CloudLinux OS Blog - MDS: We’re on the case

MDS: We’re on the case

You may have heard the news about the latest Intel CPU vulnerability, MDS, or more popularly, Zombieload. We have too, and we're working on releases for CloudLinux OS 6 & 7. We'll release them to Beta today, Stable tomorrow.

The vulnerability is similar to Meltdown and Spectre, in that it involves the exploitation of speculative execution features in Intel CPUs, specifically using a technique known as Microarchitectural Data Sampling. It affects Intel Xeon and Core CPUs going back to 2011, but was only discovered recently.

Follow our blog for instructions on applying the latest updates against this vulnerability. More information about MDS can be found in the latest blog post from the KernelCare team.

Comments 16

Guest - Jonathan on Wednesday, 15 May 2019 17:24

Will the patches be coming to CL kernel via kernelcare?

Kateryna Obiidykhata on Wednesday, 15 May 2019 17:39

Hello Jonathan,
the patches will be delivered as a regular kernel update in the beta version, today. Regarding the KernelCare patches for the other popular distributions, the ETA is Friday.

Eric on Wednesday, 15 May 2019 19:26

Hope this doesn't include another performance hit. At this rate, we'll need supercomputers to keep up with the overhead of these patches. For lights-out servers, I often wonder how vulnerable our machines really are, and whether these patches are necessary in a server-only configuration.

Inessa Atmachian on Thursday, 16 May 2019 13:28

Hi Eric,

We do not have reports about a performance hit.

Regarding vulnerability estimation, you can check the content of the /sys/devices/system/cpu/vulnerabilities/mds file (for Intel processors).

The possible values in this file are:

‘Not affected’: The processor is not vulnerable.

‘Vulnerable’: The processor is vulnerable, but no mitigation is enabled.

‘Vulnerable: Clear CPU buffers attempted’: The processor is vulnerable but the microcode is not updated. The mitigation is enabled on a best-effort basis. See :ref:`vmwerv`

‘Mitigation: CPU buffer clear’: The processor is vulnerable and the CPU buffer clearing mitigation is enabled.

Guest - Tommy on Friday, 17 May 2019 01:32

For a normal cpanel server running on a dedicated hardware, should I still disable hyperthreading?

Inessa Atmachian on Friday, 17 May 2019 07:46

Hi Tommy,

Until a kernel update, it is necessary; after it, it is possible. The CPU bug allows reading data between CPU threads, so it affects both HW and VMs. Therefore, switched-on HT for VMs is an additional possibility to attack an application on a different VM.

Guest - Tommy on Friday, 17 May 2019 08:21

Is a normal CloudLinux server with CageFS affected, with hyperthreading active, after we have done the microcode update and kernel update?

Inessa Atmachian on Friday, 17 May 2019 09:29

If you've already updated your kernel with our latest patch (CloudLinux 6 -- https://www.cloudlinux.com/cloudlinux-os-blog/entry/cloudlinux-6-kernel-is-available-with-a-fix-for-mds-vulnerability, CloudLinux 7 -- https://www.cloudlinux.com/cloudlinux-os-blog/entry/loudlinux-7-and-cloudlinux-6-hybrid-kernel-is-available-with-a-fix-for-mds-vulnerability) and you have CageFS activated and Hyperthreading enabled, your server is not affected by the MDS vulnerability, but can be open to other, yet undiscovered vulnerabilities.

You can perform MDS vulnerability diagnosis by running

/sys/devices/system/cpu/vulnerabilities/mds

Please note that CageFS can prevent filesystem attacks, but MDS is a memory attack.

Guest - Jeff on Friday, 17 May 2019 16:27

On multiple E3 and E5 cpu servers, there seems to be a problem with microcode_ctl.

Yum log shows
May 16 02:23:26 Updated: 2:microcode_ctl-1.17-33.11.el6_10.x86_64

Server rebooted after microcode update and new kernel installed

DMESG reports
MDS: Vulnerable: Clear CPU buffers attempted, no microcode

https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf says "Production" for cpus in question

Redhat comment said "The microcode_clt package has been supplied straight from Intel to us. It has the most currently publicly available updates from them (newer updates are planned for additional CPUs over the coming days/weeks, and we'll reissue package accordingly). "
https://access.redhat.com/security/vulnerabilities/mds

Help:

Why is the microcode_ctl not matching the latest intel guidance pdf?

Guest - MDS on Friday, 17 May 2019 18:50

[email protected] ~]# cat /sys/devices/system/cpu/vulnerabilities/mds
cat: /sys/devices/system/cpu/vulnerabilities/mds: No such file or directory

The system kernel is up-to-date at version “3.10.0-962.3.2.lve1.5.25.6.el7”.

Intel(R) Xeon(R) CPU E5-2420 0

Thanks

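The sysfs check that Inessa describes above, together with the "No such file or directory" case in this comment, as one added shell example. This is not CloudLinux's or the kernel's own tooling; it assumes the entry reports the values listed in the thread, with the kernel's "; SMT ..." suffix appended (the match on "Mitigation:" is a prefix match, so it does not depend on the exact wording after the colon), and the sample files it reads are constructed here for the demo. A missing entry is deliberately reported as "unknown" rather than as safe: a kernel that does not expose the file has no MDS code at all, which is the situation in the comment above.

```shell
#!/bin/sh
# Added example, not CloudLinux's own code: read the kernel's MDS sysfs entry
# and turn it into a status a monitoring script can act on. The value strings
# follow the kernel's mds sysfs documentation quoted in the thread; the
# "file missing" branch covers kernels that predate MDS support entirely.

MDS_SYSFS="/sys/devices/system/cpu/vulnerabilities/mds"

# mds_classify FILE
#   prints: not-affected | mitigated | partial | vulnerable | unknown
#   returns 0 when nothing remains to do, 1/2 when exposed, 3 when undecidable
mds_classify() {
    _file="$1"
    if [ ! -r "$_file" ]; then
        # No sysfs entry: the running kernel has no MDS code at all, so it
        # cannot be mitigated. Treat as "update the kernel", not "not affected".
        echo "unknown"
        return 3
    fi
    _status=$(cat "$_file")
    case "$_status" in
        "Not affected"*)
            echo "not-affected"; return 0 ;;
        "Mitigation:"*)
            # Kernel and microcode both in place; SMT state is reported separately
            echo "mitigated"; return 0 ;;
        "Vulnerable: Clear CPU buffers attempted"*)
            # Kernel patched but microcode missing (the dmesg line Jeff posted)
            echo "partial"; return 2 ;;
        "Vulnerable"*)
            echo "vulnerable"; return 1 ;;
        *)
            echo "unknown"; return 3 ;;
    esac
}

# mds_smt_state FILE
#   prints the "; SMT ..." suffix the kernel appends (e.g. "vulnerable",
#   "disabled", "mitigated"), or "n/a" when the entry has no SMT field.
mds_smt_state() {
    _file="$1"
    [ -r "$_file" ] || { echo "n/a"; return 0; }
    case "$(cat "$_file")" in
        *"; SMT "*) sed 's/.*; SMT //' "$_file" ;;
        *)          echo "n/a" ;;
    esac
}

# --- demo on constructed sample files (contents modelled on the kernel format) ---
demo_dir=$(mktemp -d)
printf 'Not affected\n' > "$demo_dir/not_affected"
printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$demo_dir/mitigated_smt_on"
printf 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n' > "$demo_dir/no_microcode"
printf 'Vulnerable\n' > "$demo_dir/vulnerable"

# The last path does not exist, which reproduces the "No such file" case above
for f in "$demo_dir"/* "$demo_dir/missing_on_old_kernel"; do
    printf '%-24s %-13s SMT=%s\n' "$(basename "$f")" "$(mds_classify "$f")" "$(mds_smt_state "$f")"
done
rm -rf "$demo_dir"

# Live check of this host, only if the running kernel exposes the entry
if [ -r "$MDS_SYSFS" ]; then
    printf 'this host: %s (SMT=%s)\n' "$(mds_classify "$MDS_SYSFS")" "$(mds_smt_state "$MDS_SYSFS")"
fi
```

The return codes let the function drop straight into a cron job or a configuration-management check: anything other than 0 means the host still needs a kernel update, a microcode update, or a decision about SMT, and the SMT field is the one to look at when answering Tommy's hyperthreading question for a given box.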