How to mitigate the Spectre and Meltdown vulnerabilities on Linux systems?

Alan Cox shared a link from AMD's blog: https://www.amd.com/en/corporate/speculative-execution

Variant One: Bounds Check Bypass

Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected.

Variant Two: Branch Target Injection

Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.

Variant Three: Rogue Data Cache Load

Zero AMD vulnerability due to AMD architecture differences.

It would be good to have confirmation of these AMD statements by a third party, though.

The 'mitigation' on affected systems would require a new kernel and a reboot, but on many distributions packages with the fixes have not yet been released:

  • https://www.cyberciti.biz/faq/patch-meltdown-cpu-vulnerability-cve-2017-5754-linux/

Debian:

  • https://security-tracker.debian.org/tracker/CVE-2017-5715
  • https://security-tracker.debian.org/tracker/CVE-2017-5753
  • https://security-tracker.debian.org/tracker/CVE-2017-5754

Other sources of information I found:

  • https://lists.bufferbloat.net/pipermail/cerowrt-devel/2018-January/011108.html
  • https://www.reddit.com/r/Amd/comments/7o2i91/technical_analysis_of_spectre_meltdown/

January 27, 2018 Intel Microcode breaks some systems

The Intel Microcode Update 2018-01-08 to address speculative execution branching security holes broke some systems. This affected many Ubuntu systems from January 8th to January 21st. On January 22, 2018 Ubuntu released an update that puts back older Microcode from 2017-07-07.

If you experienced problems with updates, reinstalled Ubuntu and turned off updates between 2018-01-08 and 2018-01-22, you may want to try Ubuntu automatic updates again.

January 16, 2018 update: Spectre in 4.14.14 and 4.9.77

If you are already running Kernel versions 4.14.13 or 4.9.76 like I am, it's a no-brainer to install 4.14.14 and 4.9.77 when they come out in a couple of days to mitigate the Spectre security hole. This fix is named Retpoline and doesn't have the severe performance hit previously speculated:

Greg Kroah-Hartman has sent out the latest patches for the Linux 4.9 and 4.14 point releases, which now include the Retpoline support.

This X86_FEATURE_RETPOLINE is enabled for all AMD/Intel CPUs. For full support you also need to be building the kernel with a newer GCC compiler containing -mindirect-branch=thunk-extern support. The GCC changes landed in GCC 8.0 yesterday and are in the process of potentially being back-ported to GCC 7.3.

Those wanting to disable the Retpoline support can boot the patched kernels with noretpoline.

Without getting into details of JavaScript, here is how to immediately avoid the Meltdown hole (and, as of January 10, 2018, Spectre protection):

January 12, 2018 update

Initial protection from Spectre is here and will be improved in weeks and months to come.

Linux Kernels 4.14.13, 4.9.76 LTS, and 4.4.111 LTS

From this Softpedia article:

Linux kernels 4.14.13, 4.9.76 LTS, and 4.4.111 LTS are now available for download from kernel.org, and they include more fixes against the Spectre security vulnerability, as well as some regressions from the Linux 4.14.12, 4.9.75 LTS, and 4.4.110 LTS kernels released last week, as some reported minor issues.

These issues appear to be fixed now, so it's safe to update your Linux-based operating systems to the new kernel versions released today, which include more x86 updates, some PA-RISC, s390, and PowerPC (PPC) fixes, various improvements to drivers (Intel i915, crypto, IOMMU, MTD), and the usual mm and core kernel changes.

Many users had problems with Ubuntu LTS updates on January 4, 2018 and January 10, 2018. I've been using 4.14.13 for a couple of days without any problems; however, YMMV.


January 7, 2018 update

Greg Kroah-Hartman wrote a status update on the Meltdown and Spectre Linux Kernel security holes yesterday. Some may call him the second most powerful man in the Linux world right next to Linus. The article addresses stable kernels (discussed below) and LTS kernels which the majority of Ubuntu users have.


Linux Kernels 4.14.11, 4.9.74, 4.4.109, 3.16.52, and 3.2.97 Patch Meltdown Flaw

From this article:

Users are urged to update their systems immediately

Jan 4, 2018 01:42 GMT · By Marius Nestor

Linux kernel maintainers Greg Kroah-Hartman and Ben Hutchings have released new versions of the Linux 4.14, 4.9, 4.4, 3.16, 3.18, and 3.12 LTS (Long Term Support) kernel series that apparently patch one of the two critical security flaws affecting most modern processors.

The Linux 4.14.11, 4.9.74, 4.4.109, 3.16.52, 3.18.91, and 3.2.97 kernels are now available to download from the kernel.org website, and users are urged to update their GNU/Linux distributions to these new versions if they run any of those kernel series immediately. Why update? Because they apparently patch a critical vulnerability called Meltdown.

As reported earlier, Meltdown and Spectre are two exploits that affect nearly all devices powered by modern processors (CPUs) released in the past 25 years. Yes, that means almost all mobile phones and personal computers. Meltdown can be exploited by an unprivileged attacker to maliciously obtain sensitive information stored in kernel memory.

Patch for Spectre vulnerability still in the works

While Meltdown is a serious vulnerability which can expose your secret data, including passwords and encryption keys, Spectre is even worse, and it's not easy to fix. Security researchers say it will haunt us for quite some time. Spectre is known to exploit the speculative execution technique used by modern CPUs to optimize performance.

Until the Spectre bug is patched too, it is strongly recommended that you at least update your GNU/Linux distributions to any of the newly released Linux kernel versions. So search the software repositories of your favorite distro for the new kernel update and install it as soon as possible. Don't wait until it's too late, do it now!


I had been using Kernel 4.14.10 for a week so downloading and booting Ubuntu Mainline Kernel version 4.14.11 wasn't too much of a concern for me.

Ubuntu 16.04 users might be more comfortable with 4.4.109 or 4.9.74 kernel versions which were released at the same time as 4.14.11.

If your regular updates do not install the Kernel version you desire you can do it manually following this Ask Ubuntu answer: https://askubuntu.com/questions/879888/how-do-i-update-kernel-to-the-latest-mainline-version/879920#879920


4.14.12 - What a difference a day makes

Less than 24 hours after my initial answer a patch was released to fix the 4.14.11 kernel version, which they may have rushed out. Upgrading to 4.14.12 is recommended for all 4.14.11 users. Greg-KH says:

I'm announcing the release of the 4.14.12 kernel.

All users of the 4.14 kernel series must upgrade.

There are a few minor issues still known with this release that people have run into. Hopefully they will be resolved this weekend, as the patches have not landed in Linus's tree.

For now, as always, please test in your environment.

Looking at this update, not very many lines of source code were changed.
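An added check, not code from any of the answers above: it compares a kernel version against the stable point releases this thread names (Meltdown fix in 4.14.11, 4.9.74 and 4.4.109; Retpoline in 4.14.14 and 4.9.77) and, on kernels that expose it, reads the per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities and looks for the noretpoline and nopti boot parameters. The sysfs directory is assumed to exist only on patched kernels; the version thresholds are taken from the answers.

```shell
#!/bin/sh
# Added example, not from the original answers. Thresholds are the stable point
# releases quoted in this thread. Assumes a patched kernel exposes
# /sys/devices/system/cpu/vulnerabilities/* (absent on older kernels).

# Return 0 if dotted kernel version $1 is at or above $2; suffixes such as
# "-generic" are stripped before comparing the first three components.
kernel_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Classify a version by the fixes it carries according to this thread:
# "retpoline", "meltdown", "none", or "unknown-series" for other series.
patch_level() {
    case "$1" in
        4.14.*) m=4.14.11; r=4.14.14 ;;
        4.9.*)  m=4.9.74;  r=4.9.77 ;;
        4.4.*)  m=4.4.109; r= ;;
        *)      echo unknown-series; return 0 ;;
    esac
    if [ -n "$r" ] && kernel_ge "$1" "$r"; then echo retpoline
    elif kernel_ge "$1" "$m"; then echo meltdown
    else echo none
    fi
}

# Print what the running kernel reports about itself, plus boot parameters
# that switch a mitigation off (noretpoline is the one named in the thread).
report_running() {
    v=$(uname -r)
    echo "kernel $v: $(patch_level "$v")"
    for f in /sys/devices/system/cpu/vulnerabilities/*; do
        [ -r "$f" ] && echo "$(basename "$f"): $(cat "$f")"
    done
    for p in noretpoline nopti; do
        grep -qw "$p" /proc/cmdline 2>/dev/null && echo "note: booted with $p"
    done
    return 0
}
case "${1:-}" in --report) report_running ;; esac
```

Run it as `sh check.sh --report` on the machine in question; without the flag it only defines the functions.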


This flaw can be exploited remotely by visiting a JavaScript website.

Indeed. So, one sensible mitigation is to disable JavaScript in your web browsers, or to use web browsers that do not support JavaScript.

Most browsers that do support JavaScript have a setting for disabling it. Alternatively, if you wish to maintain a whitelist of sites or domains for which to allow JavaScript, then there are various add-ons that can assist, such as uBlock Origin and NoScript.

N.B. It should go without saying that disabling/restricting JavaScript should not be your only mitigation. You should additionally review (and probably apply) any relevant kernel fixes and other security updates once they are written, tested and published. On Debian-derived distributions, use commands such as sudo apt update, sudo apt list-upgradable, and sudo apt upgrade.

Update: don't take my word for it. Alan Cox says much the same:

What you do need to care about big time is javascript because the exploit can be remotely used by javascript on web pages to steal stuff from your system memory. ... consider things like Adblockers and extensions like noscript that can stop a lot of junk running in the first place. Do that ASAP. When OS updates appear apply them. (Source)