From owner-freebsd-security-notifications@freebsd.org Tue Nov 12 19:12:06 2019
Return-Path: <owner-freebsd-security-notifications@freebsd.org>
Delivered-To: freebsd-security-notifications@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mailman.nyi.freebsd.org (Postfix) with ESMTP id 2E5491B6073
for <freebsd-security-notifications@mailman.nyi.freebsd.org>;
Tue, 12 Nov 2019 19:12:06 +0000 (UTC)
(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
[IPv6:2610:1c1:1:6074::16:84])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
server-signature RSA-PSS (4096 bits)
client-signature RSA-PSS (4096 bits) client-digest SHA256)
(Client CN "freefall.freebsd.org",
Issuer "Let's Encrypt Authority X3" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id 47CHRp0VPxz3wh5;
Tue, 12 Nov 2019 19:12:06 +0000 (UTC)
(envelope-from security-advisories@freebsd.org)
Received: by freefall.freebsd.org (Postfix, from userid 945)
id 0A6751178; Tue, 12 Nov 2019 19:12:06 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-19:25.mcepsc
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20191112191206.0A6751178@freefall.freebsd.org>
Date: Tue, 12 Nov 2019 19:12:06 +0000 (UTC)
X-BeenThere: freebsd-security-notifications@freebsd.org
X-Mailman-Version: 2.1.29
List-Id: "Moderated Security Notifications \[moderated,
low volume\]" <freebsd-security-notifications.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security-notifications>,
<mailto:freebsd-security-notifications-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security-notifications/>
List-Post: <mailto:freebsd-security-notifications@freebsd.org>
List-Help: <mailto:freebsd-security-notifications-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications>,
<mailto:freebsd-security-notifications-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2019 19:12:06 -0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:25.mcepsc Security Advisory
The FreeBSD Project
Topic: Machine Check Exception on Page Size Change
Category: core
Module: kernel
Announced: 2019-11-12
Credits: Intel
Affects: All supported versions of FreeBSD.
Corrected: 2019-11-12 18:03:26 UTC (stable/12, 12.1-STABLE)
2019-11-12 18:13:04 UTC (releng/12.1, 12.1-RELEASE-p1)
2019-11-12 18:13:04 UTC (releng/12.0, 12.0-RELEASE-p12)
2019-11-12 18:04:28 UTC (stable/11, 11.3-STABLE)
2019-11-12 18:13:04 UTC (releng/11.3, 11.3-RELEASE-p5)
CVE Name: CVE-2018-12207
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The Intel machine check architecture is a mechanism to detect and report
hardware errors, such as system bus errors, ECC errors, parity errors, and
others. This allows the processor to signal the detection of a machine
check error to the operating system.
II. Problem Description
Intel discovered a previously published erratum on some Intel platforms can
be exploited by malicious software to potentially cause a denial of service
by triggering a machine check that will crash or hang the system.
III. Impact
Malicious guest operating systems may be able to crash the host.
IV. Workaround
No workaround is available. Systems not running untrusted guest virtual
machines are not impacted.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch.asc
# gpg --verify mcepsc.12.1.patch.asc
[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch.asc
# gpg --verify mcepsc.12.0.patch.asc
[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch.asc
# gpg --verify mcepsc.11.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r354650
releng/12.1/ r354653
releng/12.0/ r354653
stable/11/ r354651
releng/11.3/ r354653
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://software.intel.com/security-software-guidance/software-guidance/machine-check-error-avoidance-page-size-change>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:25.mcepsc.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl3K+khfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIWdA//dTBwRIejd8vkgB/6wCLfXARU2Nw9je69JwfvpC/3BzkV+oD9rwoL7ltk
NtOIu6otRmGnGHvC19WQ/JdlHUgtoxaxB26ROoU5BCYPJL7dU48T6l6RLbNXdMC4
