Language Selection

English French German Italian Portuguese Spanish

Security Patches and the Kernel (Linux)

Filed under
Linux
Security
  • Security updates for Tuesday

    Security updates have been issued by Fedora (community-mysql, crun, java-latest-openjdk, and mupdf), openSUSE (libssh2_org), and SUSE (go1.12, libseccomp, and tar).

  • New ZombieLoad Side-Channel Attack Variant: TSX Asynchronous Abort

    In addition to the JCC erratum being made public today and that performance-shifting Intel microcode update affecting Skylake through Cascade Lake, researchers also announced a new ZombieLoad side-channel attack variant dubbed "TSX Asynchronous Abort" or TAA for short.

    ZombieLoad / MDS (Microarchitectural Data Sampling) was announced back in May by researchers while today Cyberus Technology has announced a new variant focused on Intel processors with TSX (Transactional Synchronization Extensions). TSX Asynchronous Abort is a new ZombieLoad variant that was actually discovered back as part of Cyberus' originally discoveries but faced an extended embargo.

  • Linux Kernel Gets Mitigations For TSX Aync Abort Plus Another New Issue: iITLB Multihit

    The Linux kernel has just received its mitigation work for the newly-announced TSX Asynchronous Abort (TAA) variant of ZombieLoad plus revealing mitigations for another Intel CPU issue... So today in addition to the JCC Erratum and ZombieLoad TAA the latest is iITLB Multihit (NX) - No eXcuses.

    The mainline Linux kernel received mitigations for ZombieLoad TAA that work in conjunction with newly-published Intel microcode. The mitigations also now expose /sys/devices/system/cpu/vulnerabilities/tsx_async_abort for reporting the mitigation status plus a new tsx_async_abort kernel parameter. With the TAA mitigation, the system will clear CPU buffers on ring transitions.

  • LinuxBoot Continues Maturing - Now Able To Boot Windows

    LinuxBoot is approaching two years of age as the effort led by Facebook and others for replacing some elements of the system firmware with the Linux kernel.

    Chris Koch of Google presented at last month's Platform Security Summit 2019 on the initiative. The Platform Security Summit 2019 took place at the start of October at Microsoft's facilities in Redmond. LinuxBoot in recent months has been able to begin booting Windows 10, which is related to the recent reports on kexec'ing Windows from Linux. But not only is Windows booting but VMware and Xen are also now working in a LinuxBoot environment.

SUSE addresses Transactional Asynchronous Abort

Now the reaction from Red Hat and Canonical to Intel defects

  • Red Hat Responds to ZombieLoad v2 Security Vulnerabilities Affecting Intel CPUs

    Red Hat informes Softpedia today on a series of three new security vulnerabilities affecting the Intel CPU microarchitecture, but which have been already patched in the Linux kernel.

    The three new security vulnerabilities are CVE-2018-12207 (Machine Check Error on Page Size Change), CVE-2019-11135 (TSX Asynchronous Abort), as well as CVE-2019-0155 and CVE-2019-0154 (i915 graphics driver-related vulnerabilities). These are marked by Red Hat Security team as having an important and moderate security impact, which could allow attacker to gain read access to sensitive data, and which affects all supported Red Hat Enterprise Linux systems.

  • Ubuntu updates to mitigate latest Intel hardware vulnerabilities

    Today, Intel announced a group of new vulnerabilities affecting various Intel CPUs and associated GPUs, known as TSX Asynchronous Abort (CVE-2019-11135), Intel® Processor Machine Check Error (CVE-2018-12207), and two Intel i915 graphics hardware vulnerabilities (CVE-2019-0155, CVE-2019-0154).

    TSX Asynchronous Abort (TAA) is related to the previously announced MDS vulnerabilities but only affects Intel processors that support Intel® Transactional Synchronization Extensions (TSX). Due to the similarity between this issue and MDS, the mitigations for MDS are sufficient to also mitigate TAA. As such, processors which were previously affected by MDS and which have the MDS microarchitectural buffer clearing mitigations employed are not affected by TAA. For newer processors which were not affected by MDS, but which support Intel® TSX, TAA is mitigated in Ubuntu by a combination of an updated Linux kernel and Intel microcode packages which disable Intel® TSX. Where TSX is required, this can be re-enabled via a kernel command-line option (tsx=on) and in this case, the kernel will automatically employ microarchitectural buffer clearing mechanisms as used for MDS to mitigate TAA.

