CloudLinux - CloudLinux Blog - MDS: We’re on the case

MDS: We’re on the case

You may have heard the news about the latest Intel CPU vulnerability, MDS, or more popularly, Zombieload. We have too, and we're working on releases for CloudLinux OS 6 & 7. We'll release them to Beta today, Stable tomorrow.

The vulnerability is similar to Meltdown and Spectre, in that it involves the exploitation of speculative execution features in Intel CPUs, specifically using a technique known as Microarchitectural Data Sampling. It affects Intel Xeon and Core CPUs going back to 2011, but was only discovered recently.

Follow our blog for the instructions on how to apply the latest updates against this vulnerability. More information about MDS can be found in the latest blog post from the KernelCare team.

Comments 16

Guest - Jonathan on Wednesday, 15 May 2019 17:24

Will the patches be coming to CL kernel via kernelcare?

Kateryna Obiidykhata on Wednesday, 15 May 2019 17:39

Hello Jonathan,
The patches will be delivered as a regular kernel update in the beta version today. Regarding the KernelCare patches for the other popular distributions, the ETA is Friday.

Eric on Wednesday, 15 May 2019 19:26

Hope this doesn't include another performance hit. At this rate, we'll need supercomputers to keep up with overhead of these patches. For lights out servers, I often wonder how vulnerable our machines really are and are these patches necessary in a server-only configuration?

Inessa Atmachian on Thursday, 16 May 2019 13:28

Hi Eric,

We do not have reports about a performance hit.

Regarding vulnerability estimation, you can check the content of the /sys/devices/system/cpu/vulnerabilities/mds file (for Intel processors).

The possible values in this file are:

- ‘Not affected’: the processor is not vulnerable.
- ‘Vulnerable’: the processor is vulnerable, but no mitigation is enabled.
- ‘Vulnerable: Clear CPU buffers attempted’: the processor is vulnerable but the microcode is not updated. The mitigation is enabled on a best-effort basis. See :ref:`vmwerv`.
- ‘Mitigation: CPU buffer clear’: the processor is vulnerable and the CPU buffer clearing mitigation is enabled.

Guest - Tommy on Friday, 17 May 2019 01:32

For a normal cPanel server running on dedicated hardware, should I still disable hyperthreading?

Inessa Atmachian on Friday, 17 May 2019 07:46

Hi Tommy,

Until the kernel update it is necessary; after it, it is possible. The CPU bug allows reading data between CPU threads, so it affects both HW and VMs. Therefore, switched-on HT for a VM is an additional possibility to attack an application on a different VM.

Guest - Tommy on Friday, 17 May 2019 08:21

Is a normal CloudLinux server with CageFS affected with hyperthreading active after we have done the microcode update and kernel update?

Inessa Atmachian on Friday, 17 May 2019 09:29

If you've already updated your kernel with our latest patch (CloudLinux 6 -- https://www.cloudlinux.com/cloudlinux-os-blog/entry/cloudlinux-6-kernel-is-available-with-a-fix-for-mds-vulnerability, CloudLinux 7 -- https://www.cloudlinux.com/cloudlinux-os-blog/entry/loudlinux-7-and-cloudlinux-6-hybrid-kernel-is-available-with-a-fix-for-mds-vulnerability) and you have CageFS activated and Hyperthreading enabled, your server is not affected by the MDS vulnerability, but it can be open to other vulnerabilities not discovered yet.

You can perform MDS vulnerability diagnosis by running

/sys/devices/system/cpu/vulnerabilities/mds

Please note that CageFS can prevent filesystem attacks, but MDS is a memory attack.

Guest - Jeff on Friday, 17 May 2019 16:27

On multiple E3 and E5 cpu servers, there seems to be a problem with microcode_ctl.

Yum log shows
May 16 02:23:26 Updated: 2:microcode_ctl-1.17-33.11.el6_10.x86_64

Server rebooted after microcode update and new kernel installed

DMESG reports
MDS: Vulnerable: Clear CPU buffers attempted, no microcode

https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf says "Production" for cpus in question

Redhat comment said "The microcode_clt package has been supplied straight from Intel to us. It has the most currently publicly available updates from them (newer updates are planned for additional CPUs over the coming days/weeks, and we'll reissue package accordingly)."
https://access.redhat.com/security/vulnerabilities/mds

Help:

Why is the microcode_ctl not matching the latest intel guidance pdf?

Guest - MDS on Friday, 17 May 2019 18:50

# cat /sys/devices/system/cpu/vulnerabilities/mds
cat: /sys/devices/system/cpu/vulnerabilities/mds: No such file or directory

The system kernel is up-to-date at version “3.10.0-962.3.2.lve1.5.25.6.el7”.

Intel(R) Xeon(R) CPU E5-2420 0

Thanks

Ivan Zhmud on Friday, 17 May 2019 22:19

You should install the latest patched kernel 3.10.0-962.3.2.lve1.5.25.8:
https://www.cloudlinux.com/cloudlinux-os-blog/entry/cloudlinux-7-and-cloudlinux-6-hybrid-kernel-is-available-with-a-fix-for-mds-vulnerability
The checker /sys/devices/system/cpu/vulnerabilities/mds will exist then.

Ivan Zhmud on Friday, 17 May 2019 22:35

Hello, Jeff.
Could you provide full CPU id string to check an update?
Thanks in advance!

Fabian Marsiglione on Monday, 03 June 2019 17:33

Hello

After the last kernel was installed, running: cat /sys/devices/system/cpu/vulnerabilities/mds

I get: Mitigation: Clear CPU buffers; SMT vulnerable

What does it mean? Apparently it is still vulnerable?

Thanks

Igor Seletskiy on Monday, 03 June 2019 17:48

Hello Fabian,

To fully mitigate MDS, you have to disable SMT (hyperthreading). This message means that you haven't disabled SMT/hyperthreading yet.

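As an added example that is not part of the original post, the comments, or CloudLinux's tooling, the following POSIX shell script reads the sysfs file described in Inessa's comment above and maps each status string, including the "SMT vulnerable" suffix Igor explains, to the next action an administrator should take (update the kernel, update the microcode, or disable SMT). It assumes the status wording of upstream Linux: the values quoted in the comments plus the "; SMT ..." suffix from arch/x86/kernel/cpu/bugs.c. The action keywords are invented for this example, and the sample values fed to the classifier at the end are constructed so that every branch runs even on a host that has no such sysfs file.

```shell
#!/bin/sh
# Added example (not CloudLinux's code): read and interpret the MDS status that a
# patched kernel exposes in sysfs, and turn it into the next admin action.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# Print the status string from PATH (default: the real sysfs file). A kernel that
# predates the MDS patch has no such file, so "missing" is reported instead of
# letting cat fail.
read_mds_status() {
    path="${1:-$MDS_SYSFS}"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo "missing"
    fi
}

# Map one status string to an action keyword. Patterns are ordered from most to
# least specific because case takes the first match. The "; SMT ..." suffix is
# the kernel's report of hyperthreading state (assumption: suffix wording taken
# from upstream arch/x86/kernel/cpu/bugs.c; action names are invented here).
classify_mds() {
    case "$1" in
        missing)
            echo "update-kernel" ;;                 # no MDS support in this kernel
        "Not affected")
            echo "ok" ;;
        "Vulnerable: Clear CPU buffers attempted"*)
            echo "update-microcode" ;;              # kernel patched, microcode not
        Vulnerable*)
            echo "enable-mitigation" ;;             # mitigation switched off (e.g. mds=off)
        "Mitigation: Clear CPU buffers; SMT vulnerable")
            echo "disable-smt" ;;                   # buffers cleared, sibling threads still share state
        "Mitigation: Clear CPU buffers; SMT Host state unknown")
            echo "check-hypervisor" ;;              # a guest cannot see the host's SMT state
        "Mitigation: Clear CPU buffers"*)
            echo "ok" ;;                            # SMT disabled or mitigated
        *)
            echo "unknown" ;;
    esac
}

# Live check of this host, then a walk through constructed sample values so the
# script demonstrates every branch even on a machine without the sysfs file.
live=$(read_mds_status)
echo "this host: '$live' -> $(classify_mds "$live")"

for sample in "Not affected" \
              "Vulnerable: Clear CPU buffers attempted, no microcode" \
              "Mitigation: Clear CPU buffers; SMT vulnerable" \
              "Mitigation: Clear CPU buffers; SMT disabled" \
              "missing"; do
    echo "sample:    '$sample' -> $(classify_mds "$sample")"
done
```

Run it as root on the server in question; the first line reports the live host and the rest show how each documented value is classified. On the kernel a later commenter reports ("Mitigation: Clear CPU buffers; SMT vulnerable") the result is "disable-smt", which matches Igor's reply that SMT must be disabled for full mitigation.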
Fabian Marsiglione on Monday, 03 June 2019 18:15

Thanks Igor!

Is there a simple tutorial to disable hyperthreading? Can it affect the server performance?

I see this tutorial: https://www.golinuxhub.com/2018/01/how-to-disable-or-enable-hyper.html
Can it be done in CentOS 7 with CL 7?

Thanks
Fabian

Ivan Zhmud on Tuesday, 04 June 2019 11:36

Hello Fabian.
We described the performance impact and how to disable HT in the article https://www.cloudlinux.com/cloudlinux-os-blog/entry/let-us-subject-mds-vulnerability-to-the-glare-of-truth-1
You can find much useful information about your question there.