MxU3mgbiDrVw9hhh42qKNVQ+ZzpMjgUPN1WRCyKQNlG7jNm5a8BvBaK0mFYkLdEw
9u+kNpXdaC9Ip45JI4QVS+jyK5JqFYWZw4SlB6AggcMO93QySzWWx4ZjXafw+0EK
VoS8ByQ5nTlCVqq+hok+yVEz42mZ9AFSE1E1n3pe5TFZZmxF+NcDVMw324eLWUY3
pVX3S6Y0dCtKKvpyy2WIMrBV4Ro5BX3nQXJINdwCo2IlBRvJgK7u0wK3P0ionsJk
Hc4x3sjZQm9Rhb8qqOh01wb7MjmGMWX/nlyishF6MAmnIV3dXctMaG00CSsIMbv9
jtx5v8uSGUHXb8bGYa6QLxaNN1gV6ZLMne1HLunkP7sCX9NYfibjkBXSIfNAkQTn
MFrz9LLgy1K+8s2D1yFJZeyAZMWZ82yc14FSbux21pZS8MURpFt0OBYymAlzn0/J
fhFEKg7rjKBuIBKjDycu9K8+s8h5TIGDROmgQojeqHm6wmlqyGVIPsREyBcCEvwM
16pasZC9s5C7aoSvzDExekR+LQOc8jVZ80KjNGmMga41tSANKTQ=
=9nRn
-----END PGP SIGNATURE-----
From owner-freebsd-security-notifications@freebsd.org Tue Nov 12 19:17:22 2019
Return-Path: <owner-freebsd-security-notifications@freebsd.org>
Delivered-To: freebsd-security-notifications@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mailman.nyi.freebsd.org (Postfix) with ESMTP id 71C0E1B724B
for <freebsd-security-notifications@mailman.nyi.freebsd.org>;
Tue, 12 Nov 2019 19:17:22 +0000 (UTC)
(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
[IPv6:2610:1c1:1:6074::16:84])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
server-signature RSA-PSS (4096 bits)
client-signature RSA-PSS (4096 bits) client-digest SHA256)
(Client CN "freefall.freebsd.org",
Issuer "Let's Encrypt Authority X3" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id 47CHYt2W7Qz3yJr;
Tue, 12 Nov 2019 19:17:22 +0000 (UTC)
(envelope-from security-advisories@freebsd.org)
Received: by freefall.freebsd.org (Postfix, from userid 945)
id 36E461493; Tue, 12 Nov 2019 19:17:22 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-19:26.mcu
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20191112191722.36E461493@freefall.freebsd.org>
Date: Tue, 12 Nov 2019 19:17:22 +0000 (UTC)
X-BeenThere: freebsd-security-notifications@freebsd.org
X-Mailman-Version: 2.1.29
List-Id: "Moderated Security Notifications \[moderated,
low volume\]" <freebsd-security-notifications.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security-notifications>,
<mailto:freebsd-security-notifications-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security-notifications/>
List-Post: <mailto:freebsd-security-notifications@freebsd.org>
List-Help: <mailto:freebsd-security-notifications-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications>,
<mailto:freebsd-security-notifications-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2019 19:17:22 -0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:26.mcu Security Advisory
The FreeBSD Project
Topic: Intel CPU Microcode Update
Category: 3rd party
Module: Intel CPU microcode
Announced: 2019-11-12
Credits: Intel
Affects: All supported versions of FreeBSD running on certain
Intel CPUs.
CVE Name: CVE-2019-11135, CVE-2019-11139, CVE-2018-12126,
CVE-2018-12127, CVE-2018-12130, CVE-2018-11091,
CVE-2017-5715
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
- From time to time Intel releases new CPU microcode to address functional
issues and security vulnerabilities. Such a release is also known as a
Micro Code Update (MCU), and is a component of a broader Intel Platform
Update (IPU). FreeBSD distributes CPU microcode via the devcpu-data port
and package.
II. Problem Description
Starting with version 1.26, the devcpu-data port/package includes updates and
mitigations for the following technical and security advisories (depending
on CPU model).
Intel TSX Updates (TAA) CVE-2019-11135
Voltage Modulation Vulnerability CVE-2019-11139
MD_CLEAR Operations CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2018-11091
TA Indirect Sharing CVE-2017-5715
EGETKEY CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2018-11091
JCC SKX102 Erratum
Updated microcode includes mitigations for CPU issues, but may also cause a
performance regression due to the JCC erratum mitigation. Please visit
http://www.intel.com/benchmarks for further information.
Please visit http://www.intel.com/security for detailed information on
these advisories as well as a list of CPUs that are affected.
