16 Aug L1TF Intel Processor vulnerabilities for Oracle Linux, Oracle VM and Microsoft Windows (Foreshadow)

After the Spectre & Meltdown vulnerabilities (see https://monin-it.be/2018/01/17/meltdown-spectre-solution-linux-windows/) at the beginning of 2018, Intel now tackled 3 applications of another big vulnerability in their microcode: the L1 Terminal Fault (L1TF) vulnerabilities.

All three applications of L1TF are speculative execution side-channel cache timing vulnerabilities:

• CVE-2018-3615: Affecting Intel Software Guard Extensions (SGX): CVSS score 7.9/10
• CVE-2018-3620: Affecting Operating Systems (OS) & System Management Mode (SMM): CVSS score 7.1/10
• CVE-2018-3646: Affecting Hypervisor Software (VMM): CVSS score 7.1/10

Problem is they get access to the L1 data cache, which is a small amount of memory within each core storing the information about what the core will likely perform next.

Intel provided some more detailed information on their website.

What should be done to solve those vulnerabilities:

• Deploy the updated Intel CPU Microcode (check with your hardware vendor for this firmware update/patch)
• Update the OS

But always be careful as the patches can impact performance. This should always be tested before.

Users of Oracle Linux and/or Oracle VM:

Oracle described the Firmware version (hardware) and the microcode_ctl package (OS) needed within Oracle MOS note 2406316.1. The microcode_ctl versions needed:

• Oracle Linux 6: 17-33.1.0.6
• Oracle Linux 7: 1-29.2.0.4
• Oracle VM 3.4: 17-33.1.0.6

The Firmware version for Oracle hardware can be found within the same Oracle MOS note. As firmware patches are unique to each server type, the website of the hardware vendor should be checked for Non-Oracle hardware.

Users of Microsoft Windows:

If you want to have the fix applied, just install the latest Windows Updates and make sure the KB created for your Windows version is listed to be installed (Updates will be pushed towards your system if it has been configured this way). For the list of KB patches which should be installed for each specific Windows version, please check https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018.

Nice to know: when running the Windows on a virtual system, if the hypervisor kernel has already the correct fixes applied, you do not have to install it on your Windows.

IMPORTANT NOTE: in some cases, it’ll be even needed to disable hyperthreading, however, this will have a big performance impact and should be tested carefully.

This article will be updated with additional information when we also receive more information from the vendors (Oracle and Microsoft).

Hopefully, you all have the information needed now to solve the L1TF (foreshadow) vulnerabilities on your servers. Monin can always help customers to apply the fixes mentioned before. Just ask us for more information about how we can help you secure your Red Hat Linux, Oracle Enterprise Linux and or Microsoft Windows so it’s patched for the L1TF (foreshadow) vulnerabilities.

Some interesting links:

• More information about the affected Intel processors: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
• Intel white paper about L1TF: https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
• Microsoft analysis and mitigation of L1 Terminal Fault (L1TF): https://blogs.technet.microsoft.com/srd/2018/08/10/analysis-and-mitigation-of-l1-terminal-fault-l1tf/
• Microsoft Guidance to mitigate L1TF variant: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018
• Oracle L1TF information: https://blogs.oracle.com/oraclesecurity/intel-l1tf
• Foreshadow webpage: https://foreshadowattack.eu/