CLD-200 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-5754 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s) Meltdown

Basic Information:

Affected Package(s) linux
Deficiency Type SECURITY
Date Created 2018-01-05 21:02:05
Date Last Modified 2018-01-07 13:49:35

Version Specific Information:

Cucumber 1.0 i686 fixed in linux-4.9.75-i686-1
Cucumber 1.0 x86_64 fixed in linux-4.9.75-x86_64-1

Cucumber 1.1 i686 fixed in linux-4.9.75-i686-1
Cucumber 1.1 x86_64 fixed in linux-4.9.75-x86_64-1

Details:

THIS ANALYSIS IS ONGOING AS INFORMATION ABOUT THIS VULNERABILITY IS STILL
BREAKING. THIS PAGE WILL BE UPDATED AS MORE INFORMATION BECOMES AVAILABLE.

For more information about the Spectre vulnerability see:
http://security.cucumberlinux.com/security/details.php?id=201
http://security.cucumberlinux.com/security/details.php?id=202

============ WARNING: THIS UPDATE IS KNOWN TO BREAK CERTAIN SYSTEMS ============

Because this update makes a larger change to the Linux kernel than most other
kernel updates, it has a greater than usual chance of breaking your system.
This kernel update is known to cause issues in the following environments:
 * Running inside an x86_64 KVM virtual machine on a RedHat/Centos 6 hypervisor.

If you experience issues with this kernel in a specific setup, reboot and use
your fallback kernel until the issue can be resolved. If you experience an
issue with a setup that is not listed above, please send an email to
scott@cucumberlinux.com detailing your setup so we can add it to this list.

We apologize for this inconvenience; however, there is little anyone can do
about it since this vulnerability is extremely severe and requires a massive
change to the kernel to mitigate.

=================================== Overview ===================================

From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754:

Systems with microprocessors utilizing speculative execution and indirect
branch prediction may allow unauthorized disclosure of information to an
attacker with local user access via a side-channel analysis of the data cache.

================================ Initial Report ================================

From meltdownattack.com:

Meltdown breaks the most fundamental isolation between user applications and
the operating system. This attack allows a program to access the memory, and
thus also the secrets, of other programs and the operating system.

If your computer has a vulnerable processor and runs an unpatched operating
system, it is not safe to work with sensitive information without the chance of
leaking the information. This applies both to personal computers as well as
cloud infrastructure. Luckily, there are software patches against Meltdown.

A full paper about the technical details of Meltdown can be found at
https://meltdownattack.com/meltdown.pdf.

============================ Additional Information ============================

Additional information about the Meltdown vulnerability can be found at
https://meltdownattack.com/.

================================= Our Analysis =================================

----- Affected Products -----
This is a hardware vulnerability, affecting almost every Intel processor
manufactured since 1995. Fortunately, it is possible to mitigate the effect of
Meltdown via a software patch: KAISER (aka PAGE_TABLE_ISOLATION). The
discoverers of this vulnerability claim it can be completely patched
(https://meltdownattack.com/); however, this has been disputed (see
https://www.youtube.com/watch?v=I5mRwzVvFGE).

This vulnerability is similar to another vulnerability known as Spectre. While
this particular vulnerability (Meltdown) can be mitigated with software, new
hardware will ultimately be necessary to completely stop the Spectre family of
vulnerabilities (https://www.youtube.com/watch?v=I5mRwzVvFGE).

This vulnerability has been fixed in release 4.9.75 of the 4.9 Linux kernel
series. All versions of the 4.9 kernel series prior to 4.9.75 are vulnerable to
this. This includes the Linux kernel as originally packaged in Cucumber Linux
1.0 and 1.1.

This vulnerability has been fixed in the following releases in other Linux
kernel series: 4.4.110.

----- Scope and Impact of this Vulnerability -----
This vulnerability allows any process to access the memory of any other
running process or the kernel. This vulnerability is not limited to the Linux
kernel either; several other kernels (including Windows and Mac OS) were
previously vulnerable to this as well.

----- Fix for this Vulnerability -----
This vulnerability has been fixed by the introduction of the
PAGE_TABLE_ISOLATION feature in the Linux kernel, which was first released in
the 4.9 kernel series in 4.9.75.

================================= Our Solution =================================

We have upgraded to version 4.9.75 of the Linux kernel and enabled the new
PAGE_TABLE_ISOLATION feature of the Linux kernel.
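
One way to verify the fix described above on an installed system, as an added
example that is not part of this advisory: a POSIX shell script that checks the
running kernel version against 4.9.75 and looks for page-table isolation in
/proc/cpuinfo. It assumes the cpuinfo feature flag is spelled "pti" or, on
early backports, "kaiser"; the page itself does not name the flag.

```sh
#!/bin/sh
# Added example, not part of the Cucumber Linux advisory: check that a
# 4.9-series kernel carries the fix (>= 4.9.75) and that page-table isolation
# is active. Assumption: the cpuinfo flag is "pti" or, on early backports,
# "kaiser".

# version_ge A B: true when dotted numeric version A is >= B.
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        c1=${v1%%.*}; c2=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        [ "${c1:-0}" -gt "${c2:-0}" ] && return 0
        [ "${c1:-0}" -lt "${c2:-0}" ] && return 1
    done
    return 0
}

# cpuinfo_has_pti FILE: true when a /proc/cpuinfo-style FILE lists the pti
# (or kaiser) feature flag, which the kernel reports when PTI is enabled.
cpuinfo_has_pti() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]](pti|kaiser)([[:space:]]|$)' \
        "$1" 2>/dev/null
}

# check_system: report on the running kernel; returns 1 if a check fails.
check_system() {
    rc=0
    kver=$(uname -r); base=${kver%%-*}   # "4.9.75-x86_64-1" -> "4.9.75"
    if version_ge "$base" 4.9.75; then
        echo "PASS kernel $kver is >= 4.9.75"
    else
        echo "FAIL kernel $kver is < 4.9.75 (unpatched for CVE-2017-5754)"; rc=1
    fi
    if cpuinfo_has_pti /proc/cpuinfo; then
        echo "PASS pti/kaiser flag present in /proc/cpuinfo"
    else
        echo "FAIL pti/kaiser flag absent (PTI not active)"; rc=1
    fi
    return $rc
}

check_system || echo "System does not appear to be fully mitigated."
```

The version check alone is not sufficient: a 4.9.75 kernel booted with PTI disabled still fails the cpuinfo check, which is why both are reported.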