Language Selection

English French German Italian Portuguese Spanish

Security Patches and the Kernel (Linux)

Filed under
Linux
Security
  • Security updates for Tuesday

    Security updates have been issued by Fedora (community-mysql, crun, java-latest-openjdk, and mupdf), openSUSE (libssh2_org), and SUSE (go1.12, libseccomp, and tar).

  • New ZombieLoad Side-Channel Attack Variant: TSX Asynchronous Abort

    In addition to the JCC erratum being made public today and that performance-shifting Intel microcode update affecting Skylake through Cascade Lake, researchers also announced a new ZombieLoad side-channel attack variant dubbed "TSX Asynchronous Abort" or TAA for short.

    ZombieLoad / MDS (Microarchitectural Data Sampling) was announced back in May by researchers while today Cyberus Technology has announced a new variant focused on Intel processors with TSX (Transactional Synchronization Extensions). TSX Asynchronous Abort is a new ZombieLoad variant that was actually discovered back as part of Cyberus' originally discoveries but faced an extended embargo.

  • Linux Kernel Gets Mitigations For TSX Aync Abort Plus Another New Issue: iITLB Multihit

    The Linux kernel has just received its mitigation work for the newly-announced TSX Asynchronous Abort (TAA) variant of ZombieLoad plus revealing mitigations for another Intel CPU issue... So today in addition to the JCC Erratum and ZombieLoad TAA the latest is iITLB Multihit (NX) - No eXcuses.

    The mainline Linux kernel received mitigations for ZombieLoad TAA that work in conjunction with newly-published Intel microcode. The mitigations also now expose /sys/devices/system/cpu/vulnerabilities/tsx_async_abort for reporting the mitigation status plus a new tsx_async_abort kernel parameter. With the TAA mitigation, the system will clear CPU buffers on ring transitions.

  • LinuxBoot Continues Maturing - Now Able To Boot Windows

    LinuxBoot is approaching two years of age as the effort led by Facebook and others for replacing some elements of the system firmware with the Linux kernel.

    Chris Koch of Google presented at last month's Platform Security Summit 2019 on the initiative. The Platform Security Summit 2019 took place at the start of October at Microsoft's facilities in Redmond. LinuxBoot in recent months has been able to begin booting Windows 10, which is related to the recent reports on kexec'ing Windows from Linux. But not only is Windows booting but VMware and Xen are also now working in a LinuxBoot environment.

SUSE addresses Transactional Asynchronous Abort

Now the reaction from Red Hat and Canonical to Intel defects

  • Red Hat Responds to ZombieLoad v2 Security Vulnerabilities Affecting Intel CPUs

    Red Hat informes Softpedia today on a series of three new security vulnerabilities affecting the Intel CPU microarchitecture, but which have been already patched in the Linux kernel.

    The three new security vulnerabilities are CVE-2018-12207 (Machine Check Error on Page Size Change), CVE-2019-11135 (TSX Asynchronous Abort), as well as CVE-2019-0155 and CVE-2019-0154 (i915 graphics driver-related vulnerabilities). These are marked by Red Hat Security team as having an important and moderate security impact, which could allow attacker to gain read access to sensitive data, and which affects all supported Red Hat Enterprise Linux systems.

  • Ubuntu updates to mitigate latest Intel hardware vulnerabilities

    Today, Intel announced a group of new vulnerabilities affecting various Intel CPUs and associated GPUs, known as TSX Asynchronous Abort (CVE-2019-11135), Intel® Processor Machine Check Error (CVE-2018-12207), and two Intel i915 graphics hardware vulnerabilities (CVE-2019-0155, CVE-2019-0154).

    TSX Asynchronous Abort (TAA) is related to the previously announced MDS vulnerabilities but only affects Intel processors that support Intel® Transactional Synchronization Extensions (TSX). Due to the similarity between this issue and MDS, the mitigations for MDS are sufficient to also mitigate TAA. As such, processors which were previously affected by MDS and which have the MDS microarchitectural buffer clearing mitigations employed are not affected by TAA. For newer processors which were not affected by MDS, but which support Intel® TSX, TAA is mitigated in Ubuntu by a combination of an updated Linux kernel and Intel microcode packages which disable Intel® TSX. Where TSX is required, this can be re-enabled via a kernel command-line option (tsx=on) and in this case, the kernel will automatically employ microarchitectural buffer clearing mechanisms as used for MDS to mitigate TAA.

    Intel® Processor Machine Check Error (MCEPSC, also called iTLB multihit) is a vulnerability specific to virtualisation, where a virtual machine can cause a denial of service (system hang) to the host processor when hugepages are employed. This is mitigated in Ubuntu with an updated Linux kernel.

