Meltdown and Spectre Patches for ClearOS, ClearVM and ClearBOX
By now you've heard of the Meltdown and the Spectre suite of flaws — three variants of attack vectors exist and their related vulnerabilities that affect all Intel and some AMD and ARM processors. This bugs are hardware bugs and affect servers, workstations, and some handheld devices. To be clear, this is a hardware bug but we are taking steps to mitigate the damage that can be done by they hardware flaws.
ClearOS
Starting today, all ClearOS 7 systems that are set to get automatic updates will begin to receive patches to help mitigate the risks associated with Meltdown and Spectre.
Please click on the URL below for instructions on how to determine the Kernel version of your system.
https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_determining_your_running_kernel_version
If your system report shows the version number or higher, your ClearOS system has received the needed patches for Meltdown and Spectre. You will need to run the following or later to have the patches that deal with Meltdown and Spectre:
If your system does not have this kernel running, perform the following:
Because this patch makes significant changes to the kernel which cannot be updated in a dynamic way to the running kernel, you will need to schedule a system reboot during a maintenance window (or as soon as possible) for the patches to take full effect.
ClearVM
Because of the difficulty with upstream patch availability with ClearVM, users of ClearVM will be required to migrate to the newer version of ClearVM that will be releasing in the January/February timeframe. To ensure that this exploit cannot be executed on your ClearVM environment, please ensure that local access to the ClearVM node and any VMs running under ClearVM is isolated to trusted users. As an immediate workaround in critical environments or those that are exposed in ways in which this exploit can be implemented, users of ClearVM can migrate their virtual machines to ClearOS under KVM and libvirt for the time being. Users of ClearVM with support options from ClearCenter can get support with this path if immediate resolution is required before the general release of the next ClearVM platform.
ClearBOX
The type 2 variant of these exploits may require updates to your firmware of ClearBOX. We are still in the process of analyzing whether ClearOS sufficiently covers the patching requirements all by itself or if there are specific hardware-related patches that are required. Please stay tuned, inquire in the forums, or contact ClearCenter if you have a qualifying and current support subscription with ClearCenter.
Looking Forward:
Intel and other hardware manufacturers are looking for ways to apply firmware updates that could also help mitigate risk, but ClearOS and other OS providers are working independently to help protect users of affected server, workstation, laptop, and tablet gear. It's important to know that Meltdown and Spectre are processor hardware-related bugs that can't be completely fixed by software patches. However, there are a number of ways software patches can minimize the risk associated with these exploits and ClearCenter is committed to doing everything we can to mitigate any potential damage from Meltdown and Spectre. We will continue to release additional patches in the future to further help reduce your exposure to Meltdown and Spectre.
Potential Impact on System Performance:
Because of the nature of these vulnerabilities, the patch to address Meltdown include methods that segment memory pages. The result is that all patched systems with the Meltdown vulnerability may see a decrease in performance. This issue impacts many platforms including all versions of Linux, MacOSX, and Windows. We expect ClearOS systems to see a 5% to 20%+ decrease in speeds related to operations dealing in non-user space of memory.
Our advice is to let the automatic patches update your system and take the performance hit. However If you are willing to take some risk, it is possible to bypass the system patches and not take the performance hit. To read more about tuning the variables that disable the security fix and re-enable the perform capabilities which are exploitable, click here to visit the Redhat notes related to the patch they produced which was adopted in ClearOS.
Support:
If you have an included support package with ClearCenter and your system is negatively impacted by the fix, feel free to open a ticket related to your specific performance issue.
By now you've heard of the Meltdown and the Spectre suite of flaws — three variants of attack vectors exist and their related vulnerabilities that affect all Intel and some AMD and ARM processors. This bugs are hardware bugs and affect servers, workstations, and some handheld devices. To be clear, this is a hardware bug but we are taking steps to mitigate the damage that can be done by they hardware flaws.
ClearOS
Starting today, all ClearOS 7 systems that are set to get automatic updates will begin to receive patches to help mitigate the risks associated with Meltdown and Spectre.
Please click on the URL below for instructions on how to determine the Kernel version of your system.
https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_determining_your_running_kernel_version
If your system report shows the version number or higher, your ClearOS system has received the needed patches for Meltdown and Spectre. You will need to run the following or later to have the patches that deal with Meltdown and Spectre:
ClearOS 7: 3.10.0-693.11.6.v7 or later
ClearOS 6: 2.6.32-696.18.7.v6 or later
ClearOS 5 and ClarkConnect: These are End of Life products and should be reinstalled with a newer version of ClearOS. Contact ClearCenter sales for more information.
If your system does not have this kernel running, perform the following:
yum updateBecause this patch makes significant changes to the kernel which cannot be updated in a dynamic way to the running kernel, you will need to schedule a system reboot during a maintenance window (or as soon as possible) for the patches to take full effect.
rebootClearVM
Because of the difficulty with upstream patch availability with ClearVM, users of ClearVM will be required to migrate to the newer version of ClearVM that will be releasing in the January/February timeframe. To ensure that this exploit cannot be executed on your ClearVM environment, please ensure that local access to the ClearVM node and any VMs running under ClearVM is isolated to trusted users. As an immediate workaround in critical environments or those that are exposed in ways in which this exploit can be implemented, users of ClearVM can migrate their virtual machines to ClearOS under KVM and libvirt for the time being. Users of ClearVM with support options from ClearCenter can get support with this path if immediate resolution is required before the general release of the next ClearVM platform.
ClearBOX
The type 2 variant of these exploits may require updates to your firmware of ClearBOX. We are still in the process of analyzing whether ClearOS sufficiently covers the patching requirements all by itself or if there are specific hardware-related patches that are required. Please stay tuned, inquire in the forums, or contact ClearCenter if you have a qualifying and current support subscription with ClearCenter.
Looking Forward:
Intel and other hardware manufacturers are looking for ways to apply firmware updates that could also help mitigate risk, but ClearOS and other OS providers are working independently to help protect users of affected server, workstation, laptop, and tablet gear. It's important to know that Meltdown and Spectre are processor hardware-related bugs that can't be completely fixed by software patches. However, there are a number of ways software patches can minimize the risk associated with these exploits and ClearCenter is committed to doing everything we can to mitigate any potential damage from Meltdown and Spectre. We will continue to release additional patches in the future to further help reduce your exposure to Meltdown and Spectre.
Potential Impact on System Performance:
Because of the nature of these vulnerabilities, the patch to address Meltdown include methods that segment memory pages. The result is that all patched systems with the Meltdown vulnerability may see a decrease in performance. This issue impacts many platforms including all versions of Linux, MacOSX, and Windows. We expect ClearOS systems to see a 5% to 20%+ decrease in speeds related to operations dealing in non-user space of memory.
Our advice is to let the automatic patches update your system and take the performance hit. However If you are willing to take some risk, it is possible to bypass the system patches and not take the performance hit. To read more about tuning the variables that disable the security fix and re-enable the perform capabilities which are exploitable, click here to visit the Redhat notes related to the patch they produced which was adopted in ClearOS.
Support:
If you have an included support package with ClearCenter and your system is negatively impacted by the fix, feel free to open a ticket related to your specific performance issue.
Share this post:
Responses (10)
-
Accepted Answer
For more detail on these vulnerabilities, please consult the following from Redhat:
CVE-2017-5753 (variant #1/Spectre) is a Bounds-checking exploit during branching. This issue is fixed with a kernel patch. Variant #1 protection is always enabled; it is not possible to disable the patches. Red Hat’s performance testing for variant #1 did not show any measurable impact.
Source: Redhat
CVE-2017-5715 (variant #2/Spectre) is an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system. This issue is corrected with microcode, along with kernel and virtualization updates to both guest and host virtualization software. This vulnerability requires both updated microcode and kernel patches. Variant #2 behavior is controlled by the ibrs and ibpb tunables (noibrs/ibrs_enabled and noibpb/ibpb_enabled), which work in conjunction with the microcode.
