Are There Vulnerabilities. using most recent kernel?
- This topic has 2 replies, 3 voices, and was last updated Apr 6-10:46 am by caprea.
April 5, 2022 at 3:22 pm #80691 Member
Robin
Title: edited for clarity on user request.
Just updated antiX-19.3_386-full on frugal install again after restoring the system from an older backup to the most recent kernel and did a complete system upgrade. When looking into the system info I feel somewhat uneasy now:
CPU:
  Info: Single Core model: Intel Pentium M bits: 32 type: MCP arch: M Dothan family: 6 model-id: D (13) stepping: 8 microcode: 20 cache: L2: 2 MiB bogomips: 1596
  Speed: 800 MHz min/max: 800/1733 MHz Core speed (MHz): 1: 800
  Flags: acpi apic bts clflush cmov cpuid cx8 de dts est fpu fxsr mca mce mmx msr mtrr nx pae pbe pge pse pti sep ss sse sse2 tm tm2 tsc vme
  Vulnerabilities:
  Type: itlb_multihit status: KVM: Vulnerable
  Type: l1tf mitigation: PTE Inversion
  Type: mds status: Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
  Type: meltdown mitigation: PTI
  Type: spec_store_bypass status: Vulnerable
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization
  Type: spectre_v2 mitigation: Full generic retpoline, STIBP: disabled, RSB filling
  Type: srbds status: Not affected
  Type: tsx_async_abort status: Not affected

So there are 3 severe vulnerabilities left, if I read this output correctly.

  Type: itlb_multihit status: KVM: Vulnerable
  Type: mds status: Vulnerable
  Type: spec_store_bypass status: Vulnerable

The intel microcode installed seems to be most recent version available:

  $ apt-cache policy intel-microcode
  intel-microcode:
    Installiert: 3.20220207.1~deb10u1
    Installationskandidat: 3.20220207.1~deb10u1
    Versionstabelle:
   *** 3.20220207.1~deb10u1 100
          100 /var/lib/dpkg/status

Did I miss the correct kernel update to be safe from the vulnerabilities?

  Kernel: 4.19.0-222-antix.1-686-smp-pae i686 bits: 32 compiler: gcc v: 8.3.0

Or is this specific kernel not completely patched against these three types of vulnerability? Should I install a different one?
- This topic was modified 1 year, 1 month ago by ModdIt.
Windows is like a submarine. Open a window and serious problems will start.
April 6, 2022 at 9:49 am #80725 Member
ModdIt
Hi Robin,
I guess the question is more than forum members can answer or are as unsure as I am.
You can find info and how to mitigate for first two on kernel org, the third one seems somewhat more complex,
if your initread was renewed as it should be after a kernel update and error stays same there are some boot parameter
which can be added, but really slow down the system.
If you do not allow others access to your system, ensure UFW blocks incoming connections, exception to an internal IP,
wherever possible keep java disabled when browsing it seems you need not worry much.
I am not even sure if such an old processor receives microcode.
Best info I found on third vulnerability was at Buntu security.
https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
https://www.kernel.org/doc/html/v5.3/admin-guide/hw-vuln/mds.html
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4

April 6, 2022 at 10:46 am #80727 Moderator
caprea
You can also install the spectre-meltdown-checker
which gives a somehow much clearer result.
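
Added example, not part of any post in this thread: a POSIX shell function that reads the kernel's per-issue status files under /sys/devices/system/cpu/vulnerabilities and sorts them into OK, MITIGATED and VULNERABLE. The function names and the sample files are constructed here; the sample contents are rewritten from the inxi output quoted in the first post, assuming the kernel's own "Mitigation:" spelling.

```shell
#!/bin/sh
# Added example: classify the kernel's per-issue CPU vulnerability status.

# vuln_report [DIR]: print one line per issue, return 1 if any needs attention.
vuln_report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=""
        IFS= read -r status < "$f" || true   # files may lack a trailing newline
        case $status in
            "Not affected"*) class=OK ;;
            # Match anywhere: itlb_multihit reports "KVM: Vulnerable", which a
            # check for a leading "Vulnerable" would miss.
            *Vulnerable*)    class=VULNERABLE; rc=1 ;;
            *Mitigation*)    class=MITIGATED ;;
            *)               class=UNKNOWN; rc=1 ;;
        esac
        printf '%-10s %-18s %s\n' "$class" "${f##*/}" "$status"
    done
    return "$rc"
}

# make_sample DIR: constructed input mirroring the statuses quoted in the thread
# (sysfs spells the prefix "Mitigation: "; inxi shows it as "mitigation:").
make_sample() {
    mkdir -p "$1" || return 1
    while IFS='|' read -r name status; do
        printf '%s\n' "$status" > "$1/$name"
    done <<'EOF'
itlb_multihit|KVM: Vulnerable
l1tf|Mitigation: PTE Inversion
mds|Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
meltdown|Mitigation: PTI
spec_store_bypass|Vulnerable
spectre_v1|Mitigation: usercopy/swapgs barriers and __user pointer sanitization
spectre_v2|Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
srbds|Not affected
tsx_async_abort|Not affected
EOF
}

# vuln_count DIR: number of issues flagged VULNERABLE in DIR.
vuln_count() { vuln_report "$1" | grep -c '^VULNERABLE'; }
```

Calling `vuln_report` with no argument reads the live sysfs directory; its non-zero return makes it usable as a check after a kernel or microcode update.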