• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • Create a VM ($25 Credit)
  • Buy a Domain
  • 1 Month free Back Blaze Backup
  • Other Deals
    • Domain Email
    • Nixstats Server Monitoring
    • ewww.io Auto WordPress Image Resizing and Acceleration
  • About
  • Links

IoT, Code, Security, Server Stuff etc

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

  • Cloud
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • How to buy a new domain and SSL cert from NameCheap, a Server from Digital Ocean and configure it.
    • Setting up a Vultr VM and configuring it
    • All Cloud Articles
  • Dev
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • How to setup pooled MySQL connections in Node JS that don’t disconnect
    • NodeJS code to handle App logins via API (using MySQL connection pools (1000 connections) and query parameters)
    • Infographic: So you have an idea for an app
    • All Development Articles
  • MySQL
    • Using the free Adminer GUI for MySQL on your website
    • All MySQL Articles
  • Perf
    • PHP 7 code to send object oriented sanitised input data via bound parameters to a MYSQL database
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • Measuring VM performance (CPU, Disk, Latency, Concurrent Users etc) on Ubuntu and comparing Vultr, Digital Ocean and UpCloud – Part 1 of 4
    • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
    • Setting up a website to use Cloudflare on a VM hosted on Vultr and Namecheap
    • All Performance Articles
  • Sec
    • Using the Qualys FreeScan Scanner to test your website for online vulnerabilities
    • Using OWASP ZAP GUI to scan your Applications for security issues
    • Setting up the Debian Kali Linux distro to perform penetration testing of your systems
    • Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare
    • PHP implementation to check a password exposure level with Troy Hunt’s pwnedpasswords API
    • Setting strong SSL cryptographic protocols and ciphers on Ubuntu and NGINX
    • Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
    • All Security Articles
  • Server
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • All Server Articles
  • Ubuntu
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • Useful Linux Terminal Commands
    • All Ubuntu Articles
  • VM
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • All VM Articles
  • WordPress
    • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
    • Installing and managing WordPress with WP-CLI from the command line on Ubuntu
    • How to backup WordPress on a host that has CPanel
    • Moving WordPress to a new self managed server away from CPanel
    • Moving a CPanel domain with email to a self managed VPS and Gmail
    • All WordPress Articles
  • All

patch

Ubuntu 16.04: Spectre, Meltdown Security Vulnerabilities (and how to patch).

January 10, 2018 by Simon

Below is a post about the Spectre and Meltdown Security vulnerabilities and mostly how it relates to Ubuntu.

Spectre and Meltdown Background

Google Project Zero found a server-side hardware bug (undocumented feature) that allows reading of privileged memory by leveraging a CPU (and possibly any GPU and SOC) feature to execute code ahead of time in “if” code branches before the result of the “if” case is known. This execute code ahead of demand feature was added to speed up processors to assists the FETCH, DECODE, EXECUTE and WRITE-BACK stages in the execution pipeline preparation.

Processors hate reading from main memory (it is too slow) so if data can be PREFETCHED or CACHED before being executed in the CPU allowing the CPU can do more work. This bug/flaw is not really a bug/flaw IMHO but an insecure efficiency feature.

Read more on the Spectre and Meltdown bug here at Wired.

CPU History

Aside: Check out the Red Hill Hardware guide and the evolution (documentation) of early CPU’s.

  • Intel 4004
  • Intel 286
  • Intel 386
  • Intel 486
  • Pentium and 686
  • AMD Athlon
  • Further Reading

You can read more about the Pentium 4’s cache, rapid execution engine and instruction set additions to learn more about the evolution of CPU efficiency here.

Making processors faster (adding more MHZ) may be futile if the cache is too small or slow, and simply adding more cache can increase costs. Branch prediction was a way to increase performance (by using idle clock cycles or saving clock cycles) without adding extra cache or silicone (extra cost). I suspect in the future branch prediction and read ahead features may be locked down or processor manufacturers may swing back to adding more MHZ/Cores/Cache.

Anandtech https://www.anandtech.com have a great article on branch prediction (I can’t find the article now but will add it when I find it later) but this guide gives the gist.