III. Impact
Operating a CPU without the latest microcode may result in erratic or
unpredictable behavior, including system crashes and lock ups. Certain
issues listed in this advisory may result in the leakage of privileged
system information to unprivileged users. Please refer to the security
advisories listed above for detailed information.
IV. Workaround
To determine if TSX is present in your system, run the following:
1. kldload cpuctl
2. cpucontrol -i 7 /dev/cpuctl0
If bits 4 (0x10) and 11 (0x800) are set in the second response word (EBX),
TSX is present.
In the absence of updated microcode, TAA can be mitigated by enabling the
MDS mitigation:
3. sysctl hw.mds_disable=1
Systems must be running FreeBSD 11.3, FreeBSD 12.1, or later for this to
work.
*IMPORTANT*
If your use case can tolerate leaving the CPU issues unmitigated and cannot
tolerate a performance regression, ensure that the devcpu-data package is
not installed or is locked at 1.25 or earlier.
# pkg delete devcpu-data
or
# pkg lock devcpu-data
Later versions of the LLVM and GCC compilers will include changes that
partially relieve the peformance impact.
V. Solution
Install the latest Intel Microcode Update via the devcpu-data port/package,
version 1.26 or later.
Updated microcode adds the ability to disable TSX. With updated microcode
the issue can still be mitigated by enabling the MDS mitigation as
described in the workaround section, or by disabling TSX instead:
1. kldload cpuctl
2. cpucontrol -i 7 /dev/cpuctl0
If bit 29 (0x20000000) is set in the fourth response word (EDX), then the
0x10a MSR is present.
3. cpucontrol -m 0x10a /dev/cpuctl0
If bit 8 (0x100) of the response word is set, your CPU is not vulnerable to
TAA and no further action is required.
If bit 7 (0x80) is cleared, then your CPU does not have updated microcode
that facilitates TSX to be disabled. The only remedy available is to
enable the MDS mitigation, as documented above.
4. cpucontrol -m 0x122=3 /dev/cpuctl0
Repeat step 4 for each numbered CPU that is present.
A future kernel change to FreeBSD will provide automatic detection and
mitigation for TAA.
LLVM 9.0 will be updated in FreeBSD 13-current to address the JCC
peformance impact. Updates to prior versions of LLVM are currently being
evaluated.
VI. Correction details
There are currently no changes in FreeBSD to address this issue.
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11139>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11091>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715>
<URL:https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/>
<URL:https://software.intel.com/security-software-guidance/software-guidance/intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort>
<URL:https://www.intel.com/content/www/us/en/support/articles/000055650.html>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:26.mcu.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl3LArVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJGQQ//ad41YWDAdgBMTWiF56qeySqElIOHt/mLt06s2WW9ceUoJpKW8rKwA4hi
sjuDlj4vg8ohdiFaZhTxX/smQi3BS+M0xi40fFFgMRR7HuVh11l6bPr+DoUH/Zi+
E5aiAilOlv/WUAxIrdx0ZlHPkjZ9vfSIPbiqmIkdlFEl4QCuusMRqXKNxaIzzk/K
rzabCN4NsQPk0SYIZ9l+tZ6JxOOeRaYn+aCjzlbkiYR+wttIaH9nTECx2Rj7XvSw
9Ng/Mq0M6QsTV/jKfQDRMxRnNfnzF7865uBQYxZNFY9VP5Z21CcqMT54ia5NgcG8
8Bn2fnM3HcK5LUW3DRnsLhAi6XX0EuX5VMdYvx20aQUj/k8f6a0cPmtSqUVkpU/K
ZcmLd4X+YS/o3UZnRY9OZOEb+kmZE/Yr8f/hR8tmle6FCPS1YLtkwDn3qg/oQA03
B5rLmzc+x32XZC0dn/HRZTLc4TXQLij0kZpuxiDmbEJmdARDWsl+e0VdBuQdD3Hr
Q2QvhSVvQgwue8vclfIQVElSZpW93HuyyR8O8ugofwcOt7XwI7k+8ZfrjkjHMPGZ
QW/i0FQJx4Kup70bzOubb3VEQ7cwAJtE1dvY55oaulDexq3RVMW7oEsvd84X2K8O
G3+YOZLMrvM1kFskRt067rttbJfMXvstMSHCCfGSqA7fdth6VNQ=
=KAsu
-----END PGP SIGNATURE-----