer of code that allows chip manufacturers to deal with modifications to the hardware they’ve produced and to the operating systems that manage that hardware. Since there have been some issues (namely Spectre and Meltdown), Intel and AMD have each released a series of microcode updates to address those problems. The first series came with serious problems and some regressions, to the point that GNU/Linux distributors stopped shipping the microcode updates through their update channels and put the ball in Intel’s court. Patching fast always involves risks, especially when dealing with hardware. OS vendors have resumed their microcode update releases, so all seems to be fine now.
To update the microcode we have two options: download the most recent BIOS release from our vendor, provided it patches the Spectre and Meltdown vulnerabilities, or patch it from the OS. If your hardware vendor has decided not to support your hardware any longer you are forced to use the latter. Yes, you can still keep your hardware. BIOS releases usually come with a “release notes” file explaining what is fixed, what is new, etc. To make the search easier, a news site collected the vendor list and linked the right support pages for anyone to look up. In some scenarios it is preferable not to replace the whole BIOS but just update the microcode from the OS side. In my case I should update an HP ProLiant ML110 G7 box and the download link for that would be this.
With Ubuntu, as with many other mainstream distributions, there are two packages for CPU microcode updates. For Intel the package to install is intel-microcode and for AMD it is amd64-microcode. Before doing anything we’ll first check the microcode version we are running.
albert@HP:~$ cat /proc/cpuinfo | grep microcode
microcode : 0x2d
microcode : 0x2d
microcode : 0x2d
microcode : 0x2d
albert@HP:~$
We will now check whether it is an updated one that patches Spectre and Meltdown or not. It’s time to grab Intel’s latest guidance document (supposing you’re using that vendor instead of AMD) and compare the value we got with what they’ve published. This is a necessary step I haven’t seen in many guides on patching Spectre and Meltdown. Launching commands does not necessarily guarantee the desired result. I am still learning this the hard way.
This is the link we’ll use to check our CPU and microcode:
https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf
The CPU I am patching here is an Intel Xeon E3-1220 v3 in an HP ProLiant ML110 G7. If you check the table, the microcode in use now is what Intel calls “Pre-mitigation production MCU”. So this CPU is behind the desired microcode version. Next comes the update, and hopefully the result will be, in Intel’s parlance, a “New Production MCU Rev”.
Happily enough, a microcode update has landed today, and when I launched a regular update on Ubuntu a package updating intel-microcode appeared. Hopefully this will solve the issue. However, the command you should launch to manually update just the microcode would be:
sudo apt install intel-microcode (if you use Intel CPUs)
sudo apt install amd64-microcode (if you use AMD CPUs)
After installing the package, reboot your machine so the newly installed microcode is fully loaded, and check the version in use again.
albert@HP:~$ cat /proc/cpuinfo | grep microcode
microcode : 0x2e
microcode : 0x2e
microcode : 0x2e
microcode : 0x2e
albert@HP:~$
As you can see the microcode version has changed from the 0x1f value to 0x20. Again, if we check the result against the microcode guide from Intel (if you use AMD, use other resources to find out the right version), we will find the CPU is running a patched version of the microcode, what Intel calls “New Production MCU Rev.”
Note: This box is running Ubuntu 18.04 LTS, and today, August 28th, Canonical released this microcode. For the previous supported versions of Ubuntu (16.04 LTS and 14.04 LTS) the procedure is the same, and microcode updates have been released. Check the security advisories published by the vendor for more details.
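The check described above (read the running revision, compare it with the minimum revision from the vendor table, and recheck after the reboot) is easy to get wrong by eye, so here is a small script that does it. This is an added example, not code from the original article or from Ubuntu; the minimum revision it expects as an argument is an assumption you must take from Intel's guidance document for your own CPU model, and the sample cpuinfo text embedded in it is constructed from the output shown in the article so the functions can be exercised without real hardware.

```shell
#!/bin/sh
# Added example (not from the original article): compare the microcode
# revision reported by /proc/cpuinfo with the minimum revision looked up in
# the vendor's guidance table, and fail if any core is still behind.

# Constructed sample of /proc/cpuinfo, modelled on the article's four-core box.
SAMPLE_CPUINFO='processor : 0
model name : Intel(R) Xeon(R) CPU E3-1220 v3
microcode : 0x2d
processor : 1
microcode : 0x2d
processor : 2
microcode : 0x2d
processor : 3
microcode : 0x2d'

# Print the distinct microcode revisions found in a cpuinfo text ($1).
# A healthy box prints exactly one line; more than one means cores disagree,
# which happens when the update was only partially applied.
microcode_revs() {
    printf '%s\n' "$1" | awk -F': *' '/^microcode/ {print $2}' | sort -u
}

# Return 0 if the single running revision is at or above the minimum ($2),
# 1 otherwise. Revisions are hex strings such as 0x2d; printf '%d' turns
# them into decimal so that test(1) can compare them numerically.
microcode_ok() {
    cpuinfo=$1
    min=$2
    revs=$(microcode_revs "$cpuinfo")
    count=$(printf '%s\n' "$revs" | grep -c .)
    if [ "$count" -ne 1 ]; then
        echo "cores report different revisions: $(echo "$revs" | tr '\n' ' ')" >&2
        return 1
    fi
    cur=$(printf '%d' "$revs")
    want=$(printf '%d' "$min")
    if [ "$cur" -ge "$want" ]; then
        echo "microcode $revs is at or above required $min"
        return 0
    fi
    echo "microcode $revs is below required $min; install the update and reboot" >&2
    return 1
}

# Live check against the real machine. Besides the revision, patched kernels
# expose per-vulnerability mitigation status under sysfs; print it when present.
live_check() {
    # $1: minimum revision from the vendor table (assumption: supplied by you)
    microcode_ok "$(cat /proc/cpuinfo)" "$1"
    for f in /sys/devices/system/cpu/vulnerabilities/*; do
        [ -r "$f" ] && printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Usage when run directly: ./check_microcode.sh 0x2e
if [ -n "${1:-}" ]; then
    live_check "$1"
fi
```

Run it before and after the reboot with the revision you found in the vendor table; a non-zero exit means either the update has not taken effect or not all cores received it, and the sysfs lines tell you which mitigations the kernel considers active.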