CPU 101

A CPU is much like a checkout area at a grocery store, and a multi-core CPU is like a grocery store with multiple checkouts.

  • Things (processing and reading to/from memory) happen sequentially (per core).
  • Only one item can be scanned (processed) at a time (per core).
  • Customers trolleys and items are like program threads and items to scan (to be calculated in the CPU).
  • Customers trolleys (programs with things to calculate) line up and wait for the CPU (attendant) to scan (execute) items. PRE-FETCH and other CPU tasks help organize data related to instructions.
  • One checkout line (core) cannot read or affect items at another checkout (thread safety).

When a price check is called on an item (causing huge delays while the price is being checked by a runner (reading from main memory)) the checkout attendant (CPU core) processes the next items at the checkout (items in the processor execution pipeline). Branch predicting will read ahead in idle times to prevent idle delays or cache-misses to prevent slowdown. Processors usually make sure things are in the processors L3, L2 or L1 memory before they are executed but some commands with pre-requisite data cannot be pre-cached.

CPU instruction information

Here is a list of x86 instructions

Troy Hunt in Weekly Update 68 https://www.troyhunt.com/weekly-update-68/ mentioned a twitter thread by Graham Sutherland (@gsuberland) https://twitter.com/gsuberland/status/948907452786933762 that summaries speculative execution more succinctly. Meltdown and Spectre bugs are due to the speculative execution in the processor.

Official Information on Spectre and Meltdown

Spectre (Security Vulnerability Wikipedia Article)

Meltdown (Security Vulnerability Wikipedia Article)

Proof of concepts exploits in the wide

Proof of concept and exploits are no doubt in the wild (as reported by Michael Schwarz – @misc0110)

Ubuntu Impact

I have a number of Ubuntu servers and I have updated them to fix Spectre and Meltdown issues.

UpCloud is my favourite cloud provider.

  • Setting up a Vultr VM (Ubuntu) and configuring it
  • How to buy a new domain and SSL cert from NameCheap, (Ubuntu) Server from Digital Ocean and configure it
  • Creating and configuring a CentOS server on Digital Ocean
  • Creating an AWS EC2 Ubuntu 14.04 server with NGINX, Node and MySQL and phpMyAdmin

Ubuntu said here that is has been notified by Intel of this issue since November 09 2017.

Ubuntu Timeline (16.04 related snip from here)

  • 2017 Nov 09: the Ubuntu Security team is notified by Intel under NDA.
  • 2017 Nov 20: the CRD is established as 2018-01-09.
  • 2017 Dec: the Ubuntu Security team receives notifications from additional silicon vendors about the impact to their products.
  • 2018 Jan 03: issue becomes public a few days before the CRD.
  • 2018 Jan 04: Canonical publicly communicates the planned update schedule.
  • 2018 Jan 04: Mozilla releases timing attack mitigations.
  • 2018 Jan 05: Ubuntu Firefox updates are made available in USN 3516-1.
  • 2018 Jan 07: Candidate kernels are beginning to be made available for testing at ppa:canonical-kernel-team/pti. This initial round will address CVE-2017-5754 (aka Meltdown or Variant 3) for x86_64. We will address CVE-2017-5715 and CVE-2017-5753 (aka Spectre or Variant 1 & 2) in a subsequent round. We will also address additional architectures in subsequent rounds. Kernels currently available are as follows. We will continue to update this table as more become available:
  • Package: linux, Version: 4.4.0-108.131, Series: Xenial 16.04
  • -2018 Jan 09: NVIDIA driver updates published, see USN-3521-1.
  • Cloud image updates.
  • Core image updates.

At this time it looks like this has been fixed on Ubuntu 16.04 LTS (Xenial Xerus) with released (57.0.4+build1-0ubuntu0.16.04.1). Consider updating your Ubuntu servers.

You can follow the Ubuntu CVE listing here to be ahead of future security issues.
https://people.canonical.com/~ubuntu-security/cve/main.html

Spectre and Meltdown related Ubuntu CVE’s

Spectre – CVE-2017-5715

Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html

Spectre – CVE-2017-5753

Description: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

Ubuntu-Description: Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory.

Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html

Meltdown – CVE-2017-5754

Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

Ubuntu-Description: Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory.

Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html

Links

Ubuntu Security News https://usn.ubuntu.com/usn/

Subscribe to the Ubuntu Security Announcement Distribution List https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Ubuntu CVE Tracker (Main) http://people.canonical.com/~ubuntu-security/cve/main.html

Links from CVE articles

https://spectreattack.com/
https://meltdownattack.com/
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
http://www.amd.com/en/corporate/speculative-execution
https://developer.arm.com/support/security-update
https://www.qemu.org/2018/01/04/spectre/
https://usn.ubuntu.com/usn/usn-3516-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://nvidia.custhelp.com/app/answers/detail/a_id/4611
https://usn.ubuntu.com/usn/usn-3521-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
https://github.com/IAIK/KAISER
https://gruss.cc/files/kaiser.pdf
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

FYI: Ubuntu 17.04 will not be getting the Spectre and Meltdown fixes, this is a good reason why not to use a non-LTS (long time support) release of Ubuntu (abandoned after 9 months):
https://lists.ubuntu.com/archives/ubuntu-announce/2018-January/000227.html

How to update Ubuntu

As always backup your server and configuration first (consider taking a snapshot). I run the following command to update my system and reboot.

Warning: Some packages may overwrite in-production configuration files (or break production servers) so take your time updating, use test servers (green and blue or dev, test and prod) and only upgrade production when you are ready.

sudo apt update && sudo apt upgrade && shutdown -r now

fyi: AWS related Speculative Execution post: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

Impact on Future Program Build Times

Twitter user Peter Czanik (@PCzanik https://twitter.com/PCzanik) reports that compile times that fix speculative execution have increased his build times from 4 minutes to 21 minutes.

Windows Impacts

Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

OSX Impacts
Report: Intel CPUs suffer from major security flaw, fix could bring notable performance hit to macOS

Web Browser and JavaScript Impacts

General

Here’s what every Chrome user should do in the wake of #Spectre

http://mashable.com/2018/01/04/google-chrome-spectre-precaution-meltdown/

Microsoft reveals how Spectre updates can slow your PC down

https://www.theverge.com/2018/1/9/16868290/microsoft-meltdown-spectre-firmware-updates-pc-slowdown

Microsoft halts AMD Meltdown and Spectre patches after reports of unbootable PCs

Review: https://twitter.com/search?q=spectre%20meltdown

Viewing the Change log of updatable packages

View the changelog of updatable packages for a certain Cve.

sudo apt-get update

sudo apt-get changelog ntp | grep CVE-2017-5715

The output will show matches of updatable packages that match.

Ubuntu Cloud Tips

Read my guide on Useful Linux Terminal Commands https://fearby.com/article/useful-linux-terminal-commands/

Read my guide on how to setting up a Vultr VM (Ubuntu) and configuring it https://fearby.com/article/setting-vultr-vm-configuring/

Good luck.

Scott Manley’s breakdown of Spectre and Meltdown

More Reading

Anandtech – Understanding Meltdown & Spectre: What To Know About New Exploits That Affect Virtually All CPUs.

More Fearby.com Reading

  • Run and Ubuntu Security scan with Lynis
  • WordFence security plugin for WordPress
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Setting up additional server storage on cloud servers (block storage on Vultr)

Donate and make this blog better

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.4 Scott Manleys link

v1.3 Added Anandtech article.

v1.2 Wired link.

v1.1 view the changelog of updatable packages.

v1.0 Initial Copy.

Hope this helps someone.

Filed Under: SpectreMeltdown Tagged With: 16.04, Branch, cpu, CVE, Execulative Execution, How, Meltdown, patch, security, Spectre, to, ubuntu, Vulnerabilities

Primary Sidebar

Poll

What would you like to see more posts about?
Results

Support this Blog

Create your own server today (support me by using these links

Create your own server on UpCloud here ($25 free credit).

Create your own server on Vultr here.

Create your own server on Digital Ocean here ($10 free credit).

Remember you can install the Runcloud server management dashboard here if you need DevOps help.

