How do I mitigate vulnerabilities that spectre-meltdown-checker identifies?

decuser
Posts: 38
Joined: Sun Feb 10, 2019 11:37 pm

How do I mitigate vulnerabilities that spectre-meltdown-checker identifies?

#1 Post by decuser »

I read in the FAQ about checking for vulnerabilities using spectre-meltdown-checker. I ran it and was surprised to only find one in red, labeled VULNERABLE. My Thinkpad T430 is pretty old. Here is the relevant section:

Code:

CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)'
* Mitigated according to the /sys interface:  NO  (Vulnerable: No microcode)
* SRBDS mitigation control is supported by the kernel:  YES  (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
* SRBDS mitigation control is enabled and active:  NO 
> STATUS:  VULNERABLE  (Your CPU microcode may need to be updated to mitigate the vulnerability)

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:KO


I then checked my system for intel-microcode:

Code:

amd64-microcode/stable,now 3.20181128.1 amd64 [installed]
  Processor microcode firmware for AMD CPUs

intel-microcode/stable,now 3.20200609.2~deb10u1 amd64 [installed]
  Processor microcode firmware for Intel CPUs

iucode-tool/stable,now 2.3.1-1 amd64 [installed]
  Intel processor microcode tool

Cool - 20200609 is pretty recent..., but apparently not recent enough :)

When I googled the CVE, I found that NIST had just recently published the finding (2020-06-15): https://nvd.nist.gov/vuln/detail/CVE-2020-0543

A few questions:
Will this eventually be addressed by a microcode update?
Do I, as a user, need to do much besides update on a regular basis?
Are there other mitigations that I need to do?

Ciao.

JayM
Posts: 6796
Joined: Tue Jan 08, 2019 3:47 am

Re: How do I mitigate vulnerabilities that spectre-meltdown-checker identifies?

#2 Post by JayM »

Please read How To Ask For Help then run MX Tools/Quick System Info, then simply right-click paste into a reply. (Quick System Info automatically copies the information to your clipboard, already formatted properly for pasting into the forum so all you have to do is a right-click/ paste, not a copy/paste or anything else. Just run that app then paste in the forum.) Click the link in my signature for detailed instructions. Thanks.
Please read the Forum Rules, How To Ask For Help, How to Break Your System and Don't Break Debian. Always include your full Quick System Info (QSI) with each and every new help request.

Head_on_a_Stick
Posts: 919
Joined: Sun Mar 17, 2019 3:37 pm

Re: How do I mitigate vulnerabilities that spectre-meltdown-checker identifies?

#3 Post by Head_on_a_Stick »

The vulnerability is mitigated with the latest intel-microcode and kernel packages (available from the Debian buster repositories): https://security-tracker.debian.org/tra ... -2020-0543

Unfortunately MX does not install the kernel metapackage that will ensure it is kept updated. If security is a priority then I would strongly recommend installing the kernel metapackage so that you don't have to manually change to a new kernel ABI version when it becomes available:

Code:

sudo apt install linux-image-amd64

Otherwise just install the new version manually:

Code:

sudo apt install linux-image-4.19.0-9-amd64

mod note: Signature removed, please read the forum rules
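The checker output in post #1 and the fix in this reply can be tied together with a small triage script. This is an added example, not code from the thread or from spectre-meltdown-checker: it parses the checker's SUMMARY line, maps each KO CVE to the kernel's own status file under /sys/devices/system/cpu/vulnerabilities (a standard kernel path, assumed here), and flags anything the kernel still reports as "Vulnerable". The SUMMARY line embedded below is the one from the first post, used as constructed sample input.

```shell
#!/bin/sh
# Added example, not from the thread: triage a spectre-meltdown-checker SUMMARY
# line, then ask the running kernel (via /sys) what it thinks of each KO item.
# Constructed sample: the SUMMARY line from the first post, minus the "> " prefix.
SAMPLE_SUMMARY='SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:KO'
SYSFS_VULN=/sys/devices/system/cpu/vulnerabilities   # standard kernel path (assumed)

# Print every CVE id the checker marked KO, one per line.
ko_cves() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -F: '$1 ~ /^CVE-/ && $2 == "KO" { print $1 }'
}

# Kernel sysfs file name for a CVE (only the ids that appear in the SUMMARY above).
sysfs_name() {
    case "$1" in
        CVE-2020-0543) echo srbds ;;
        CVE-2017-5754) echo meltdown ;;
        CVE-2017-5753) echo spectre_v1 ;;
        CVE-2017-5715) echo spectre_v2 ;;
        CVE-2018-3639) echo spec_store_bypass ;;
        CVE-2018-3615|CVE-2018-3620|CVE-2018-3646) echo l1tf ;;
        CVE-2018-12126|CVE-2018-12127|CVE-2018-12130|CVE-2019-11091) echo mds ;;
        CVE-2018-12207) echo itlb_multihit ;;
        CVE-2019-11135) echo tsx_async_abort ;;
        *) echo unknown ;;
    esac
}

# Read one status file from the given sysfs directory (a parameter, so the
# function can be pointed at a saved copy of the directory for testing).
sysfs_status() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo "absent: kernel has no $2 code"; fi
}

# A status starting with "Vulnerable" still needs action, e.g. the
# "Vulnerable: No microcode" the kernel reported in the first post.
needs_action() {
    case "$1" in Vulnerable*) return 0 ;; *) return 1 ;; esac
}

# For each KO CVE print "CVE <tab> sysfs-name <tab> kernel-status <tab> verdict".
report() {   # $1 = sysfs directory, $2 = SUMMARY line
    for cve in $(ko_cves "$2"); do
        name=$(sysfs_name "$cve"); status=$(sysfs_status "$1" "$name")
        if needs_action "$status"; then verdict="update intel-microcode + kernel"
        else verdict="ok"; fi
        printf '%s\t%s\t%s\t%s\n' "$cve" "$name" "$status" "$verdict"
    done
}

# Run against the live kernel: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then report "$SYSFS_VULN" "$SAMPLE_SUMMARY"; fi
```

After installing the new intel-microcode and kernel packages and rebooting, re-running the report should show the srbds line change from "Vulnerable: No microcode" to a "Mitigation:" status.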

JayM
Posts: 6796
Joined: Tue Jan 08, 2019 3:47 am

Re: How do I mitigate vulnerabilities that spectre-meltdown-checker identifies?

#4 Post by JayM »

Actually, kernel 4.19.0-9 is a departure from previous policy of not updating the kernel as part of MX Updater. This one will be updated with new vuln mitigations as they come out. Kernel 4.19.0-6 won't.

I wanted to know specifically what kernel the OP was using though, before I told him to install 4.19.0-9 in case he's using one of the 5.x kernels. That's why I wanted to see his QSI. :smile:
Please read the Forum Rules, How To Ask For Help, How to Break Your System and Don't Break Debian. Always include your full Quick System Info (QSI) with each and every new help request.

Stevo
Developer
Posts: 14441
Joined: Fri Dec 15, 2006 7:07 pm

Re: How do I mitigate vulnerabilities that spectre-meltdown-checker identifies?

#5 Post by Stevo »

We've pushed -2 updates to the 5.6 AHS kernel and the backported 4.19.118 kernel for MX 18 that cover the exploit, too, which should auto-update if the user has the -1 version of those kernels installed. We've advised MX 18 4.19 kernel users to keep atop of the updates.

Meanwhile, Debian's spectre-meltdown-checker hasn't even been updated yet to show that new exploit. :frown: I did a pull from its github repo to get the newer code.

Hey, if you can't test for it, no problems, right? Hmmm...that sure sounds familiar. :p
