I planned to update Arch every 10 days, but since updating some 3 days ago, news of a massive vulnerability in the chip processor all computers use came out. There are two demonstrated attacks called Meltdown and Spectre. So let me use the language of the openSUSE security patch email here to explain what these are.
- CVE-2017-5753 / "SpectreAttack": Local attackers on systems with modern
CPUs featuring deep instruction pipelining could use attacker
controllable speculative execution over code patterns in the Linux
Kernel to leak content from otherwise not readable memory in the same
address space, allowing retrieval of passwords, cryptographic keys and
other secrets.
This problem is mitigated by adding speculative fencing on affected code
paths throughout the Linux kernel.
- CVE-2017-5715 / "SpectreAttack": Local attackers on systems with modern
CPUs featuring branch prediction could use mispredicted branches to
speculatively execute code patterns that in turn could be made to leak
other non-readable content in the same address space, an attack similar
to CVE-2017-5753.
This problem is mitigated by disabling predictive branches, depending
on CPU architecture either by firmware updates and/or fixes in the
user-kernel privilege boundaries.
Please also check with your CPU / Hardware vendor on updated firmware
or BIOS images regarding this issue.
As this feature can have a performance impact, it can be disabled using
the "nospec" kernel commandline option.
- CVE-2017-5754 / "MeltdownAttack": Local attackers on systems with modern
CPUs featuring deep instruction pipelining could use code patterns in
userspace to speculatively execute code that would read
otherwise read protected memory, an attack similar to CVE-2017-5753.
This problem is mitigated by unmapping the Linux Kernel from the user
address space during user code execution, following an approach called
"KAISER". The terms used here are "KAISER" / "Kernel Address Isolation"
and "PTI" / "Page Table Isolation".
Note that this is only done on affected platforms.
This feature can be enabled / disabled by the "pti=[on|off|auto]" or
"nopti" commandline options.
Linux distros have pushed patches, so I'm doing an update today. I'm updating my mirrors first with:
$ reflector --latest 8 --protocol https --sort rate --save /etc/pacman.d/mirrorlist
Then I update my system with:
$ pacman -Syu
I should be receiving the same patch that OpenSuse pushed to their users.
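To confirm after the update and reboot that the mitigations named in the advisory are active, this added example (not part of the original post or the openSUSE advisory) reads the kernel's per-vulnerability status files and flags the boot options the advisory lists as switching mitigations off. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and later); a missing file is reported as unknown. The function names are this example's own.

```shell
#!/bin/sh
# Added example: check Meltdown/Spectre mitigation status on a Linux host.

# Print each boot option (from the advisory) that disables a mitigation.
disabling_options() {
    tr -s ' \t' '\n' < "$1" | grep -E '^(nopti|pti=off|nospec)$' || true
}

# Map one kernel status line to a coarse state.
classify() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;   # file missing or unrecognised text
    esac
}

# report [status_dir] [cmdline_file]
# Returns 0 only if all three CVEs are mitigated or not applicable and no
# disabling boot option is present. Arguments default to the live system.
report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    cmdline=${2:-/proc/cmdline}
    rc=0
    for pair in "CVE-2017-5753:spectre_v1" \
                "CVE-2017-5715:spectre_v2" \
                "CVE-2017-5754:meltdown"; do
        file=${pair#*:}
        line=$(cat "$dir/$file" 2>/dev/null || true)
        state=$(classify "$line")
        printf '%-14s %-12s %s\n' "${pair%%:*}" "$state" "$line"
        case "$state" in vulnerable|unknown) rc=1 ;; esac
    done
    off=$(disabling_options "$cmdline")
    if [ -n "$off" ]; then
        echo "boot options disabling mitigations:" $off
        rc=1
    fi
    return "$rc"
}

report || echo "Mitigations incomplete: check kernel version, microcode and boot options."
```
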