KernelCare Blog

Contents

About the Zombieload/MDS Vulnerability

Patch Release Schedule


About the Zombieload/MDS Vulnerability

Vulnerabilities are becoming like celebrities, with freaky names and their own websites.

The latest ones to hit the scene are Zombieload, RIDL and Fallout, known collectively as Microarchitectural Data Sampling (MDS for short), discovered by Intel and researched by academic departments at security-focused institutions around the world. These vulnerabilities are in the same vein as Spectre and Meltdown: CPU design flaws that reveal data they should not. Zombieload is particularly worrying because it affects all Intel Core and Xeon CPUs manufactured since 2011.

There are four distinct vulnerability registrations that together make a Zombieload exploit possible: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091. Look at the identifiers and you’ll see three were registered last year. The issue was kept under wraps, a practice known as Coordinated Disclosure, to stop ‘bad actors’ from exploiting vulnerabilities before the rest of us can defend against them. Microsoft, Amazon AWS and Google have all mitigated the problem in their data centers, being in the ‘inner circle’ of companies that receive advance notice of such problems. Everyone else has to wait for an update from their OS vendor.

KernelCare started testing live patches for MDS on Friday, May 17, rolling them out for the main distributions first, others later. For the latest news, follow us on @KernelCare.

While we are working on patches for you, watch the video with insights on MDS from Igor Seletskiy:

How to mitigate the MDS/Zombieload Vulnerability

a) If you are running on hardware

To mitigate this vulnerability you need to take three steps, none of which requires a reboot if you follow the instructions below:

Step 1:

Update Microcode without a reboot

Microcode is the code that runs inside the CPU itself and is maintained by Intel. A microcode update is usually applied on reboot: you get the new kernel, it carries the new microcode, and when the kernel boots it loads that microcode into the CPU.

You can update microcode without a reboot using our instructions.

Step 2:

Disable Hyperthreading without a reboot

If you don't disable simultaneous multithreading (SMT, Intel's Hyperthreading), an attacker running on the same CPU can still read data from it.

With KernelCare you can disable Hyperthreading without a reboot using our instructions.

Step 3:

Apply KernelCare patches

Even if you have done steps 1 and 2, you must still update the Linux kernel to ensure that a local user cannot read the data you are processing on the CPU.

With KernelCare you can do that without rebooting. Sign up for the free 30-day trial.

b) If you are running on a Virtual Machine

You only need to patch the Linux kernel inside the VM. Make sure the host node is updated as well; this is typically done by your service provider.

If you are already using KernelCare, your patches will be delivered automatically and you don't need to do anything extra.

If not, this is the right time to sign up for the free 30-day trial.
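A quick way to confirm that the three steps above (and, for the VM case, the guest side) actually took effect is to ask the kernel itself. The following POSIX shell script is an added example, not code from KernelCare or from this post. It assumes that an MDS-patched kernel exposes /sys/devices/system/cpu/vulnerabilities/mds and /sys/devices/system/cpu/smt/control, that the status strings follow the format documented in the kernel's MDS admin guide (quoted in the script), and that /proc/cpuinfo lists the md_clear flag once the buffer-clearing microcode is loaded; the cpuinfo excerpts inside it are constructed samples, not captures from a real machine.

```shell
#!/bin/sh
# Added example, not KernelCare's code: report the kernel's own view of the MDS
# mitigation state after steps 1-3 (hardware) or after patching inside a VM.
# Assumptions: an MDS-patched kernel exposes
#   /sys/devices/system/cpu/vulnerabilities/mds  (status text, documented format)
#   /sys/devices/system/cpu/smt/control          (on, off, forceoff, notsupported, notimplemented)
# and /proc/cpuinfo lists the md_clear flag once the buffer-clearing microcode is
# loaded. Older kernels lack the sysfs files; those are reported as "unknown".

# Print the first line of a file, or "unknown" if it is absent or unreadable.
read_or_unknown() {
    if [ -r "$1" ]; then head -n 1 "$1"; else echo unknown; fi
}

# Return 0 if the flag named in $2 appears on the first "flags" line of the
# cpuinfo text passed in $1 (text is passed in so the check can run offline).
has_cpu_flag() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | head -n 1 \
        | tr ' ' '\n' | grep -qx -- "$2"
}

# Map the sysfs status text to a verdict keyed to the steps in the post:
#   not-affected     CPU is not subject to MDS
#   mitigated        microcode (step 1), SMT off (step 2) and kernel (step 3) in place
#   guest-mitigated  kernel inside a VM is patched; host SMT state must be confirmed
#                    with the provider, as section b) says
#   partial          kernel patched but microcode missing (step 1) or SMT still on (step 2)
#   vulnerable       kernel carries no mitigation (step 3 missing)
#   unknown          file absent or text not recognised
mds_classify() {
    case "$1" in
        "Not affected")                                            echo not-affected ;;
        "Mitigation: Clear CPU buffers; SMT disabled")             echo mitigated ;;
        "Mitigation: Clear CPU buffers; SMT mitigated")            echo mitigated ;;
        "Mitigation: Clear CPU buffers; SMT Host state unknown")   echo guest-mitigated ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable")           echo partial ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)  echo partial ;;
        Vulnerable*)                                               echo vulnerable ;;
        *)                                                         echo unknown ;;
    esac
}

# Live report for the machine this runs on; missing files simply show as unknown.
mds_report() {
    mds="$(read_or_unknown /sys/devices/system/cpu/vulnerabilities/mds)"
    smt="$(read_or_unknown /sys/devices/system/cpu/smt/control)"
    flag=no
    if [ -r /proc/cpuinfo ] && has_cpu_flag "$(cat /proc/cpuinfo)" md_clear; then flag=yes; fi
    printf 'mds status : %s\nsmt control: %s\nmd_clear   : %s\nverdict    : %s\n' \
        "$mds" "$smt" "$flag" "$(mds_classify "$mds")"
}

# Constructed /proc/cpuinfo excerpts (not captured from a real host): one with the
# md_clear flag (microcode updated), one without (step 1 still missing).
SAMPLE_CPUINFO_NEW='processor : 0
vendor_id : GenuineIntel
flags     : fpu vme de pse tsc msr pae mce cx8 ssbd md_clear flush_l1d'
SAMPLE_CPUINFO_OLD='processor : 0
vendor_id : GenuineIntel
flags     : fpu vme de pse tsc msr pae mce cx8 ssbd flush_l1d'

mds_report
```

Run it after each step: the verdict moves from vulnerable (no kernel fix) through partial (kernel fixed but microcode missing, or SMT still on) to mitigated. Inside a VM the kernel cannot see the host's SMT state and reports guest-mitigated; that is the point at which you confirm with your provider that the host node is updated.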

MDS/Zombieload Vulnerability Patch Release Schedule

Updated Friday, May 24

The KernelCare patch release schedule is shown below. Release schedules are subject to change. Check here regularly or get in touch with our helpdesk.

Released to production:

  • CentOS 6
  • CentOSPlus for CentOS 6
  • CloudLinux OS 6
  • Ubuntu 18.04 LTS (Bionic Beaver)
  • Ubuntu 16.04 LTS (Xenial Xerus)
  • Oracle Enterprise Linux 6
  • Oracle Enterprise Linux 7
  • Oracle UEK 3
  • OpenVZ
  • Proxmox VE
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Patches from the production feed will be applied automatically.

Released to the test feed:

  • CentOS 7
  • CentOSPlus for CentOS 7
  • Cloud Linux 6 hybrid

To install patches from the test feed, run the command:

kcarectl --test --update

When production updates are available, KernelCare will use the regular feed automatically.

Due Friday, May 24

  • Debian 8
  • Debian 9
  • CloudLinux OS 7
  • Oracle Enterprise Linux 

Due Monday, May 27

  • Amazon Linux 1
  • Amazon Linux 2
  • CentOS 7
  • CentOSPlus for CentOS 7
  • Oracle UEK 4
  • Oracle UEK 5
  • Ubuntu 14.04 LTS (Trusty Tahr)