Installing package intel-microcode in Debian 10 (Buster) mitigates
most vulnerabilities as per spectre-meltdown-checker. However,
CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated
after reboot, with spectre-meltdown-checker --explain (executed as
su) pointing to missing microcode upgrades.
According to the Debian package description of intel-microcode, the
two vulnerabilities are fixed in the current version of the package.
This occurs in exactly the same way on two different machines, one
with an i5-3320M CPU and another one with an E3-1235L v5.
If I remember correctly, I was all green as per
spectre-meltdown-checker in Debian 9 (Stretch).
On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
> Installing package intel-microcode in Debian 10 (Buster) mitigates
> most vulnerabilities as per spectre-meltdown-checker. However,
> CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated
> after reboot, with spectre-meltdown-checker --explain (executed as
> su) pointing to missing microcode upgrades.
> [...]

What version of intel-microcode do you have installed?
On 08.01.21 22:34, Michael Stone wrote:
> On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
> > [...]
>
> What version of intel-microcode do you have installed?

intel-microcode:amd64/buster 3.20200616.1~deb10u1 uptodate, installed
from Debian non-free repository
On Fri, Jan 08, 2021 at 10:48:30PM +0100, Christoph Pflügler wrote:
> On 08.01.21 22:34, Michael Stone wrote:
> > What version of intel-microcode do you have installed?
>
> intel-microcode:amd64/buster 3.20200616.1~deb10u1 uptodate, installed
> from Debian non-free repository

With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 the
checker reports green for those checks on my test system. Do you have
the latest spectre-meltdown-checker, and are you running it as root?
If I run the current version as an unprivileged user those checks come
up red (presumably because it can't read the cpu registers it is
trying to read).
On 08.01.21 23:40, Michael Stone wrote:
> With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 the
> checker reports green for those checks on my test system. Do you have
> the latest spectre-meltdown-checker, and are you running it as root?
> If I run the current version as an unprivileged user those checks come
> up red (presumably because it can't read the cpu registers it is
> trying to read).

spectre-meltdown-checker:all/buster 0.42-1 uptodate, installed from
Debian repository.

Yes, I executed it as root (su -> <passwd> -> spectre-meltdown-checker).
I get exactly the same results running it as an unprivileged user. This
is what spectre-meltdown-checker, run as root, shows for the two CVEs:

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability: N/A
STATUS: VULNERABLE (your CPU supports SGX and the microcode is not up to date)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability: NO
STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)

Linux version is also 4.19.0-13-amd64.
Both my instances are (almost) fresh installations (GNOME) based on
recently released debian-10.7.0-amd64-netinst.iso.
On 1/9/21 9:48 AM, Christoph Pflügler wrote:
> CVE-2018-3640 aka 'Variant 3a, rogue system register read'
> * CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)
> [...]

I can confirm spectre-meltdown-checker reporting CVE-2018-3640 is not
being mitigated by intel-microcode on a NUC6CAYS system, fully updated
Bullseye/Sid. This is a Celeron system.

However, the same intel-microcode version on the same OS does mitigate
this vulnerability on NUC5i7RYH and NUC8i3BEH systems.

In any case, according to Intel, microcode should be updated by BIOS
On Tue, Jan 12, 2021 at 05:25:23PM +0100, Giacomo Catenazzi wrote:
> In any case, according to Intel, microcode should be updated by BIOS

I wonder if anyone from intel can manage to say that with a straight
face.
[    0.000000] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
[    0.379026] SRBDS: Vulnerable: No microcode
[    1.625090] microcode: sig=0x506e3, pf=0x2, revision=0xd6
[    1.625215] microcode: Microcode Update Driver: v2.2.

Seems like the microcode is applied to my CPUs. This is also supported
by numerous other CVEs getting mitigated after intel-microcode
installation.

I also tried the latest meltdown-spectre-checker (v0.44), the results
are the same (plus another red 2020 CVE).
On Wed, Jan 13, 2021 at 09:49:43PM +0100, Christoph Pflügler wrote:
> [    0.000000] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
> [    0.379026] SRBDS: Vulnerable: No microcode
> [    1.625090] microcode: sig=0x506e3, pf=0x2, revision=0xd6
> [    1.625215] microcode: Microcode Update Driver: v2.2.
>
> Seems like the microcode is applied to my CPUs. This is also
> supported by numerous other CVEs getting mitigated after
> intel-microcode installation.

That's exactly the same signature I was testing with different results:
microcode: sig=0x506e3, pf=0x2, revision=0xd6

The only way I can get your results is to run unprivileged, but you
said you weren't doing that. The checks for 3640 and 3615 are
basically just looking for SSBD; in the top section the line that says
"CPU indicates SSBD capability" presumably says something other than
"YES (Intel SSBD)"?

> I also tried the latest meltdown-spectre-checker (v0.44), the results
> are the same (plus another red 2020 CVE).

This is presumably CVE-2020-0543; if you look at the changelog for
intel-microcode it discusses that issue. You can install the backports
version which should fix that at the risk of a boot failure.
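An added example, not part of the thread and not code from spectre-meltdown-checker, that rebuilds from /proc/cpuinfo-style text the facts the replies above turn on: the CPUID signature the kernel prints as sig=0x506e3, the family-model-stepping file name the intel-microcode package would need to carry for that CPU (the /lib/firmware/intel-ucode/ layout is an assumption), the loaded microcode revision, and the ssbd flag that the CVE-2018-3640/3615 checks look for. The sample cpuinfo is constructed to match the E3 v5 discussed, and msr_readable shows the root-versus-unprivileged difference Michael points at.

```shell
#!/bin/sh
# Added example (not from the thread or from spectre-meltdown-checker).

# Constructed /proc/cpuinfo excerpt modelled on the E3 v5 in the thread
# (family 6, model 94, stepping 3, revision 0xd6); not a real capture.
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 94
model name : Intel(R) Xeon(R) CPU E3-1235L v5 @ 2.00GHz
stepping : 3
microcode : 0xd6
flags : fpu vme de pse sse2 ssbd md_clear'

# cpuinfo_field TEXT KEY -> value of the first "KEY : value" line
cpuinfo_field() {
    printf '%s\n' "$1" | awk -v key="$2" -F': ' \
        '$0 ~ "^" key "[[:space:]]*:" { print $2; exit }'
}

# cpu_sig TEXT -> CPUID signature as the kernel microcode driver prints it:
# ext_family<<20 | ext_model<<16 | family<<8 | model<<4 | stepping
cpu_sig() {
    fam=$(cpuinfo_field "$1" 'cpu family'); mod=$(cpuinfo_field "$1" model)
    step=$(cpuinfo_field "$1" stepping)
    if [ "$fam" -ge 15 ]; then base=15; ext=$((fam - 15)); else base=$fam; ext=0; fi
    printf '0x%x\n' $(( (ext << 20) | ((mod >> 4) << 16) | (base << 8) | ((mod & 15) << 4) | step ))
}

# ucode_file_name TEXT -> "family-model-stepping" in hex, the naming assumed
# for the blobs under /lib/firmware/intel-ucode/ shipped by intel-microcode
ucode_file_name() {
    printf '%02x-%02x-%02x\n' "$(cpuinfo_field "$1" 'cpu family')" \
        "$(cpuinfo_field "$1" model)" "$(cpuinfo_field "$1" stepping)"
}

# microcode_rev TEXT -> revision the kernel reports as loaded (compare with dmesg)
microcode_rev() { cpuinfo_field "$1" microcode; }

# has_ssbd TEXT -> exit 0 when the flags line advertises SSBD, which is what
# the CVE-2018-3640/3615 checks are essentially looking for
has_ssbd() { printf '%s\n' "$1" | grep '^flags' | grep -qw ssbd; }

# msr_readable -> exit 0 only when this user can read MSRs (normally root with
# the msr module loaded); without it a checker cannot read the CPU registers,
# which is one reason an unprivileged run can come up red on a patched CPU
msr_readable() { [ -r /dev/cpu/0/msr ]; }

# On a live system: cpu_sig "$(cat /proc/cpuinfo)"; ls /lib/firmware/intel-ucode/"$(ucode_file_name "$(cat /proc/cpuinfo)")"
```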