CVE-2017-5754 (variant #3/Meltdown) is an exploit that uses speculative cache loading to allow a local attacker to be able to read the contents of memory. This issue is corrected with kernel patches. Variant #3 behavior is controlled by the pti tunable (nopti/pti_enabled). -
Accepted Answer
Original research on these bugs was provided by the Project Zero team at Google:
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html -
Accepted Answer
Dear Dave,
Thank for the info. I did yum update (and got some updates, auto-update is also on all the time) and also restarted the system (Clearos Business 7.4). Though, I am still on 3.10.0-693.2.2.v7.x86_64 and not 3.10.0-693.11.6.v7 or later.
Am I too impatient or do I need to activate some test repositories for that?
Thank you.
Best wishes,
Robert -
Accepted Answer
I've asked the release manager a similar question. Right now it is in the hands of the community and we are validating any problems that may have occurred with the dissemination of the package. It should be promoted soon. Like you, I am eager for the package in the verified repos. I have several projects that require them before I can push, for example, a new Q1 ISO for Home, Business, and Community that includes the newer kernel and rolled up packages for 2018. -
Accepted Answer
-
Accepted Answer
The following are links to the Common Vulnerabilities and Exposures (CVE) documentation on ClearOS.com:
CVE-2017-5715
CVE-2017-5753
CVE-2017-5754 -
Accepted Answer
I am on ClearOS 7.4.0 Final and kernel 3.10.0-514.26.2.v7.x86_64. yum update did not give me a new kernel. Even yum update --enablerepo=* does not give me a newer kernel than this.
Here are the repos that I have:
-rw-r--r-- 1 root root 892 Dec 15 11:08 centos-sclo-scl-rh-unverified.repo
-rw-r--r-- 1 root root 916 Dec 15 11:08 centos-sclo-scl-unverified.repo
-rw-r--r-- 1 root root 2452 Dec 15 11:08 centos-unverified.repo
-rw-r--r-- 1 root root 2739 Oct 25 11:35 clearos-centos.repo
-rw-r--r-- 1 root root 438 Dec 15 11:08 clearos-centos-sclo-scl-rh.repo
-rw-r--r-- 1 root root 501 Oct 25 11:35 clearos-epel.repo
-rw-r--r-- 1 root root 433 Sep 13 14:19 clearos-fast-updates.repo
-rw-r--r--. 1 root root 2352 Jul 22 2017 clearos.repo
-rw-r--r-- 1 root root 910 Dec 15 11:08 epel-unverified.repo
-rw-rw-r-- 1 root root 156 Jun 28 2017 plex.repo
How do I get the kernel update? -
Accepted Answer
Please don't run "yum update" with "--enablerepo=*". You can bring in al sorts of rubbish - if it even works. I had to pull some tricks with my repos to make the command work at all and I only ever do it like that when searching for packages.
What is the output of:
If you can see kernel-3.10.0-693.11.6.v7.x86_64 listed from the first command and the version does not appear in the second command, please reboot for the latest kernel to take effect.rpm -q kernel
uname -r -
Accepted Answer
In case you have not been watching the IT news over the past couple of months, this Intel thing just goes on and on. As was covered by Wired Magazine, it has been a total train wreck.
What we have done so far is to follow RedHat; when they released their original fix, we followed suit. They subsequently withdrew their patch as it was causing issues with stability. If you had crashes and reboots during that timeframe, my apologies. Now, it seems, Intel is ready to push some new firmware. This will only benefit the security of recent processors...what a joke.
In the meantime, keep your systems buttoned up. And cross your fingers or whatever else you can do to give yourself peace over this situation that is largely, still unresolved.
As this affects kernel space, you will likely need to reboot after this patch in order to determine whether it affects your system positively or negatively. Feel free to post your experiences. Especially if you are using virtualization on ClearOS.
Please login to post a reply
You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here.
Register Here »