Following in the footsteps of Red Hat, Canonical also announced today that it has prepared updates for all of its supported Ubuntu Linux releases to mitigate the latest Intel CPU security vulnerabilities.
As we reported earlier, Intel announced today several new security vulnerabilities affecting several of its CPU microarchitectures and the integrated graphics that ships with them. The vulnerabilities are known as TSX Asynchronous Abort (CVE-2019-11135), Intel Processor Machine Check Error (CVE-2018-12207), and two Intel i915 graphics hardware vulnerabilities (CVE-2019-0155 and CVE-2019-0154).
The first, TSX Asynchronous Abort (TAA), is related to the previously announced MDS (Microarchitectural Data Sampling) vulnerabilities but, as Canonical’s Alex Murray explains, only affects Intel processors that support the Intel Transactional Synchronization Extensions (TSX). On processors that were already affected by MDS, the existing MDS mitigations also mitigate TAA.
“For newer processors which were not affected by MDS, but which support Intel TSX, TAA is mitigated in Ubuntu by a combination of an updated Linux kernel and Intel microcode packages which disable Intel TSX,” said Murray. “Where TSX is required, this can be re-enabled via a kernel command-line option (tsx=on) and in this case, the kernel will automatically employ microarchitectural buffer clearing mechanisms as used for MDS to mitigate TAA.”
The Intel Processor Machine Check Error (MCEPSC) vulnerability, also known as iTLB multihit, is specific to virtualization: it allows a guest virtual machine to cause a denial of service (system hang) on the host when the host maps guest memory with huge pages. Canonical said this vulnerability is mitigated in Ubuntu with an updated Linux kernel.
Keep your Ubuntu systems up to date
The two remaining vulnerabilities affect Intel i915 graphics processors and allow unprivileged users either to elevate their privileges and expose sensitive information from the Linux kernel (CVE-2019-0155), or to cause a denial of service (system hang) (CVE-2019-0154). Canonical mitigates these flaws with a combination of firmware and Linux kernel driver updates for all affected Ubuntu releases.
Canonical recommends that all users update their systems and keep them up to date at all times. Kernel updates are available for Ubuntu 19.10 as linux-image 5.3.0-22.24, for Ubuntu 19.04 as linux-image 5.0.0-35.38, for Ubuntu 18.04 LTS as linux-image 4.15.0-69.78 or the HWE kernel linux-image 5.0.0-35.38~18.04.1, and for Ubuntu 16.04 LTS as linux-image 4.4.0-168.197 or the HWE kernel linux-image 4.15.0-69.78~16.04.1; the updated Intel firmware ships as intel-microcode 3.20191112-0ubuntu. Both the kernel and the microcode update only take effect after a reboot.
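To check which of the mitigations described above (TAA, MDS, iTLB multihit) are actually in effect on a given machine, whether TSX is still exposed to user space, and whether the running kernel is at least one of the patched builds listed above, here is an added POSIX shell example. It was written for this article and is not a Canonical or Intel tool; it reads the kernel's own reports in /sys/devices/system/cpu/vulnerabilities and the CPU flags in /proc/cpuinfo. The function names, the file-path parameters and the VULN_DIR and FIXED_KERNEL variables are this example's own, and its version comparison works on the Ubuntu kernel ABI number, which assumes the fix shipped with a new ABI number (the usual case for Ubuntu kernel security updates).

```shell
#!/bin/sh
# Added example, not Canonical's or Intel's tooling. Reports the kernel's
# view of the TAA, MDS and iTLB-multihit mitigations, whether TSX is still
# advertised, and whether the running Ubuntu kernel is at least the patched
# ABI. Paths default to the real sysfs/procfs files; the file parameters
# exist so the functions can also be run on constructed input.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# mitigation_state FILE
# Prints "ok" when the kernel reports the CPU as not affected or mitigated,
# "vulnerable" for any Vulnerable state (including the partial "Clear CPU
# buffers attempted, no microcode" case), and "unknown" when the file is
# absent, i.e. the kernel predates knowledge of the bug.
mitigation_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(cat "$1")" in
        "Not affected"*|Mitigation*|"KVM: Mitigation"*) echo ok ;;
        Vulnerable*|"KVM: Vulnerable"*|"Processor vulnerable"*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# tsx_enabled CPUINFO_FILE
# Returns 0 if the CPU still advertises RTM (TSX) to user space. With the
# new microcode and the default TSX-disabled setting, the rtm and hle flags
# disappear from /proc/cpuinfo; with tsx=on they come back.
tsx_enabled() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]rtm([[:space:]]|$)' "$1" 2>/dev/null
}

# version_key VERSION
# Reduces "5.3.0-22-generic" (uname -r) or "5.3.0-22.24" (package version)
# to four numeric fields, e.g. "5 3 0 22". Anything not of that shape is
# printed unchanged, which kernel_at_least treats as unparsable.
version_key() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+)\.([0-9]+)\.([0-9]+)-([0-9]+).*$/\1 \2 \3 \4/'
}

# kernel_at_least RUNNING FIXED
# Returns 0 if RUNNING is at least FIXED, 1 if older, 2 if either string
# cannot be parsed. uname -r carries the ABI number but not the upload
# number after the dot, so the comparison is on major.minor.patch-ABI.
# Assumption: the fix shipped with a new ABI number.
kernel_at_least() {
    set -- $(version_key "$1") $(version_key "$2")
    [ $# -eq 8 ] || return 2
    # $1..$4 are the running fields, $5..$8 the fixed ones; shifting by one
    # keeps $1 and $5 aligned on the same field.
    while [ $# -gt 4 ]; do
        [ "$1" -gt "$5" ] && return 0
        [ "$1" -lt "$5" ] && return 1
        shift
    done
    return 0
}

# report: human-readable summary for the machine this runs on.
report() {
    for bug in mds tsx_async_abort itlb_multihit; do
        printf '%-18s %s\n' "$bug" "$(mitigation_state "$VULN_DIR/$bug")"
    done
    if tsx_enabled /proc/cpuinfo; then
        echo "TSX: advertised (tsx=on or old microcode); TAA relies on buffer clearing"
    else
        echo "TSX: not advertised (disabled by microcode/kernel, or unsupported CPU)"
    fi
    running=$(uname -r)
    # Default is the patched 19.10 kernel from the article; set FIXED_KERNEL
    # to the version listed for the release actually installed.
    fixed="${FIXED_KERNEL:-5.3.0-22.24}"
    rc=0
    kernel_at_least "$running" "$fixed" || rc=$?
    case $rc in
        0) echo "kernel $running: at or above $fixed" ;;
        1) echo "kernel $running: OLDER than $fixed, update and reboot" ;;
        *) echo "kernel $running: not an Ubuntu-style version, cannot compare" ;;
    esac
}

report
```

The sysfs files are world-readable, so no root is needed. On TSX-capable hardware the expected state after the update is a tsx_async_abort line of "Mitigation: TSX disabled" with no rtm flag; booting with tsx=on instead yields "Mitigation: Clear CPU buffers", which the script still reports as ok. An itlb_multihit line of "KVM: Mitigation: Split huge pages" shows the kernel-side MCEPSC mitigation is active. Nothing in these files changes until the system has been rebooted into the new kernel and microcode.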