View Issue Details

ID: 0016147
Project: CentOS-6
Category: microcode_ctl
View Status: public
Last Update: 2019-06-05 12:34
Reporter: maksimov_d
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 0016147: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

Description

Environment:
OS - CentOS release 6.10 (Final)
Kernel - 2.6.32-754.14.2.el6.x86_64
CPU - Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz
microcode_ctl - 1.17-33.11.el6_10.x86_64
microcode - 1070

Hello!
We have problems with the latest version of the microcode_ctl package, which was supposed to close the vulnerabilities mentioned in the topic.
When using the specified environment, we receive information that the processor is still subject to vulnerability.

[root~]# cat /sys/devices/system/cpu/vulnerabilities/mds
Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable

[root~]# dmesg | grep -i microcode
MDS: Vulnerable: Clear CPU buffers attempted, no microcode
microcode: CPU0 sig=0x306e4, pf=0x1, revision=0x42d
platform microcode: firmware: requesting intel-ucode/06-3e-04

[root~]# grep -m2 -E "model name|microcode" /proc/cpuinfo
model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz
microcode : 1070

At the same time, if we install the latest release of CentOS 7 on this server using the same CPU model, we will receive information that the vulnerability for this processor is closed. That is, the necessary microcode updates for this processor model are present.

[root@~]# cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable

[root@~]$ dmesg | grep -i microcode
[    4.628420] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
[    6.070661] microcode: sig=0x206d7, pf=0x1, revision=0x714
[    6.071737] microcode: Microcode Update Driver: v2.2.

[root@~]# uname -r
3.10.0-957.12.2.el7.x86_64

Please let us know if we can expect to receive microcode updates for CentOS 6, similar to those available on CentOS 7. And in what time frame should we expect the corresponding update?
Tags: 2.6.32-754.14.2.el6.x86_64, microcode_ctl

Activities

toracat

2019-06-04 23:59

manager   ~0034599

CentOS rebuilds the source code available from Red Hat without modifications except for debranding. Therefore, you should check the status of the CVEs upstream. For example, CVE-2018-12130 is detailed here:

https://access.redhat.com/security/cve/cve-2018-12130

You'd see references to RHEL-6. For example, the kernel update for EL6 relevant to this CVE is here:

https://access.redhat.com/errata/RHSA-2019:1169

and so on.

maksimov_d

2019-06-05 11:50

reporter   ~0034602

I apologize, the wrong conclusion was originally attached for the case with CentOS 7. This is how the output looks for the same processor in the case of CentOS 7:

  cat /sys/devices/system/cpu/vulnerabilities/mds
    Mitigation: Clear CPU buffers; SMT vulnerable


And this:

[root@~]# dmesg | grep -i micro
    [ 0.000000] microcode: microcode updated early to revision 0x42e, date = 2019-03-14
    [ 3.500784] microcode: sig=0x306e4, pf=0x1, revision=0x42e
    [ 3.501522] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba

That is, as you can see, in the case of CentOS 7, there is the required microcode.

maksimov_d

2019-06-05 12:34

reporter   ~0034603

In dmesg, CentOS 7 also has the following conclusion:
[ 3.933815] MDS: Mitigation: Clear CPU buffers
[ 4.113446] MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.
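
Added example, not part of the original thread: a small shell script that classifies the `mds` sysfs line and compares the microcode revision from the boot-time dmesg line with the value from /proc/cpuinfo, run here on the CentOS 6 outputs quoted in the report. It assumes the bare `1070` is decimal (1070 = 0x42e); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue thread). Sample strings are copied from
# the outputs quoted in the report; function names are hypothetical.

# Classify one line of /sys/devices/system/cpu/vulnerabilities/mds.
mds_state() {
    case "$1" in
        "Not affected"*)   echo not_affected ;;
        Mitigation:*)      echo mitigated ;;
        *"no microcode"*)  echo needs_microcode ;;  # buffer clearing is best effort only
        Vulnerable*)       echo vulnerable ;;
        *)                 echo unknown ;;
    esac
}

# SMT part of the same line (the text after the ';').
smt_state() {
    case "$1" in
        *"SMT vulnerable"*) echo smt_vulnerable ;;
        *"SMT mitigated"*)  echo smt_mitigated ;;
        *"SMT disabled"*)   echo smt_disabled ;;
        *)                  echo smt_unknown ;;
    esac
}

# Normalise a revision to 0x-hex. "0x42e" passes through; a bare number is
# ASSUMED decimal, as in the "microcode : 1070" line quoted in the report.
rev_to_hex() { printf '0x%x\n' "$1"; }

# First "revision=0x..." value from dmesg text on stdin.
dmesg_rev() {
    sed -n 's/.*microcode:.*revision=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# One-line summary from the three values an admin collects.
assess() {  # $1 = mds line, $2 = dmesg revision, $3 = /proc/cpuinfo revision
    boot=$(rev_to_hex "$2"); now=$(rev_to_hex "$3")
    out="$(mds_state "$1") $(smt_state "$1") boot=$boot now=$now"
    [ "$boot" = "$now" ] || out="$out revision_changed_since_dmesg_line"
    echo "$out"
}

el6_mds='Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable'
el6_dmesg='microcode: CPU0 sig=0x306e4, pf=0x1, revision=0x42d'
assess "$el6_mds" "$(echo "$el6_dmesg" | dmesg_rev)" 1070
```

On a live host the three inputs would come from the same commands the reporter ran: `cat /sys/devices/system/cpu/vulnerabilities/mds`, `dmesg | grep -i microcode` and `grep -m1 microcode /proc/cpuinfo`.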

Issue History

Date Modified Username Field Change
2019-06-04 14:35 maksimov_d New Issue
2019-06-04 14:50 maksimov_d Tag Attached: 2.6.32-754.14.2.el6.x86_64
2019-06-04 14:51 maksimov_d Tag Attached: microcode_ctl
2019-06-04 23:59 toracat Note Added: 0034599
2019-06-05 11:50 maksimov_d Note Added: 0034602
2019-06-05 12:34 maksimov_d Note Added: 0034603