LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-21-2019, 03:16 AM   #1
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Rep: Reputation: 76
MDS Zombieload protection on Ubuntu


Hi,

I'm a little bit unsure about how to patch my Ubuntu servers and my Ubuntu Desktop for that matter. I've installed the intel-microcode package 3.20190514.0ubuntu0.18.04.2 and kernel version 4.15.0-50 (server version), recommended by Ubuntu here: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS

I've done that on a virtual machine running in an unpatched vsphere. I've downloaded a mdstool-cli to check if this has been mitigated, but I get:
Code:
Micro-architectural Data Sampling:
 * Line Fill Buffers (MFBDS): Vulnerable
 * Store Buffers (MSBDS): Vulnerable
 * Load Ports (MLPDS): Vulnerable
 * Uncached Memory (MDSUM): Vulnerable
 * SMT: Unaffected
 * MD_CLEAR: Not Available
I get the exact same thing on my Ubuntu Desktop, although I'm running the latest kernel 4.18.0-20 and the latest version of intel-microcode.

On my desktop (so baremetal, as it were):
Quote:
cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable
On my Ubuntu-VM running on vsphere:
Quote:
cat /sys/devices/system/cpu/vulnerabilities/mds
Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
The same thing I get on Ubuntu 18.04 running as a VM in virtualbox on the same desktop pc.

So the VM doesn't know the status of hyperthreading, if I understand correctly.


Any ideas how I can patch my Ubuntu desktops/servers?

Last edited by vincix; 05-21-2019 at 01:05 PM.
 
Old 05-21-2019, 01:00 PM   #2
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Original Poster
Rep: Reputation: 76
If I understand correctly, it doesn't really make any sense installing the intel-microcode package on the VM, because those firmware changes are obviously not going to be applied on the baremetal server's processor. I wonder, still, if it changes anything (whatever virtual version the hypervisor is presenting to the virtual machine, for instance) or if it simply ignored.

So on the virtual machines themselves only the kernel versions would remain to be updated, while on the hypervisor the kernel version, the microcode (intel-microcode on linux) and if necessary the qemu and libvirt (for hypervisors which use kvm).
 
Old 07-09-2019, 05:12 AM   #3
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Original Poster
Rep: Reputation: 76
Nobody has any opinion on that? I still haven't been able to get a straight answer
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Canonical Releases Ubuntu Updates to Mitigate New MDS Security Vulnerabilities LXer Syndicated Linux News 0 05-15-2019 01:51 PM
LXer: Linux vs. Zombieload LXer Syndicated Linux News 0 05-15-2019 12:33 PM
Converting MDF/MDS image files to iso? minm Linux - Newbie 6 10-17-2009 10:02 AM
.mds and .mdf to iso xIEatxChildrenx Linux - Software 2 03-11-2005 01:01 PM
CD image with .mds/.mdf extention nnsg Linux - Software 21 11-11-2004 07:57 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:54 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration