• [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:26.mcu

    From FreeBSD Security Advisories@21:1/5 to All on Tue Nov 12 20:00:01 2019
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    =============================================================================
    FreeBSD-SA-19:26.mcu                                        Security Advisory
    The FreeBSD Project

    Topic: Intel CPU Microcode Update

    Category: 3rd party
    Module: Intel CPU microcode
    Announced: 2019-11-12
    Credits: Intel
    Affects: All supported versions of FreeBSD running on certain
    Intel CPUs.
    CVE Name: CVE-2019-11135, CVE-2019-11139, CVE-2018-12126,
    CVE-2018-12127, CVE-2018-12130, CVE-2018-11091,
    CVE-2017-5715


    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the
    following sections, please visit <URL:https://security.FreeBSD.org/>.

    I. Background

    From time to time Intel releases new CPU microcode to address functional
    issues and security vulnerabilities. Such a release is also known as a
    Micro Code Update (MCU), and is a component of a broader Intel Platform
    Update (IPU). FreeBSD distributes CPU microcode via the devcpu-data port
    and package.

    II. Problem Description

    Starting with version 1.26, the devcpu-data port/package includes updates and mitigations for the following technical and security advisories (depending
    on CPU model).

    Intel TSX Updates (TAA)             CVE-2019-11135
    Voltage Modulation Vulnerability    CVE-2019-11139
    MD_CLEAR Operations                 CVE-2018-12126
                                        CVE-2018-12127
                                        CVE-2018-12130
                                        CVE-2018-11091
    TA Indirect Sharing                 CVE-2017-5715
    EGETKEY                             CVE-2018-12126
                                        CVE-2018-12127
                                        CVE-2018-12130
                                        CVE-2018-11091
    JCC SKX102 Erratum

    Updated microcode includes mitigations for CPU issues, but may also cause a performance regression due to the JCC erratum mitigation. Please visit http://www.intel.com/benchmarks for further information.

    Please visit http://www.intel.com/security for detailed information on
    these advisories as well as a list of CPUs that are affected.

    III. Impact

    Operating a CPU without the latest microcode may result in erratic or unpredictable behavior, including system crashes and lock ups. Certain
    issues listed in this advisory may result in the leakage of privileged
    system information to unprivileged users. Please refer to the security advisories listed above for detailed information.

    IV. Workaround

    To determine if TSX is present in your system, run the following:

    1. kldload cpuctl

    2. cpucontrol -i 7 /dev/cpuctl0

    If bits 4 (0x10) and 11 (0x800) are set in the second response word (EBX),
    TSX is present.

    In the absence of updated microcode, TAA can be mitigated by enabling the
    MDS mitigation:

    3. sysctl hw.mds_disable=1

    Systems must be running FreeBSD 11.3, FreeBSD 12.1, or later for this to
    work.

    *IMPORTANT*
    If your use case can tolerate leaving the CPU issues unmitigated and cannot tolerate a performance regression, ensure that the devcpu-data package is
    not installed or is locked at 1.25 or earlier.

    # pkg delete devcpu-data

    or

    # pkg lock devcpu-data

    Later versions of the LLVM and GCC compilers will include changes that partially relieve the performance impact.

    V. Solution

    Install the latest Intel Microcode Update via the devcpu-data port/package, version 1.26 or later.

    Updated microcode adds the ability to disable TSX. With updated microcode
    the issue can still be mitigated by enabling the MDS mitigation as
    described in the workaround section, or by disabling TSX instead:

    1. kldload cpuctl

    2. cpucontrol -i 7 /dev/cpuctl0

    If bit 29 (0x20000000) is set in the fourth response word (EDX), then the
    0x10a MSR is present.

    3. cpucontrol -m 0x10a /dev/cpuctl0

    If bit 8 (0x100) of the response word is set, your CPU is not vulnerable to
    TAA and no further action is required.

    If bit 7 (0x80) is cleared, then your CPU does not have updated microcode
    that allows TSX to be disabled. The only remedy available is to
    enable the MDS mitigation, as documented above.

    4. cpucontrol -m 0x122=3 /dev/cpuctl0

    Repeat step 4 for each numbered CPU that is present.
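
    The bit checks from sections IV and V, combined into one decision function as an added example (not part of the advisory or of FreeBSD). The layout of the cpucontrol output lines, the status strings, and the handling of an absent 0x10a MSR are assumptions; the sample lines are constructed.

```shell
#!/bin/sh
# Assumed output layout (not stated in the advisory):
#   cpucontrol -i 7     -> "cpuid level 0x7: EAX EBX ECX EDX"
#   cpucontrol -m 0x10a -> "MSR 0x10a: HIGH LOW"

# nth_word LINE N: print the Nth hex word after the "label: " prefix.
nth_word() {
    set -- "$2" ${1#*: }    # $1 = N, remaining args = the response words
    shift "$1"
    echo "$1"
}

# bits_set VALUE MASK: succeed only if every bit of MASK is set in VALUE.
bits_set() {
    [ $(( $1 & $2 )) -eq $(( $2 )) ]
}

# taa_status CPUID_LINE [MSR_10A_LINE]: print which branch of the advisory applies.
taa_status() {
    ebx=$(nth_word "$1" 2)
    edx=$(nth_word "$1" 4)
    # EBX bits 4 (0x10) and 11 (0x800) both set: TSX is present.
    bits_set "$ebx" 0x810 || { echo "tsx-absent"; return 0; }
    # EDX bit 29 set: the 0x10a MSR is present. If it is not, this example
    # assumes the MDS mitigation is the only option (no TSX control available).
    bits_set "$edx" 0x20000000 || { echo "mds-mitigation-only"; return 0; }
    [ -n "${2:-}" ] || { echo "need-msr-0x10a"; return 0; }
    cap=$(nth_word "$2" 2)
    # MSR 0x10a bit 8 set: CPU is not vulnerable to TAA.
    bits_set "$cap" 0x100 && { echo "not-vulnerable"; return 0; }
    # MSR 0x10a bit 7 clear: microcode cannot disable TSX.
    bits_set "$cap" 0x80 || { echo "mds-mitigation-only"; return 0; }
    # Bit 7 set: step 4 (cpucontrol -m 0x122=3) applies, once per CPU.
    echo "can-disable-tsx"
}

# Constructed sample lines, not captured from a real system.
SAMPLE_CPUID='cpuid level 0x7: 0x00000000 0x00000810 0x00000000 0x20000000'
SAMPLE_MSR='MSR 0x10a: 0x00000000 0x00000080'
taa_status "$SAMPLE_CPUID" "$SAMPLE_MSR"
```

    On a live system, pass the lines printed by steps 2 and 3 in place of the sample strings.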

    A future kernel change to FreeBSD will provide automatic detection and mitigation for TAA.

    LLVM 9.0 will be updated in FreeBSD 13-current to address the JCC
    performance impact. Updates to prior versions of LLVM are currently being evaluated.

    VI. Correction details

    There are currently no changes in FreeBSD to address this issue.

    VII. References

    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135>
    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11139>
    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126>
    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127>
    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130>
    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11091>
    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715>
    <URL:https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/>
    <URL:https://software.intel.com/security-software-guidance/software-guidance/intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort>
    <URL:https://www.intel.com/content/www/us/en/support/articles/000055650.html>

    The latest revision of this advisory is available at
    <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:26.mcu.asc>
    -----BEGIN PGP SIGNATURE-----

    -----END PGP SIGNATURE-----