Meltdown/Spectre security patches

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.

Meltdown

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

If your computer has a vulnerable processor and runs an unpatched operating system, you cannot work with sensitive information without the risk of leaking it. This applies to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.

CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

Spectre

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.

CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

Parrot Response

The Parrot team has released the following security updates to fix these vulnerabilities:

intel-microcode (3.20171215.1)

* Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367) New upstream microcodes to partially address CVE-2017-5715
 + Updated Microcodes:
 sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
 sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
 sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
 sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
 sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
 sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
 sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
 sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
 sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
 sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
 * Implements IBRS and IBPB support via new MSR (Spectre variant 2 mitigation, indirect branches). Support is exposed through cpuid(7).EDX.
 * LFENCE terminates all previous instructions (Spectre variant 2 mitigation, conditional branches).

Update imported from Debian without further rework.

firefox (57.0.4-1)

* New upstream release.
 * Fixes for mfsa2018-01, mitigating "Spectre" side-channel attack.

Update imported from Debian without further rework.

linux (4.14.12-2parrot12)

* New upstream stable update:
 - x86/cpufeatures: Add X86_BUG_CPU_INSECURE
 - x86/mm/pti: Disable global pages if PAGE_TABLE_ISOLATION=y
 - x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3
 switching
 - x86/mm/pti: Add infrastructure for page table isolation
 - x86/pti: Add the pti= cmdline option and documentation
 * [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)
 (CVE-2017-5754)
<partial changelog>

The package was reworked by the team, and was compiled on a secure and isolated build infrastructure.

The full changelog for the linux kernel package is available at /usr/share/doc/linux/changelog.Debian.gz or online at dev.parrotsec.org.

We recommend that our users dist-upgrade and reboot the system as soon as possible.
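
A post-reboot check, added here as an example (it is not Parrot's or Debian's own tooling): it rebuilds the CPUID signature from /proc/cpuinfo and compares the running microcode revision with the table in the intel-microcode changelog above. It assumes a revision equal to or higher than the listed one is acceptable and ignores pf_mask; the function names and the sample stanza are constructed for illustration.

```python
import re
from pathlib import Path

# CPUID signature -> microcode revision, copied from the intel-microcode
# 3.20171215.1 changelog entry quoted above.
UPDATED = {
    0x000306c3: 0x0023, 0x000306d4: 0x0028, 0x000306f2: 0x003b,
    0x00040651: 0x0021, 0x000406e3: 0x00c2, 0x000406f1: 0xb000025,
    0x00050654: 0x200003a, 0x000506c9: 0x002e, 0x000806e9: 0x007c,
    0x000906e9: 0x007c,
}

# Constructed sample of one /proc/cpuinfo stanza (not captured from a real host).
SAMPLE = ("processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
          "model\t\t: 60\nstepping\t: 3\nmicrocode\t: 0x22\n")

def cpuid_signature(family, model, stepping):
    """Rebuild the CPUID(1).EAX signature from /proc/cpuinfo's decoded fields."""
    base_family = min(family, 15)
    ext_family = family - base_family
    # The extended model bits are only defined for base family 6 and 15.
    ext_model = model >> 4 if base_family in (6, 15) else 0
    return (ext_family << 20 | ext_model << 16 | base_family << 8
            | (model & 0xF) << 4 | stepping)

def check_cpuinfo(text):
    """Return (signature, running_rev, listed_rev, status) per logical CPU."""
    results = []
    for stanza in text.strip().split("\n\n"):
        f = dict(re.findall(r"^(.*?)[ \t]*:[ \t]*(.*)$", stanza, re.M))
        if f.get("vendor_id") != "GenuineIntel":
            continue  # the package above only carries Intel microcode
        sig = cpuid_signature(int(f["cpu family"]), int(f["model"]), int(f["stepping"]))
        running = int(f["microcode"], 16) if "microcode" in f else None
        listed = UPDATED.get(sig)
        if listed is None:
            status = "not-listed"   # this changelog entry has no update for the CPU
        elif running is None:
            status = "unknown"      # microcode field absent from /proc/cpuinfo
        else:
            status = "ok" if running >= listed else "outdated"
        results.append((sig, running, listed, status))
    return results

if __name__ == "__main__":
    p = Path("/proc/cpuinfo")
    src = p.read_text() if p.exists() else SAMPLE
    for sig, running, listed, status in check_cpuinfo(src):
        print(f"sig {sig:#010x}: microcode {status}")
```

An "outdated" result after the upgrade usually means the system has not been rebooted yet or the intel-microcode package is not installed.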