Advertisement:

Tags

2FA (9) Advice (17) Analytics (9) App (9) Apple (10) AWS (9) Backup (21) Business (8) CDN (8) Cloud (49) Cloudflare (8) Code (8) Development (26) Digital Ocean (13) DNS (11) Domain (27) Firewall (12) Git (7) Hosting (18) IoT (9) LetsEncrypt (7) Linux (21) Marketing (11) MySQL (24) NGINX (11) NodeJS (11) OS (10) Performance (6) PHP (13) Scalability (12) Scalable (14) Security (45) SEO (7) Server (26) Software (7) SSH (7) ssl (17) Tech Advice (9) Ubuntu (39) Uncategorized (23) UpCloud (12) VM (45) Vultr (24) Website (14) Wordpress (25)

Disclaimer

Terms And Conditions Of Use All content provided on this "www.fearby.com" blog is for informational purposes only. Views are his own and not his employers. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. Never make changes to a live site without backing it up first.

Advertisement:

Footer

Popular

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Setup two factor authenticator protection at login on Ubuntu or Debian
  • Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
  • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Add Google AdWords to your WordPress blog

Security

  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Setup two factor authenticator protection at login on Ubuntu or Debian
  • Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
  • Setting up DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare
  • Set up Feature-Policy, Referrer-Policy and Content Security Policy headers in Nginx
  • Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
  • Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare
  • Using the Qualys FreeScan Scanner to test your website for online vulnerabilities
  • Beyond SSL with Content Security Policy, Public Key Pinning etc
  • Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins
  • Run an Ubuntu VM system audit with Lynis
  • Securing Ubuntu in the cloud
  • No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider

Code

  • How to code PHP on your localhost and deploy to the cloud via SFTP with PHPStorm by Jet Brains
  • Useful Java FX Code I use in a project using IntelliJ IDEA and jdk1.8.0_161.jdk
  • No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider
  • How to setup PHP FPM on demand child workers in PHP 7.x to increase website traffic
  • Installing Android Studio 3 and creating your first Kotlin Android App
  • PHP 7 code to send object oriented sanitised input data via bound parameters to a MYSQL database
  • How to use Sublime Text editor locally to edit code files on a remote server via SSH
  • Creating your first Java FX app and using the Gluon Scene Builder in the IntelliJ IDEA IDE
  • Deploying nodejs apps in the background and monitoring them with PM2 from keymetrics.io

Tech

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • US v Huawei: The battle for 5G
  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Is OSX Mojave on a 2014 MacBook Pro slower or faster than High Sierra
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..
  • The case of the overheating Mac Book Pro and Occam’s Razor
  • Useful Linux Terminal Commands
  • Useful OSX Terminal Commands
  • Useful Linux Terminal Commands
  • What is the difference between 2D, 3D, 360 Video, AR, AR2D, AR3D, MR, VR and HR?
  • Application scalability on a budget (my journey)
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Why I will never buy a new Apple Laptop until they fix the hardware cooling issues.

Wordpress

  • Replacing Google Analytics with Piwik/Matomo for a locally hosted privacy focused open source analytics solution
  • Setting web push notifications in WordPress with OneSignal
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..
  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins
  • Wordfence Security Plugin for WordPress
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Installing and managing WordPress with WP-CLI from the command line on Ubuntu
  • Moving WordPress to a new self managed server away from CPanel
  • Moving WordPress to a new self managed server away from CPanel

General

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • US v Huawei: The battle for 5G
  • Using the WinSCP Client on Windows to transfer files to and from a Linux server over SFTP
  • Connecting to a server via SSH with Putty
  • Setting web push notifications in WordPress with OneSignal
  • Infographic: So you have an idea for an app
  • Restoring lost files on a Windows FAT, FAT32, NTFS or Linux EXT, Linux XFS volume with iRecover from diydatarecovery.nl
  • Building faster web apps with google tools and exceed user expectations
  • Why I will never buy a new Apple Laptop until they fix the hardware cooling issues.
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..

Copyright © 2023 · News Pro on Genesis Framework · WordPress · Log in

Some ads on this site use cookies. You can opt-out if of local analytics tracking by scrolling to the bottom of the front page or any article and clicking "You are not opted out. Click here to opt out.". Accept Reject Read More
GDPR, Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT