Kernel Vulnerability Mitigation Issue
Parker, James [USA]
Parker_James2 at bah.com
Wed May 12 17:55:35 UTC 2021
Good afternoon Ubuntu Kernel Team!
I'm James, a System Administrator with Booz Allen Hamilton, and we've been having some kernel vulnerability issues we think you will hopefully be able to assist us with getting to a resolution of some sort.
After a lengthy back and forth discussion with the AWS Support Center, they pointed us to the Ubuntu Kernel Team, so I'm reaching out about some vulnerabilities in several of the Ubuntu OS kernels that we're having trouble with getting the mitigations to take effect. We can discuss the majority of the details in follow-on conversations, but for starters here is the basic gist of what we've done so far in a chart that shows most of our tests with the results.
The following AWS EC2 instance types, Ubuntu OS versions, and kernel versions have been tested in a virtual environment. These have all been scanned (as a privileged user) with Greenbone's OpenVAS vulnerability scanner with the latest feeds, which reported the CVE vulnerabilities below as missing mitigations. These same vulnerabilities also showed up in the 'lscpu' command (see lscpu output below).
Despite our various attempts to add the recommended mitigations to the /etc/default/grub file, running the update-grub command, and power-cycling the AWS EC2 Instances, we continue to see these kernel vulnerabilities showing up in the results of 'lscpu' and OpenVAS scans as missing mitigations, and we are looking for a way to apply the mitigations or update to a different kernel that is not vulnerable for these EC2 Instance types (primarily Intel Xeon CPUs):
OS Version           Kernel Version           AWS EC2 Instance Type   Kernel Vulnerabilities (missing mitigations)
Ubuntu 18.04.5 LTS   4.15.0-2000-aws-fips     t3.medium               iTLB, MDS, SSB, TAA
Ubuntu 20.04.2 LTS   4.15.0-2000-aws-fips     t3.medium               iTLB, MDS, SSB, TAA
Ubuntu 20.04.2 LTS   5.12.0-051200-generic    m5.xlarge               Not Scanned
Ubuntu 20.04.2 LTS   5.4.0-1022-aws           t3.large                SSB, iTLB, MDS
Ubuntu 20.04.2 LTS   5.4.0-1045-aws           t3.large                SSB, iTLB, MDS
Ubuntu 20.04.2 LTS   5.4.0-1047-aws           t3.large                SSB, iTLB, MDS
Ubuntu 20.04.2 LTS   5.4.0-1047-aws           t3.small                SSB, iTLB, MDS
Ubuntu 20.04.2 LTS   5.4.0-72-generic         t3.large                SSB, iTLB, MDS, TAA
Ubuntu 20.04.2 LTS   5.8.0-50-generic         m5.xlarge               SSB, MDS
Ubuntu 20.04.2 LTS   5.8.0-50-generic         t3.large                SSB, MDS, TAA
Ubuntu 20.04.2 LTS   5.8.0-50-generic         c5.xlarge               SSB, MDS
Ubuntu 20.04.2 LTS   5.8.0-50-generic         inf1.xlarge             SSB, MDS
Ubuntu 20.04.2 LTS   5.8.0-50-generic         t3.large                SSB, MDS
Ubuntu 20.04.2 LTS   5.8.0-50-generic         t3.xlarge               SSB, MDS, TAA
Ubuntu 20.04.2 LTS   5.8.0-50-generic         r5.xlarge               SSB, MDS, TAA
Ubuntu 20.04.2 LTS   5.8.0-50-generic         c5n.4xlarge             SSB, MDS, TAA
Ubuntu 20.04.2 LTS   5.8.0-50-generic         t3.large                MDS, SSB
Ubuntu 20.04.2 LTS   5.8.0-50-generic         t3.small                MDS, SSB, TAA
*See the section on "Choice of Processors" at this link for more details about the various AWS EC2 Instance Types and which CPU it's using: Amazon EC2<https://aws.amazon.com/ec2/?hp=tile&so-exp=below&ec2-whats-new.sort-by=item.additionalFields.postDateTime&ec2-whats-new.sort-order=desc>
LSCPU Output:
root@ubuntu:~# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
Address sizes: 46 bits physical, 48 bits virtual
CPU(s): 16
On-line CPU(s) list: 0-15
Thread(s) per core: 2
Core(s) per socket: 8
Socket(s): 1
NUMA node(s): 1
Vendor ID: GenuineIntel
CPU family: 6
Model: 85
Model name: Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
Stepping: 7
CPU MHz: 3100.427
BogoMIPS: 4999.97
Hypervisor vendor: KVM
Virtualization type: full
L1d cache: 256 KiB
L1i cache: 256 KiB
L2 cache: 8 MiB
L3 cache: 35.8 MiB
NUMA node0 CPU(s): 0-15
Vulnerability Itlb multihit: KVM: Mitigation: VMX unsupported
Vulnerability L1tf: Mitigation; PTE Inversion
Vulnerability Mds: Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
Vulnerability Meltdown: Mitigation; PTI
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2: Mitigation; Full generic retpoline, STIBP disabled, RSB filling
Vulnerability Srbds: Not affected
Vulnerability Tsx async abort: Not affected
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves ida arat pku ospke
OpenVAS Results: (attached as image003.jpg; not reproduced in the archive)
Is there a way to mitigate these vulnerabilities in the AWS EC2 instances? Or do you have any recommendations as far as configuration settings or a specific kernel we should be using, etc.?
Please let us know if you have any questions regarding this issue.
Thank you.
v/r
James Parker
Lead Technologist
Booz | Allen | Hamilton
---------------------------------------------
Mobile: 865.607.5117
Desk: 240.547.2981
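As an added example, not part of the original post and not code from the Ubuntu kernel team: a small POSIX shell script that reads the same per-vulnerability status the post's lscpu output shows (the kernel exposes it under /sys/devices/system/cpu/vulnerabilities) and, for every entry reported as Vulnerable, checks whether the CPUID feature the in-kernel mitigation depends on is present in the CPU flags. The mapping it uses is from the kernel's hw-vuln documentation: MDS and TAA need md_clear, Speculative Store Bypass needs ssbd. The sample flags and status strings are copied from the lscpu output above, so the script runs offline; the feature list in missing_features and the output labels are this example's own choices. Note that the flags line in the post contains neither md_clear nor ssbd, which is exactly what "Clear CPU buffers attempted, no microcode" expresses: when the guest's CPUID lacks the feature, the kernel has nothing to enable, so no /etc/default/grub setting will change the status; only updated microcode exposed to the guest by the hypervisor can.

```shell
#!/bin/sh
# Added example (not from the original post): classify each kernel-reported
# speculative-execution vulnerability and say whether a missing mitigation
# is a kernel command-line matter or a missing CPUID feature (microcode /
# hypervisor). Sample data below is copied from the lscpu output in the post.

# Constructed sample: the flags line from the post's lscpu output.
SAMPLE_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves ida arat pku ospke"

# Constructed sample: sysfs entry name | status string, as in the post.
SAMPLE_VULNS='itlb_multihit|KVM: Mitigation: VMX unsupported
l1tf|Mitigation; PTE Inversion
mds|Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
meltdown|Mitigation; PTI
spec_store_bypass|Vulnerable
spectre_v1|Mitigation; usercopy/swapgs barriers and __user pointer sanitization
spectre_v2|Mitigation; Full generic retpoline, STIBP disabled, RSB filling
srbds|Not affected
tsx_async_abort|Not affected'

# has_flag FLAGS NAME: succeeds if NAME appears in the space-separated FLAGS.
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# required_flag NAME: CPUID feature the kernel needs to mitigate sysfs entry
# NAME (per Documentation/admin-guide/hw-vuln); empty if none applies here.
required_flag() {
    case "$1" in
        mds|tsx_async_abort) echo md_clear ;;
        spec_store_bypass)   echo ssbd ;;
        *)                   echo "" ;;
    esac
}

# missing_features FLAGS: mitigation-related microcode features absent from
# FLAGS (list chosen for this example; all are delivered by microcode).
missing_features() {
    out=""
    for feat in md_clear ssbd spec_ctrl ibpb stibp; do
        has_flag "$1" "$feat" || out="$out $feat"
    done
    echo "${out# }"
}

# diagnose NAME STATUS FLAGS: prints one token
#   not-affected   kernel says the CPU is not affected
#   mitigated      kernel reports an active mitigation
#   no-cpuid:<f>   Vulnerable, and feature <f> is not exposed to this CPU:
#                  a grub/kernel parameter cannot fix it, microcode can
#   cmdline        Vulnerable although the feature is present: check
#                  /proc/cmdline (mitigations=, mds=, spec_store_bypass_disable=)
diagnose() {
    name=$1; status=$2; flags=$3
    case "$status" in
        "Not affected"*) echo not-affected; return 0 ;;
        Vulnerable*)     ;;
        *Mitigation*)    echo mitigated; return 0 ;;
        *)               echo unknown; return 0 ;;
    esac
    need=$(required_flag "$name")
    if [ -n "$need" ] && ! has_flag "$flags" "$need"; then
        echo "no-cpuid:$need"
    else
        echo cmdline
    fi
}

# report_sample: run the diagnosis over the constructed sample above.
report_sample() {
    printf '%s\n' "$SAMPLE_VULNS" | while IFS='|' read -r n s; do
        printf '%-18s %-18s %s\n' "$n" "$(diagnose "$n" "$s" "$SAMPLE_FLAGS")" "$s"
    done
    echo "microcode features absent from flags: $(missing_features "$SAMPLE_FLAGS")"
}

# scan_live: same report for the running kernel via sysfs and /proc/cpuinfo.
scan_live() {
    dir=/sys/devices/system/cpu/vulnerabilities
    [ -d "$dir" ] || return 1
    flags=$(awk -F': ' '/^flags/ { print $2; exit }' /proc/cpuinfo)
    for f in "$dir"/*; do
        n=${f##*/}; s=$(cat "$f")
        printf '%-18s %-18s %s\n' "$n" "$(diagnose "$n" "$s" "$flags")" "$s"
    done
    echo "microcode features absent from flags: $(missing_features "$flags")"
}

echo "== sample from the post =="
report_sample
echo "== this machine =="
scan_live 2>/dev/null || echo "(no sysfs vulnerability directory here)"
```

On the post's sample the script reports mds as no-cpuid:md_clear and spec_store_bypass as no-cpuid:ssbd, while itlb_multihit ("KVM: Mitigation: VMX unsupported") is counted as mitigated because that is how the kernel phrases it. Only entries that come out as cmdline are candidates for the /etc/default/grub route; for the others the thing to compare across instance types and kernels is whether md_clear and ssbd ever appear in the flags line.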
More information about the kernel-team mailing list