  • This week's hardware vulnerabilities

    A set of patches has just been pushed into the mainline repository (and stable updates) for yet another set of hardware vulnerabilities. "TSX async abort" (or TAA) exposes information through the usual side channels by way of internal buffers used with the transactional memory (TSX) instructions. Mitigation is done by disabling TSX or by clearing the relevant buffers when switching between kernel and user mode. Given that this is not the first problem with TSX, disabling it entirely is recommended; a microcode update may be needed to do so, though. This commit contains documentation on this vulnerability and its mitigation.

Canonical Announces Ubuntu Updates to Mitigate Latest Intel Vuln

  • Canonical Announces Ubuntu Updates to Mitigate Latest Intel Vulnerabilities

    Following on the footsteps of Red Hat, Canonical also announced today that it has prepared updates for all of its supported Ubuntu Linux releases to mitigate the latest Intel CPU security vulnerabilities.

    As we reported earlier, Intel announced today that several new security vulnerabilities are affecting various of its Intel CPU microarchitectures, as well as associated GPUs. These vulnerabilities are known as TSX Asynchronous Abort (CVE-2019-11135), Intel Processor Machine Check Error (CVE-2018-12207), and Intel i915 graphics hardware vulnerabilities (CVE-2019-0155, CVE-2019-0154).

    The first security vulnerability, TSX Asynchronous Abort (TAA), is related to the previously announced MDS (Microarchitectural Data Sampling) vulnerabilities. However, Canonical's Alex Murray explains that it only affects Intel processors that support the Intel Transactional Synchronization Extensions (TSX). As such, the existing MDS mitigations will also mitigate TAA.

Linux vs. Zombieland v2: The security battle continues

  • Linux vs. Zombieland v2: The security battle continues

    Here's the bad news: We're going to keep seeing fundamental Intel CPU security holes popping open until every last one of the current generations of these chips is in landfills. Zombieland v2 is only the latest of a line of problems, which go back to Meltdown and Spectre. The "good" news is for now Intel and the operating system companies are staying ahead of hackers. Here's what Linux and Red Hat are doing about the latest nastiness.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Android Leftovers

Graphics: AMD, Intel, Vulkan/Flycast and NVIDIA

  • AMD Publishes Vega 7nm ISA Documentation - 300 More Pages Of GPU Docs

    Beyond AMD's open-source graphics driver stack of the past decade, part of their original open-source plans have also involved providing public (NDA-free) GPU hardware documentation. That has come with time though the documentation drops are not coordinated in-step with code drops. Out today, for example, is the ISA documentation on Vega 7nm. Back in 2017 was the timely release of the Vega ISA documentation and earlier this summer was even the RDNA 1.0 ISA documentation but missing out until now was the Vega 7nm ISA documentation.

  • Intel's Iris Gallium3D Driver Continuing To See Performance Optimizations On Mesa 20.0

    With the current Mesa 19.3 there is the Intel Gallium3D driver generally performing much better than their "classic" i965 driver and for Mesa 20.0 it looks to only make more ground as it switches over to this driver by default. Beyond the recent build system changes for supporting an Intel Gallium3D default and building it as part of the default x86/x86_64 Gallium3D drivers with hopes of soon flipping the switch for Broadwell and newer, more performance optimizations are still being done.

  • Dreamcast emulator Flycast adds a Vulkan renderer

    There seems to be quite a lot of interest in Vulkan lately, as more projects begin using it. Now we have the Dreamcast emulator Flycast adding Vulkan support. In the technical blog post announcing it on the Libretro site, it gives a bit of brief history of the Dreamcast GPU and mentions the usual "less overhead, more reliability and better performance in many cases" when it comes to using Vulkan although it's a lot more complicated to use.

  • NVIDIA have two new Linux drivers available, one stable and one Vulkan Beta

    NVIDIA continue pushing their drivers forwards with two new Linux driver updates available. Let's take a quick look. First, the stable 440.44 driver release as part of their long-lived branch. This adds support for the Quadro T2000 with Max-Q Design, you can now use the "__GL_SYNC_DISPLAY_DEVICE" environment variable for Vulkan applications and it fixes a few bugs like tearing with a G-SYNC or G-SYNC Compatible monitor when you've got something running directly on a display (like VR).

Watch these videos from the Linux App Summit

For some, the holidays are a hectic time of shopping, cooking, and a house overflowing with loved ones. For others, they’re quiet times spent with just a few friends, or even in solitude behind the warm glow of a computer monitor. And for still others, it’s a workday like any other. No matter how you end up spending the holiday season this year, there’s comfort to be found in the Linux App Summit of 2019. This summit, which combined the strengths of everyone involved in developing applications for Linux, focused on a few major topics... Read more

Most essential apps for every Linux user | 2020

When you first install a Linux distro or do a fresh install on a system, you need to install the essential apps for regular use. That is why I have prepared a quick guide list of the essential apps for every Linux user. So that you can check and go through the installation easily and get the needed apps for your better use and workflow. Read more