Wednesday, August 15, 2018

L1 Terminal Fault: Privileged memory access vulnerability in Intel CPUs



Update (08/22)


The regressions affecting Ubuntu 14.04 have been fixed in kernel 3.13.0-116.163. Please check below for instructions on how to upgrade the Ubuntu 14.04 kernel.

Update (08/21)


Bitnami has now released all the Debian based images with the new kernel available. Updates are being propagated to the Bitnami Launchpads and the different Cloud Platforms.

Update (08/20)


The Debian stretch packages that fix the security issue described here have been published. The Bitnami team is working on publishing our solutions as soon as possible. If you have a running Debian instance, please upgrade the packages by following the documentation included below.


Update (08/17)


A regression has been detected in Ubuntu 14.04 in certain instance types, which causes a kernel panic during boot time. More details can be found in Launchpad. Users are advised not to upgrade the kernel in Ubuntu 14.04 until a fix is released.

For users running other operating systems, it is highly recommended to create a full backup of the disk before upgrading the kernel version.

Update (08/16)


Bitnami has now released all the Ubuntu, Red Hat, CentOS and Oracle Linux based images with the new kernel available. Updates are being propagated to the Bitnami Launchpads and the different Cloud Platforms.

Description


On August 14th 2018, three related vulnerabilities affecting x86 processors manufactured by Intel were disclosed. The industry refers to this family of issues as L1 Terminal Fault (L1TF); the researchers who discovered it call it "Foreshadow".

L1 Terminal Fault is a speculative-execution side channel in the same family as Meltdown. It lets an unprivileged attacker read data belonging to other software running on the same processor core, whether on a personal computer or in a third-party cloud, including data of other virtual machines sharing the same host.

With L1TF, a malicious program triggers a memory access through a page table entry (PTE) that is not marked present, or is otherwise invalid. Such an access ends in a "terminal fault": the CPU aborts the address translation and reports a fault to the operating system (or, for a guest, to the hypervisor). Before that fault is delivered, however, the processor speculatively treats the address bits still stored in the invalid PTE as a physical address, and if that address is currently held in the core's level 1 data cache (L1D) it forwards the cached data to dependent instructions. The attacker never sees the value directly, but can recover it through a cache timing side channel, exactly as with Meltdown. Because the L1D is shared by everything that executes on the core, including the kernel, the hypervisor, other processes and the hyper-threading sibling, any data that happens to be in the cache at that moment can be leaked.

L1 Terminal Fault affects the following systems:

  • Bare-metal operating systems: a local, unprivileged process may read kernel memory or other processes' data that is present in L1D. The kernel update closes this variant by changing how non-present page table entries are written (so-called PTE inversion), at negligible performance cost.
  • Operating systems running virtual machines: a malicious guest controls its own page tables and can therefore leak data of the hypervisor or of other guests running on the same physical core. Fully closing this variant requires the hypervisor to flush L1D on VM entry and, where untrusted guests may share a core, to disable hyper-threading (SMT).
  • Cloud instances: depending on the cloud provider's infrastructure, it might even be possible to steal data from other customers. The hypervisor-side mitigation is the provider's responsibility; the guest kernel update described below protects the workload inside your own instance.


Our team is working on updating all the affected Virtual Machines and Cloud Images available through Bitnami in all our cloud providers. This will ensure that all new launches will be secured against this issue.

At this time, there are patches available for the following operating systems:
  • Debian
  • Ubuntu
  • Oracle Linux
  • Red Hat Enterprise Linux
  • CentOS
  • Amazon Linux
If you are running a Bitnami stack, or you have any running server or virtual machine, we encourage you to apply these patches immediately in order to avoid exploitation of this security issue. You need to update the operating system yourself.

In order to update your operating system, you must follow the instructions below (depending on your distribution or operating system):
  • Debian 9, Ubuntu 14.04, 16.04 and 18.04: Create a full backup of the disk, and then execute the command below.
sudo apt-get update && sudo apt-get dist-upgrade
  • Oracle Linux, Red Hat, CentOS and Amazon Linux: Create a full backup of the disk, and then execute the command below.
sudo yum update
  • Windows and macOS:
Install the updates the operating system offers you. On Windows, run "Check for updates" in Windows Update to get the latest updates and patches.

Once you have completed the steps above, the new kernel is installed, but the old one keeps running until the machine is restarted; the updated kernel/operating system version is only in effect after rebooting your server. If you are running on a Linux server, execute the following command to restart it:

sudo shutdown -r now 'Kernel upgrade requires reboot'

NOTE: If, after rebooting, you cannot access the instance via browser or SSH, it is highly likely that the cloud provider assigned a new dynamic IP address to your instance. In this case, enter your cloud provider administration panel to check the new IP address.
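After the reboot, the check a practitioner wants is that the newest installed kernel is really the one running and that the kernel itself reports the L1TF mitigation. The script below is an added example, not part of the Bitnami post or of Bitnami's tooling. It assumes a Linux distribution that installs kernel images as /boot/vmlinuz-<version> (Debian, Ubuntu, Red Hat, CentOS, Oracle Linux and Amazon Linux all do) and uses the kernel's own status file, /sys/devices/system/cpu/vulnerabilities/l1tf, which only kernels carrying the L1TF patches expose; on an older kernel the file is simply missing, which the script reports as "unknown" and which should be read as "not patched". The sample status strings in the comments and the verdict names are the example's own.

```bash
#!/bin/sh
# Added example (not from the Bitnami post): verify the L1TF fix after reboot.
# Two checks: is the newest installed kernel the one running, and what does
# the kernel report about L1TF in sysfs. The sysfs file exists only in kernels
# that carry the L1TF patches.

L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# classify_l1tf STATUS
# Maps the sysfs text onto a short verdict. It follows the conventions shared
# by every file in /sys/devices/system/cpu/vulnerabilities ("Not affected",
# "Vulnerable", "Mitigation: ..."). The "SMT vulnerable" suffix is specific to
# l1tf: the OS side is fixed, but hyper-threading is on, so an untrusted VM on
# this host could still read its sibling thread's L1D. Example inputs:
#   "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
#   "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled"
classify_l1tf() {
  case "$1" in
    "Not affected"*)                echo not-affected ;;
    Mitigation:*"SMT vulnerable"*)  echo mitigated-smt-on ;;
    Mitigation:*)                   echo mitigated ;;
    Vulnerable*)                    echo vulnerable ;;
    *)                              echo unknown ;;  # no sysfs file: kernel predates the fix
  esac
}

# read_l1tf_status
# Prints the sysfs text, or "missing" when the running kernel does not have it.
read_l1tf_status() {
  if [ -r "$L1TF_SYSFS" ]; then
    cat "$L1TF_SYSFS"
  else
    echo missing
  fi
}

# newest_installed_kernel
# Highest kernel version that has an image under /boot (empty if none found).
newest_installed_kernel() {
  ls /boot/vmlinuz-* 2>/dev/null | sed 's#.*/vmlinuz-##' | sort -V | tail -n 1
}

# kernel_reboot_pending RUNNING NEWEST
# Prints "yes" when a kernel other than the running one is the newest on disk,
# i.e. the upgrade was installed but the machine has not been rebooted yet.
kernel_reboot_pending() {
  if [ -n "$2" ] && [ "$1" != "$2" ]; then
    echo yes
  else
    echo no
  fi
}

# Report for this machine. Harmless on hosts without /boot images or sysfs.
running=$(uname -r)
newest=$(newest_installed_kernel)
status=$(read_l1tf_status)
echo "running kernel : $running"
echo "newest on disk : ${newest:-unknown}"
echo "reboot pending : $(kernel_reboot_pending "$running" "$newest")"
echo "l1tf sysfs     : $status"
echo "verdict        : $(classify_l1tf "$status")"
```

A verdict of "reboot pending: yes" means the apt-get or yum step succeeded but the vulnerable kernel is still running. "mitigated-smt-on" is only a concern if you run virtual machines on this host yourself; on a cloud instance the hypervisor belongs to the provider, and the guest kernel's "Mitigation: PTE Inversion" is what protects your own workload.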

If you have any questions about this process, please post to our community support forum and we will be happy to help!

Check out the official Foreshadow site [4] and the Red Hat article explaining the attack [5] for more information.

More information can be found in the following links: