Server Audit: MDS Bug Detect by kernel journalctl

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Server Audit: MDS Bug Detect by kernel journalctl

Postby Leckbush » Wed Jul 03, 2019 3:29 pm

Hi, Im just auditing and viewing some logs on the server for possible threats.

Upon running the command for debugging kernel log:
Code: Select all
jounalctl -p notice -b


I found this line:
Code: Select all
Jul 03 12:33:26 (Hidden) kernel: MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.


I follow the link and found some information about. (YES IM AWARE OF THE RECENT NEW SPECTRE EXPLOIT). When I'm reading this, mitigation was recommended there, updating the microcode for the CPU from Intel. Open SuSE said that its provided on their package "ucode-intel" or "microcode_ctl". They also recommending turning off the hyper threading to mitigate shared cache on HT. Should I?

Here's the link for the SuSE CVE:
https://www.kernel.org/doc/html/latest/ ... n/mds.html
https://www.suse.com/support/kb/doc/?id=7023736

My question is how do I implement this? this microcode update (buffer / port flush feature) and other eles

Current Operation on company is:
5 Agent doing manual dial (sometimes predictive)

Current CPU: i74790 4C/8T

Thanks in advance!
Server 1: ViciBox v.8.1.2 181002 | Single Machine | VERSION: 2.14-580c BUILD: 190406-1615| Asterisk 13.21.1-vici
i7-4790K - 16GB DDR3 - 1TB HDD
Leckbush
 
Posts: 126
Joined: Sat May 12, 2018 6:35 pm
Location: Philippines

Re: Server Audit: MDS Bug Detect by kernel journalctl

Postby Leckbush » Wed Jul 03, 2019 3:41 pm

OTHER INFO:

Upon checking:
Code: Select all
nano /sys/devices/system/cpu/vulnerabilities/mds


Current Line is:
Code: Select all
Mitigation: Clear CPU buffers; SMT vulnerable


So reading deep through the kernel provided link (https://www.kernel.org/doc/html/latest/ ... n/mds.html) The CPU already has the microcode and Mitigation for it is already there, Am I right?

In concern to SMT, documentation said there:
"The kernel does not by default enforce the disabling of SMT, which leaves SMT systems vulnerable when running untrusted code. The same rationale as for L1TF applies."

SMT is default enable on kernel, should I disable it? or leave it enable? should I full mitigate the MDS vulnerability on Kernel Command Line by running this:

Code: Select all
mds=full,nosmt

Which means full mitigation.
Server 1: ViciBox v.8.1.2 181002 | Single Machine | VERSION: 2.14-580c BUILD: 190406-1615| Asterisk 13.21.1-vici
i7-4790K - 16GB DDR3 - 1TB HDD
Leckbush
 
Posts: 126
Joined: Sat May 12, 2018 6:35 pm
Location: Philippines

Re: Server Audit: MDS Bug Detect by kernel journalctl

Postby williamconley » Wed Jul 03, 2019 4:45 pm

Attacks against the MDS vulnerabilities can be mounted from malicious non priviledged user space applications running on hosts or guest.


Let me get this straight: You allow applications from third parties to run on your Vicidial server in user space? Why?
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Server Audit: MDS Bug Detect by kernel journalctl

Postby Leckbush » Thu Jul 04, 2019 11:46 am

No I'm not. No third party are running on vicidial server. If you mean is if there is any services I install third party to the OS. Our server is full vanilla. No addons or anything.
Server 1: ViciBox v.8.1.2 181002 | Single Machine | VERSION: 2.14-580c BUILD: 190406-1615| Asterisk 13.21.1-vici
i7-4790K - 16GB DDR3 - 1TB HDD
Leckbush
 
Posts: 126
Joined: Sat May 12, 2018 6:35 pm
Location: Philippines

Re: Server Audit: MDS Bug Detect by kernel journalctl

Postby williamconley » Tue Jul 09, 2019 11:52 pm

In that case, this exploit is unrelated to your server.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)


Return to Support

Who is online

Users browsing this forum: Bing [Bot] and 109 guests