[[!meta title="Intel MDS"]]

#NetBSD Security Update for the amd64 port (x86_64 architecture) - 20190514

###Description
Details and mitigation information about a sub-class of speculative execution
side-channel vulnerabilities called Microarchitectural Data Sampling (MDS) affecting
hardware starting with select 8th and 9th Generation Intel® Core™ processors, as
well as the 2nd Generation Intel® Xeon® Scalable Processor Family.

Please refer to the Intel Security Advisory 00233 located at the
[Intel website](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html).

This update is mitigation for the following CVEs:

###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)
* Microarchitectural Load Port Data Sampling (MLPDS), CVE-2018-12127
> CVSS: 6.5 Medium

* Microarchitectural Store Buffer Data Sampling (MSBDS), CVE-2018-12126
> CVSS: 6.5 Medium

* Microarchitectural Fill Buffer Data Sampling (MFBDS), CVE-2018-12130
> CVSS: 6.5 Medium

* Microarchitectural Uncacheable Data Sampling (MDSUM), CVE-2019-11091
> CVSS: 3.8 Low

##Status of the Fix
**NetBSD-7, and all earlier releases, have no planned fixes.**

[[!table data="""
Port |Vendor/Model |MDS |NetBSD-8 |NetBSD-current
amd64 |Intel |Vulnerable |Fixed [VERW][smtoff] |Fixed [VERW][smtoff]
"""]]

###Mitigation

The mitigation for MDS depends on the Intel CPU model and available microcode
or motherboard BIOS revision.

Should a motherboard manufacturer not have a BIOS update with the MDS fix for
the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest
microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**.

You may also want to disable SMT/HyperThreading to address certain aspects of
the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
can put **smtoff=YES** in your */etc/rc.conf* file.

###Enabling the mitigation

The two following sysctls are now available:

[[!template id=programlisting text="""
machdep.mds.mitigated = {0/1} user-settable
machdep.mds.method = {string} constructed by the kernel
"""]]

If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.

To manually enable the check, use "sysctl -w machdep.mds.mitigated=1". NetBSD
will then determine if it can apply the available mitigation. When set to 0,
NetBSD will disable the mitigation.

Note: "method" will then show a "[VERW]" if it is enabled, and "(none)" if not.
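The two sysctls and the rc.conf setting above are enough to audit a host's MDS posture, but the flag alone is not: mitigated=1 with method "(none)" means the kernel was asked to mitigate and found nothing to apply. The following shell function is an added example (not part of the NetBSD advisory) that takes the text of the sysctl output and of /etc/rc.conf as arguments, so it can be run against captured output from several hosts; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: classify a NetBSD host's MDS mitigation state from the
# machdep.mds.* sysctls and the smtoff setting in rc.conf.
#
# mds_verdict SYSCTL_TEXT RCCONF_TEXT
# Prints one of: mitigated, enabled-but-not-applied, disabled, unknown.
# ",smt-on" is appended when rc.conf does not contain smtoff=YES.
mds_verdict() {
    sysctl_out=$1
    rcconf=$2

    # Pull the values out of "name = value" lines as NetBSD's sysctl prints them.
    mitigated=$(printf '%s\n' "$sysctl_out" | sed -n 's/^machdep\.mds\.mitigated *= *//p')
    method=$(printf '%s\n' "$sysctl_out" | sed -n 's/^machdep\.mds\.method *= *//p')

    case "$mitigated:$method" in
        1:*VERW*) verdict=mitigated ;;                 # flag set and kernel applied VERW
        1:*)      verdict=enabled-but-not-applied ;;   # flag set, method is "(none)": no usable microcode
        0:*)      verdict=disabled ;;                  # mitigation switched off by the operator
        *)        verdict=unknown ;;                   # sysctl missing: kernel predates the fix
    esac

    # SMT is a separate knob; report it alongside the kernel mitigation.
    if ! printf '%s\n' "$rcconf" | grep -Eq '^smtoff="?YES"?'; then
        verdict="$verdict,smt-on"
    fi
    printf '%s\n' "$verdict"
}

# Constructed sample: the operator set the flag, but the BIOS lacks the MDS microcode.
sample_sysctl='machdep.mds.mitigated = 1
machdep.mds.method = (none)'
sample_rcconf='smtoff=YES'
mds_verdict "$sample_sysctl" "$sample_rcconf"   # prints enabled-but-not-applied
```

On a NetBSD host the inputs would be `mds_verdict "$(sysctl machdep.mds)" "$(cat /etc/rc.conf)"`.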