Your submission was sent successfully! Close

Jump to main content
  1. Blog
  2. Article

Canonical
on 14 August 2018

Ubuntu updates for L1 Terminal Fault vulnerabilities


  • For up-to-date patch, package, and USN links, please click here

Today Intel announced a new side channel vulnerability known as L1 Terminal Fault. Raoul Strackx, Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and researchers from Intel discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that’s executing on the CPU core. Processors from other vendors are not known to be affected by L1TF.

Three CVEs have been assigned to this issue:

* CVE-2018-3615 for Intel Software Guard Extensions (Intel SGX)

* CVE-2018-3620 for operating systems and System Management Mode (SMM)

* CVE-2018-3646 for impacts to virtualization

For technical details regarding this issue, please refer to the L1TF KnowledgeBase articlethe Linux kernel documentation, and the L1TF Mitigation guidance published by Intel.

Hardware OEMs are releasing BIOS updates containing the updated Intel microcode. Check with your OEM’s website to see if a BIOS update is available for your machine. Ubuntu updates for the intel-microcode package are also being made available. Microcode updates are not required for this issue due to a software fallback mode present in the Ubuntu kernel updates.

Kernel updates are being released for the following supported Ubuntu series:

    • 18.04 LTS (Bionic)
    • 16.04 LTS (Xenial)
    • 14.04 LTS (Trusty)
  • 12.04 ESM (Precise)

Optimised kernels based on any of the above series were also released, including linux-aws, linux-azure, linux-gcp, and hardware enablement kernels. Updated cloud images have also been built and published to ensure a consistent Ubuntu experience.

Updated Ubuntu kernels have the ability to report how the system is currently affected by L1TF. To check your system, read the contents of the

/sys/devices/system/cpu/vulnerabilities/l1tf

file. You must apply kernel updates and reboot if the file does not exist as that indicates that your kernel does not have mitigations in place for L1TF.

Processors that aren’t vulnerable to L1TF will report the following:

$ cat /sys/devices/system/cpu/vulnerabilities/l1tf

Not affected

The file will contain the following contents for processors that do not support Intel Hyper-Threading or where Hyper-Threading has been disabled:

$ cat /sys/devices/system/cpu/vulnerabilities/l1tf

Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled

Processors that have Hyper-Threading support enabled will indicate that SMT is vulnerable when used in conjunction with Intel Virtualization Technology (VMX):

$ cat /sys/devices/system/cpu/vulnerabilities/l1tf

Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable

Intel processors that lack VMX support will not report VMX status:

$ cat /sys/devices/system/cpu/vulnerabilities/l1tf

Mitigation: PTE Inversion

We recommend that you apply available updates at your earliest convenience. We encourage Ubuntu users who seek more information to contact an Ubuntu Advantage support representative for an in-depth discussion relative to your use cases.

Related posts


Canonical
26 September 2023

CVE 우선순위 지정을 통한 오픈 소스 보안

Security Security

최근 연구에 따르면 엔터프라이즈 시장의 애플리케이션 중 96%가 오픈 소스 소프트웨어를 사용합니다. 오픈 소스 환경이 점점 더 세분화됨에 따라 조직에 대한 잠재적인 보안 취약점의 영향을 평가하는 작업이 엄청날 수 있습니다. 우분투는 가장 안전한 운영 체제 중 하나로 알려져 있습니다. 하지만 그 이유는 무엇일까요? 우분투 보안팀은 매일 알려진 취약점에 대해 업데이트된 소프트웨어 패키지를 수정하고 릴리스하기 때문에 ...


Hugo Huang
20 September 2023

Start your Ubuntu Confidential VM with Intel® TDX on Google Cloud

Canonical announcements Article

Confidential computing directly addresses the question of trust between cloud providers and their customers, with guarantees of data security for guest machines enforced by the underlying hardware of the cloud. According to the Confidential Computing Consortium, confidential computing is the protection of data in use by performing computa ...


Canonical
19 September 2023

라이브패치(Livepatch)에 새로운 13개월 슬라이딩 지원 기간이 있습니다. 여러분에게 어떤 의미가 있을까요?

Security Security

라이브패치는 시스템을 즉시 재부팅할 필요 없고 런타임에 중요하고 높은 보안 커널 공통 보안 취약성 및 노출(CVE)을 수정하는 유용한 툴입니다. 그러나 정기적인 유지 관리 기간 및 재부팅을 대체하는 용도로 사용해서는 안 됩니다. 좋은 기업 정책에는 시스템이 안정적이고 안전하게 유지되도록 라이브패치와 정기적인 재부팅이 모두 포함되어야 합니다. 그 이유는 펌웨어 또는 장치 드라이버 업데이트와 같은 일부 시스템 CVE는 ...