A very serious security problem has been found in Intel/AMD/ARM CPUs. The Spectre CPU vulnerability (CVE-2017-5753/CVE-2017-5715) breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. How do I protect my Linux server and laptop/desktop against such an attack?
A very serious security problem has been found and patched in the Linux kernel. It was announced on 3rd January 2018. It was independently discovered and reported by various teams including Google Project Zero. Spectre is harder to exploit than the Meltdown CPU bug, but it is also harder to mitigate.
What is the Spectre security bug in Intel/AMD/ARM CPUs?
From the Google blog:
So far, there are three known variants of the issue:
Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)
From the RHEL page:
The first two variants abuse speculative execution to perform bounds-check bypass (CVE-2017-5753), or by utilizing branch target injection (CVE-2017-5715) to cause kernel code at an address under attacker control to execute speculatively. Collectively these are known as “Spectre”. Both variants rely upon the presence of a precisely-defined instruction sequence in the privileged code, as well as the fact that memory accesses may cause allocation into the microprocessor’s level 1 data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use these two flaws to read privileged memory by conducting targeted cache side-channel attacks. These variants could be used not only to cross syscall boundary (variant 1 and variant 2) but also guest/host boundary (variant 2).
A list of Linux distros affected by the Spectre vulnerabilities
- Red Hat Enterprise Linux 5 (including clones such as CentOS/Oracle/Scientific Linux 5)
- Red Hat Enterprise Linux 6 (including clones such as CentOS/Oracle/Scientific Linux 6)
- Red Hat Enterprise Linux 7 (including clones such as CentOS/Oracle/Scientific Linux 7)
- RHEV-M 4.0
- RHEV-M for Servers
- Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
- Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
- Red Hat Enterprise MRG 2
- Red Hat OpenStack Platform v 8/9/10/11/12
- Debian Linux wheezy
- Debian Linux jessie
- Debian Linux stretch
- Debian Linux buster, sid
- SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
- SUSE OpenStack Cloud 6
- Openstack Cloud Magnum Orchestration 7
- SUSE Container as a Service Platform ALL
- SUSE Linux Enterprise High Availability 12 SP2/SP3
- SUSE Linux Enterprise Live Patching 12
- SUSE Linux Enterprise Module for Public Cloud 12
- SUSE Linux Enterprise Server 11 SP3-LTSS
- SUSE Linux Enterprise Server 11 SP4
- SUSE Linux Enterprise Software Development Kit 11/12 SP3/SP4
- SUSE Linux Enterprise for SAP 12 SP1
- SUSE Linux Enterprise 11
- SUSE Linux Enterprise 12
- OpenSuse Linux based upon SUSE 12/11
- Fedora Linux 26
- Fedora Linux 27
- Amazon Linux AMI (Bulletin ID: ALAS-2018-939)
This page documents a current security event affecting many modern microprocessor designs. Information may change rapidly as the event progresses, and more info or commands will be added here soon. Please note that patches for Debian/Ubuntu/CentOS/Fedora and many other distros are not released yet. No patches are available for Spectre yet. The Linux kernel team is working on Retpoline. It will be released soon. When you run the ‘apt-get upgrade’ or ‘yum update’ command, make sure the kernel package, such as linux-image (Debian/Ubuntu) or kernel (RHEL), is updated. You also need a microcode update from your CPU vendor.
While the updates AWS, Google and other cloud providers perform protect the underlying infrastructure, to be fully protected against these issues you must also patch your instance operating systems, including Linux distros, MS-Windows, and desktop operating systems such as macOS, Windows and more.
Before updating the system…
First, always keep backups. Second, note down the running Linux kernel version by running the following command:
$ uname -r
Fix Spectre on CentOS/RHEL/Fedora/Oracle/Scientific Linux
Type the following yum command:
$ uname -r
3.10.0-693.11.1.el7.x86_64
$ sudo yum update
Sample outputs (from my RHEL 7.x box):
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-693.11.6.el7 will be installed
---> Package kernel-tools.x86_64 0:3.10.0-693.11.1.el7 will be updated
---> Package kernel-tools.x86_64 0:3.10.0-693.11.6.el7 will be an update
---> Package kernel-tools-libs.x86_64 0:3.10.0-693.11.1.el7 will be updated
---> Package kernel-tools-libs.x86_64 0:3.10.0-693.11.6.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================
 Package             Arch      Version                 Repository                    Size
=========================================================================================
Installing:
 kernel              x86_64    3.10.0-693.11.6.el7     rhui-rhel-7-server-rhui-rpms  43 M
Updating:
 kernel-tools        x86_64    3.10.0-693.11.6.el7     rhui-rhel-7-server-rhui-rpms  5.1 M
 kernel-tools-libs   x86_64    3.10.0-693.11.6.el7     rhui-rhel-7-server-rhui-rpms  5.1 M

Transaction Summary
=========================================================================================
Install  1 Package
Upgrade  2 Packages

Total download size: 53 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): kernel-tools-3.10.0-693.11.6.el7.x86_64.rpm        | 5.1 MB  00:00:00
(2/3): kernel-tools-libs-3.10.0-693.11.6.el7.x86_64.rpm   | 5.1 MB  00:00:00
(3/3): kernel-3.10.0-693.11.6.el7.x86_64.rpm              |  43 MB  00:00:00
-----------------------------------------------------------------------------------------
Total                                                      65 MB/s |  53 MB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : kernel-tools-libs-3.10.0-693.11.6.el7.x86_64   1/5
  Updating   : kernel-tools-3.10.0-693.11.6.el7.x86_64        2/5
  Installing : kernel-3.10.0-693.11.6.el7.x86_64              3/5
  Cleanup    : kernel-tools-3.10.0-693.11.1.el7.x86_64        4/5
  Cleanup    : kernel-tools-libs-3.10.0-693.11.1.el7.x86_64   5/5
  Verifying  : kernel-tools-libs-3.10.0-693.11.6.el7.x86_64   1/5
  Verifying  : kernel-tools-3.10.0-693.11.6.el7.x86_64        2/5
  Verifying  : kernel-3.10.0-693.11.6.el7.x86_64              3/5
  Verifying  : kernel-tools-3.10.0-693.11.1.el7.x86_64        4/5
  Verifying  : kernel-tools-libs-3.10.0-693.11.1.el7.x86_64   5/5

Installed:
  kernel.x86_64 0:3.10.0-693.11.6.el7

Updated:
  kernel-tools.x86_64 0:3.10.0-693.11.6.el7
  kernel-tools-libs.x86_64 0:3.10.0-693.11.6.el7

Complete!
You must reboot your Linux server using the shutdown/reboot command:
$ sudo reboot
$ uname -r
3.10.0-693.11.6.el7.x86_64
Verify that all 3 CVEs are listed in the kernel changelog (you must see output for each of them):
$ rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
Sample outputs:
- [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
....
- [x86] entry: Fix paranoid_exit() trampoline clobber (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Simplify trampoline stack restore code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
....
- [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] cpu/AMD: Make the LFENCE instruction serialized (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
Run the following dnf command if you are using Fedora Linux:
$ sudo dnf --refresh update kernel
OR
$ sudo dnf update
Reboot the Linux box:
$ sudo reboot
Fix Spectre on Debian/Ubuntu Linux
Use the following apt-get command/apt command:
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo shutdown -r 0
Fix Spectre on Amazon Linux running on AWS
Just run the yum command:
# yum update kernel
# reboot
Fix Spectre on Arch Linux
Just run the pacman command:
# pacman -Syu
# reboot
Spectre & Meltdown Checker
After the reboot, make sure your Linux server/box is patched and no longer vulnerable by running spectre-meltdown-checker.sh.
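As an added example (not part of the original post or of spectre-meltdown-checker.sh), the following POSIX shell script automates the two checks described above: grepping the RPM kernel changelog for the three CVE ids, and reading the per-vulnerability status files that patched kernels expose under /sys/devices/system/cpu/vulnerabilities (assumed to exist on a kernel carrying the mitigations; older kernels simply lack the directory). The functions take their input explicitly so they can be tried against constructed sample text before running them live with `--live`.

```shell
#!/bin/sh
# Added example, not from the original post: report Spectre/Meltdown patch state.
# Assumes an RPM-based distro for the changelog check and a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities (absent on unpatched/older kernels).

SPECTRE_CVES="CVE-2017-5753 CVE-2017-5715 CVE-2017-5754"

# Read changelog text from stdin, print each of the three CVE ids it mentions,
# and return 0 only if all three are present.
cves_in_changelog() {
    text=$(cat)
    missing=0
    for cve in $SPECTRE_CVES; do
        if printf '%s\n' "$text" | grep -q -- "$cve"; then
            printf '%s\n' "$cve"
        else
            missing=1
        fi
    done
    return $missing
}

# Print "<name>: <status>" for every file in a sysfs vulnerabilities directory;
# return 1 if the directory is missing or any entry still reports "Vulnerable"
# (a "Mitigation: ..." or "Not affected" line counts as good).
sysfs_status() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir not present: kernel has no mitigation reporting"; return 1; }
    rc=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s\n' "$(basename "$f")" "$status"
        case $status in Vulnerable*) rc=1 ;; esac
    done
    return $rc
}

# Live check against the real system; run as: sh spectre-check.sh --live
live_check() {
    echo "Running kernel: $(uname -r)"
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog kernel | cves_in_changelog ||
            echo "WARNING: kernel changelog does not list all three CVEs"
    fi
    sysfs_status /sys/devices/system/cpu/vulnerabilities ||
        echo "WARNING: at least one entry still reports Vulnerable"
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```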
How to apply microcode update supplied by Intel on Linux
See “How to install/update Intel microcode firmware on Linux” for more info.