    Intel® Processor Machine Check Error (MCEPSC, also called iTLB multihit) is a vulnerability specific to virtualisation, where a virtual machine can cause a denial of service (system hang) to the host processor when hugepages are employed. This is mitigated in Ubuntu with an updated Linux kernel.

  • This week's hardware vulnerabilities

    A set of patches has just been pushed into the mainline repository (and stable updates) for yet another set of hardware vulnerabilities. "TSX async abort" (or TAA) exposes information through the usual side channels by way of internal buffers used with the transactional memory (TSX) instructions. Mitigation is done by disabling TSX or by clearing the relevant buffers when switching between kernel and user mode. Given that this is not the first problem with TSX, disabling it entirely is recommended; a microcode update may be needed to do so, though. This commit contains documentation on this vulnerability and its mitigation.

Canonical Announces Ubuntu Updates to Mitigate Latest Intel Vuln

  • Canonical Announces Ubuntu Updates to Mitigate Latest Intel Vulnerabilities

    Following on the footsteps of Red Hat, Canonical also announced today that it has prepared updates for all of its supported Ubuntu Linux releases to mitigate the latest Intel CPU security vulnerabilities.

    As we reported earlier, Intel announced today that several new security vulnerabilities are affecting various of its Intel CPU microarchitectures, as well as associated GPUs. These vulnerabilities are known as TSX Asynchronous Abort (CVE-2019-11135), Intel Processor Machine Check Error (CVE-2018-12207), and Intel i915 graphics hardware vulnerabilities (CVE-2019-0155, CVE-2019-0154).

    The first security vulnerability, TSX Asynchronous Abort (TAA), is related to the previously announced MDS (Microarchitectural Data Sampling) vulnerabilities. However, Canonical's Alex Murray explains that it only affects Intel processors that support the Intel Transactional Synchronization Extensions (TSX). As such, the existing MDS mitigations will also mitigate TAA.

Linux vs. Zombieland v2: The security battle continues

  • Linux vs. Zombieland v2: The security battle continues

    Here's the bad news: We're going to keep seeing fundamental Intel CPU security holes popping open until every last one of the current generations of these chips is in landfills. Zombieland v2 is only the latest of a line of problems, which go back to Meltdown and Spectre. The "good" news is for now Intel and the operating system companies are staying ahead of hackers. Here's what Linux and Red Hat are doing about the latest nastiness.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

7 free GIMP scripts and plug-ins for filters, brushes, textures and more

The free and open source photo-editing program called GIMP (GNU Image Manipulation Program) is a nice alternative to the subscription-based or boxed versions of its competition (including PhotoShop). Whether you’re a beginner with GIMP or a seasoned pro, there’s lots to love. Some of GIMP’s greatest assets are the plugins and scripts created by numerous independent programmers. At one time, there was a massive collection called the GIMP Plugin Registry, but that resource is no longer available. Consequently, you must search the Internet for GIMP plug-ins and scripts. To start you on the right track, we’ve selected our favorite plugins and scripts for you to try, with a brief description of each, and a link to the resource location. First; however, we should explain the complicated process of how to install these treasures and where to find them on the GIMP menus. Read more

Android Leftovers

Get started with Lumina for your Linux desktop

For a good number of years, there was a desktop operating system (OS) based on FreeBSD called PC-BSD. It was intended as an OS for general use, which was noteworthy because BSD development mostly focuses on servers. For most of its life, PC-BSD shipped with the KDE desktop by default, but the more KDE came to depend on Linux-specific technology, the more PC-BSD migrated away from it. PC-BSD became Trident, and its default desktop is Lumina, a collection of widgets written to use the same Qt toolkit that KDE is based upon, running on the Fluxbox window manager. You may find the Lumina desktop in your Linux distribution's software repository or in BSD's ports tree. If you install Lumina and you're already running another desktop, you may find yourself with redundant applications (two PDF readers, two file managers, and so on) because Lumina includes a few integrated applications. If you just want to try the Lumina desktop, you can install a Lumina-based BSD distribution in a virtual machine, such as GNOME Boxes. Read more

Android Leftovers