Differences between revisions 6 and 9 (spanning 3 versions)
Revision 6 as of 2018-02-15 20:13:50
Size: 2379
Editor: ?OlaLundqvist
Comment:
Revision 9 as of 2018-02-15 23:39:26
Size: 42
Editor: PaulWise
Comment: typo
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
=== Information leak via speculative execution side channel attacks ===
In January 2018, [[https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html|security researchers announced]] a new class of side channel attacks that impact most processors, including processors from Intel, AMD, ARM and IBM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory.

To address the issue in Debian, updates to the kernel, processor microcode, hypervisor, and various other userspace packages will be needed. These updates are being announced in Debian Long Term Security Announcements as they are available.

There are three separate vulnerabilities involved:

[[https://security-tracker.debian.org/tracker/CVE-2017-5753|CVE-2017-5753]] Spectre Variant 1, Bounds Check Bypass

[[https://security-tracker.debian.org/tracker/CVE-2017-5715|CVE-2017-5715]] Spectre Variant 2, Branch Target Injection

[[https://security-tracker.debian.org/tracker/CVE-2017-5754|CVE-2017-5754]] Meltdown Variant 3, Rogue Data Cache Load

The Spectre and Meltdown vulnerabilities have varying impacts in different environments, and the mitigations available can be difficult to understand.

This article will be updated periodically with new information as it becomes available, until the issues have been resolved.

=== Notes ===

Spectre Variant 2 can be exploited both locally (within the same OS) and through the virtualization guest boundary. Fixes require CPU microcode/firmware to activate. Subscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor.

=== Current Status ===

As announced in [[https://lists.debian.org/debian-lts-announce/2018/01/msg00004.html|DLA-1232-1]] Meltdown (CVE-2017-5754) has been fixed in the Linux kernel for 64 bit architecture. There is currently no known fix for 32 bit architecture.

=== Related information ===

Redhat has released [[https://access.redhat.com/security/vulnerabilities/speculativeexecution|good information]] that describe the issue further. Most information in this article is applicable to Debian wheezy as well.

Xen project has made an [[http://xenbits.xen.org/xsa/advisory-254.html|advisory]] on how to handle these issues in a Xen virtualization environment.
#REDIRECT DebianSecurity/SpectreMeltdown