Information leak via speculative execution side channel attacks

In January 2018, security researchers announced a new class of side channel attacks that impact most processors, including processors from Intel, AMD, ARM and IBM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory.

To address the issue in Ubuntu, updates to the kernel, processor microcode, hypervisor, and various other userspace packages will be needed. These updates are being announced in Ubuntu Security Notices as they are available.

There were three original vulnerabilities involved:

| Group | Name | Variant | Description | Ubuntu CVE Tracker |
| --- | --- | --- | --- | --- |
| Jan 2018 | Spectre | Variant 1 | Bounds Check Bypass | CVE-2017-5753 |
| Jan 2018 | Spectre | Variant 2 | Branch Target Injection | CVE-2017-5715 |
| Jan 2018 | Meltdown | Variant 3 | Rogue Data Cache Load | CVE-2017-5754 |

The Spectre and Meltdown vulnerabilities have varying impacts in different environments, and the mitigations available can be difficult to understand. We've prepared a Technical FAQ to help answer many common questions.

This article will be updated periodically with new information as it becomes available, until the issues have been resolved.

Current Status

From a guest and non-hypervisor bare-metal perspective, as of the Feb 21 kernel updates, as far as we are aware, the mitigations for Spectre and Meltdown on 64-bit amd64, ppc64el and s390x are feature-complete as long as all microcode, firmware and hypervisor updates underneath the system are done. However:

Ubuntu kernels have been rebuilt using retpolines on i386 and amd64 for Ubuntu 17.10, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS (linux-lts-xenial, aka the Hardware Enablement kernel) only. We are investigating selective rebuilds of Ubuntu userspace packages to make use of retpoline.

Additionally:

No fix is currently available for Meltdown on 32-bit x86; moving to a 64-bit kernel is the currently recommended mitigation.

No fixes are yet available for ARM platforms. Note that a relatively small number of standard ARM cores are known to be affected.

For Ubuntu hypervisors, further work will be required to expose the Spectre variant 2 mitigations to guests running on top of Ubuntu, including a qemu update and some additional kernel updates.

Kernel Mitigations

Ubuntu enables available kernel mitigations to provide a secure-by-default experience. It should be noted that the security features that mitigate these vulnerabilities can lead to a decrease in system performance. Reputable reports of published application performance data can aid in understanding the impact in various environments. Environments which do not execute untrusted code may benefit from toggling the mitigation controls to disable some or all of the kernel mitigations.
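To see which of these mitigations the running kernel actually reports, kernels carrying the fixes expose one status file per issue under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example, not part of this article or of Ubuntu's own tooling; it classifies those status strings and summarizes the three issues tracked here, and treats a kernel without that directory as "unknown" rather than as mitigated, since an absent file is not evidence of a fix.

```shell
#!/bin/sh
# Added example (not from the Ubuntu article): classify the per-issue status
# strings the kernel exposes under /sys/devices/system/cpu/vulnerabilities/
# and summarize the three issues this article tracks. The directory and file
# names are the kernel's real interface; no specific host output is assumed.

# classify_status STATUS -> one of: not-affected, mitigated, vulnerable, unknown
# Each file starts with "Not affected", "Mitigation:" or "Vulnerable";
# anything else (for example an empty read) is reported as unknown.
classify_status() {
  case "$1" in
    "Not affected"*) echo "not-affected" ;;
    "Mitigation:"*)  echo "mitigated" ;;
    "Vulnerable"*)   echo "vulnerable" ;;
    *)               echo "unknown" ;;
  esac
}

# summarize_lines: read "<issue> <status string>" lines from stdin, print one
# verdict per issue, and return 1 if any issue is still vulnerable.
summarize_lines() {
  rc=0
  while IFS= read -r line; do
    issue=${line%% *}
    status=${line#* }
    verdict=$(classify_status "$status")
    printf '%-10s %-12s %s\n' "$issue" "$verdict" "$status"
    if [ "$verdict" = "vulnerable" ]; then rc=1; fi
  done
  return "$rc"
}

# report_host: read spectre_v1, spectre_v2 and meltdown from the live kernel.
# A missing directory means the kernel predates the interface; that is not
# evidence of a mitigation, so it is reported separately (exit status 2).
report_host() {
  dir=/sys/devices/system/cpu/vulnerabilities
  if [ ! -d "$dir" ]; then
    echo "$dir not found: kernel predates the sysfs vulnerability interface" >&2
    return 2
  fi
  for issue in spectre_v1 spectre_v2 meltdown; do
    [ -r "$dir/$issue" ] && printf '%s %s\n' "$issue" "$(cat "$dir/$issue")"
  done | summarize_lines
}

# Query the live system only when invoked as: sh check.sh --host
if [ "${1-}" = "--host" ]; then
  report_host
fi
```

The exit status (0 all mitigated or not affected, 1 something still vulnerable, 2 interface absent) makes the script usable from configuration-management or fleet-inventory checks after the kernel and microcode updates have been applied.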

The current kernel mitigation status is as follows:

| Key | Meaning |
| --- | --- |
| S1 | Spectre / Variant 1 / CVE-2017-5753 |
| S2 | Spectre / Variant 2 / CVE-2017-5715 |
| M | Meltdown / Variant 3 / CVE-2017-5754 |
| Y | Updates have been published to mitigate the issue |
| F | Updates have been published to mitigate the issue but require updated firmware/microcode |
| R | Kernel compiled with Retpoline; please see the FAQ around Retpoline to better understand the extent of this mitigation |
| - | Updates are not yet available |
| U | Architecture is unsupported |

Processor Firmware Availability

| Ubuntu Architectures | Vendor Statements | Firmware Status | Notes |
| --- | --- | --- | --- |
| i386, amd64 | Intel, AMD | Available, see USN-3531-3 and USN-3690-2 | Note that some users experienced lockups with the 180108 version of the intel-microcode |
| ppc64el | IBM | Available from IBM | |
| s390x | IBM | Available from IBM | |
| armhf, arm64 | ARM, Cavium | Available from system vendors | A relatively small number of standard ARM cores are known to be affected |

Userspace Mitigations

Mitigations have been released for the following non-kernel packages:

Cloud Images

Cloud images which address CVE-2017-5753 and CVE-2017-5715 (aka Spectre) and CVE-2017-5754 (aka Meltdown) are available from https://cloud-images.ubuntu.com for the following releases:

| Release | Serial |
| --- | --- |
| trusty | 20180122 |
| xenial | 20180222 |
| artful | 20180222 |

Important notes

As release images are published in clouds, many are indexed at https://cloud-images.ubuntu.com/locator/. This tool can be used to find images with the above serials, or later, with the applicable fixes.

Previously released cloud images (serial 20180109 for xenial and artful, and serial 20180110 for trusty) only mitigated Meltdown.

Note: A small number of systems running linux 4.4.0-108.131 were affected by LP: #1741934 which was fixed in 4.4.0-109.132. Cloud instances were not affected by the bug. Cloud images created using 4.4.0-108.131 and its derivatives (for example, linux-aws 4.4.0-1047.56) have the mitigations for Meltdown.

Kernels compiled with retpoline enabled compiler flags on amd64 and i386 are only available for Ubuntu 16.04 LTS and Ubuntu 17.10 (serial 20180222 for both).

Ubuntu Core images

Canonical officially supports reference kernel snaps for amd64 (pc-kernel), i386 (pc-kernel), rpi2/rpi3 (pi2-kernel) and dragonboard (dragonboard-kernel). Updates for affected architectures for Meltdown are available:

| Kernel | Snap revision | Ubuntu Core image |
| --- | --- | --- |
| pc-kernel (amd64) | 98 | http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/ubuntu-core-16-amd64.img.xz |
| pc-kernel (i386) | 99 | http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/ubuntu-core-16-i386.img.xz |

Early Raspberry Pi 2 boards use the Cortex-A7 processor and later versions use the Cortex-A53 processor. Raspberry Pi 3 boards use the Cortex-A53 processor. 96boards Dragonboard 410c boards use the Cortex-A53. According to ARM, none of these devices support speculative execution and are therefore unaffected by Spectre and Meltdown.

None at this time.

Timeline

Additional Side Channel Issues

Since Spectre and Meltdown were disclosed, additional side channel issues have been disclosed and documented in separate KnowledgeBase articles. You can see these articles at the following URLs: