Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Canonical
on 14 August 2018

Ubuntu updates for L1 Terminal Fault vulnerabilities


  • For up-to-date patch, package, and USN links, please click here

Today Intel announced a new side channel vulnerability known as L1 Terminal Fault. Raoul Strackx, Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and researchers from Intel discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that’s executing on the CPU core. Processors from other vendors are not known to be affected by L1TF.

Three CVEs have been assigned to this issue:

* CVE-2018-3615 for Intel Software Guard Extensions (Intel SGX)

* CVE-2018-3620 for operating systems and System Management Mode (SMM)

* CVE-2018-3646 for impacts to virtualization

For technical details regarding this issue, please refer to the L1TF KnowledgeBase articlethe Linux kernel documentation, and the L1TF Mitigation guidance published by Intel.

Hardware OEMs are releasing BIOS updates containing the updated Intel microcode. Check with your OEM’s website to see if a BIOS update is available for your machine. Ubuntu updates for the intel-microcode package are also being made available. Microcode updates are not required for this issue due to a software fallback mode present in the Ubuntu kernel updates.

Kernel updates are being released for the following supported Ubuntu series:

    • 18.04 LTS (Bionic)
    • 16.04 LTS (Xenial)
    • 14.04 LTS (Trusty)
  • 12.04 ESM (Precise)

Optimised kernels based on any of the above series were also released, including linux-aws, linux-azure, linux-gcp, and hardware enablement kernels. Updated cloud images have also been built and published to ensure a consistent Ubuntu experience.

Updated Ubuntu kernels have the ability to report how the system is currently affected by L1TF. To check your system, read the contents of the

/sys/devices/system/cpu/vulnerabilities/l1tf

file. You must apply kernel updates and reboot if the file does not exist as that indicates that your kernel does not have mitigations in place for L1TF.

Processors that aren’t vulnerable to L1TF will report the following:

$ cat /sys/devices/system/cpu/vulnerabilities/l1tf

Not affected

The file will contain the following contents for processors that do not support Intel Hyper-Threading or where Hyper-Threading has been disabled:

$ cat /sys/devices/system/cpu/vulnerabilities/l1tf

Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled

Processors that have Hyper-Threading support enabled will indicate that SMT is vulnerable when used in conjunction with Intel Virtualization Technology (VMX):

$ cat /sys/devices/system/cpu/vulnerabilities/l1tf

Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable

Intel processors that lack VMX support will not report VMX status:

$ cat /sys/devices/system/cpu/vulnerabilities/l1tf

Mitigation: PTE Inversion

We recommend that you apply available updates at your earliest convenience. We encourage Ubuntu users who seek more information to contact an Ubuntu Advantage support representative for an in-depth discussion relative to your use cases.

Related posts


eslerm
19 November 2024

Needrestart local privilege escalation vulnerability fixes available

Ubuntu Article

Qualys discovered vulnerabilities which allow a local attacker to gain root privileges in the needrestart package (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, and CVE-2024-11003) and a related issue in libmodule-scandeps-perl (CVE-2024-10224). The vulnerabilities affect Debian, Ubuntu and other Linux distributions. Canonical’s securit ...


Luci Stanescu
26 September 2024

CUPS Remote Code Execution Vulnerability Fix Available

Ubuntu Article

Four CVE IDs have been assigned that together form an high-impact exploit chain surrounding CUPS: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177. Canonical’s security team has released updates for the cups-browsed, cups-filters, libcupsfilters and libppd packages for all supported Ubuntu LTS releases. The updates remedi ...


Diogo Sousa
21 August 2024

How Ubuntu keeps you secure with KEV prioritisation

Security Article

The Known Exploited Vulnerabilities Catalog (KEV) is a database published by the US Cybersecurity and Infrastructure Security Agency (CISA) that serves as a reference to help organisations better manage vulnerabilities and keep pace with threat activity.By having a commitment to prioritise vulnerabilities contained in the KEV, Ubuntu is p ...