The following three attacks have been identified:
- CVE-2017-5753: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker-controllable speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets.
This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel. It needs to be addressed for all SUSE Linux Enterprise processor architectures, Intel and AMD x86_64, IBM Power, IBM Z and 64-bit ARM.
- CVE-2017-5715: Local attackers on systems with modern CPUs featuring branch prediction could use mis-predicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753.
This problem is mitigated by disabling predictive branches, depending on the CPU architecture either through firmware updates and/or fixes at the user/kernel privilege boundary.
Mitigation is done with the help of Linux Kernel fixes on the Intel/AMD x86_64 and IBM Z architectures. On x86_64, this also requires updates of the CPU microcode packages, delivered in separate updates.
SUSE has shipped microcode updates for Intel and AMD processors that supply control of the “indirect branch speculation” feature. Please also check your CPU and hardware vendors' firmware / BIOS download pages for updates.
For IBM Power and IBM Z the required firmware updates are supplied over regular channels by IBM.
As this feature can have a performance impact, it can be disabled using the “nospec” kernel command line option on x86_64 and “nobp” on IBM Z.
- CVE-2017-5754: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use code patterns in userspace to speculatively execute code that would read otherwise read-protected memory, an attack similar to CVE-2017-5753.
This problem is mitigated by unmapping the Linux Kernel from the user address space during user code execution, following an approach described in the “KAISER” paper.
The terms used here are “KAISER” / “Kernel Address Isolation” and “PTI” / “Page Table Isolation”.
The update does this on the Intel x86_64 and IBM Power architecture. Updates are also necessary for the ARM architecture, but will be delivered in the second round of updates.
This feature can be enabled / disabled by the “pti=[on|off|auto]” or “nopti” command line options. More details can be found in the “Additional information” section.
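As an added example, not part of the SUSE advisory: a small POSIX shell script that parses the kernel command-line switches named above (nopti / pti=, nospec, nobp) and reports which of the mitigations an administrator has turned off, then lists the per-vulnerability status files from sysfs. The /sys/devices/system/cpu/vulnerabilities directory is assumed to exist on kernels that expose it; older kernels only offer /proc/cmdline.

```shell
#!/bin/sh
# Added example (not part of the advisory): inspect the kernel command line
# for the mitigation switches named in the advisory and report their state.
# Option names (nopti, pti=on|off|auto, nospec, nobp) come from the advisory;
# /proc/cmdline and the sysfs vulnerability files are standard kernel paths.

# pti_state CMDLINE -> prints "on", "off" or "auto" (CVE-2017-5754 mitigation).
# "auto" is the kernel default when no option is given. A later pti= value
# overrides an earlier one; nopti is treated here as taking precedence over
# any pti= value (assumption, mirroring the kernel checking nopti first).
pti_state() {
    state="auto"
    nopti_seen=0
    for opt in $1; do
        case "$opt" in
            nopti)    nopti_seen=1 ;;
            pti=on)   state="on" ;;
            pti=off)  state="off" ;;
            pti=auto) state="auto" ;;
        esac
    done
    [ "$nopti_seen" -eq 1 ] && state="off"
    echo "$state"
}

# branch_pred_state CMDLINE -> "disabled" when nospec (x86_64) or nobp (IBM Z)
# is present, i.e. the CVE-2017-5715 mitigation was switched off for
# performance reasons; "enabled" otherwise.
branch_pred_state() {
    state="enabled"
    for opt in $1; do
        case "$opt" in
            nospec|nobp) state="disabled" ;;
        esac
    done
    echo "$state"
}

# report_live: state of the running system, plus the sysfs status files
# (meltdown, spectre_v1, spectre_v2) when the kernel provides them.
report_live() {
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    echo "PTI (CVE-2017-5754): $(pti_state "$cmdline")"
    echo "Branch prediction mitigation (CVE-2017-5715): $(branch_pred_state "$cmdline")"
    for f in /sys/devices/system/cpu/vulnerabilities/*; do
        [ -r "$f" ] && echo "$(basename "$f"): $(cat "$f")"
    done
}

if [ "${1:-}" = "--live" ]; then report_live; fi
```

Run it with `--live` on the host to be checked; without arguments it only defines the functions so they can be sourced and used in other scripts.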