Meltdown and Specter: When an entire Red Hat does back…


Red Hat released updates that reinstate previous Spectre Vulnerability patches (Variant 2, also known as CVE-2017-5715) when the company's customers reported that some systems failed to boot.

"Red Hat no longer provides microcodes to deal with Specter, in variant 2, because of the unbalanced factors that have created and are causing our clients' systems to start up." the company said.

Instead of updating, Red Hat recommends that each customer contact the OEM hardware provider to repair the CVE-2017-5715 vulnerability by system.Red Hat

In addition to Red Hat Enterprise Linux distribution, other RHEL-based distributions, such as CentOS and Scientific Linux, will be affected by Red Hat's decision to reinstate previous updates for Specter Variant 2. So anyone using RHEL and distribution forks should also contact the CPU / OEM vendors.

Remember that CVE-2017-5715 is the identification number for one of the three errors known as Meltdown (CVE-2017-5754) and Specter (Variant 1 - CVE-2017-5753, but also Variant 2 - CVE-2017- 5715).

Most experts reported that only Meltdown and 1 Specter Variant could theoretically be addressed through an updated version of the OS, but Specter Variant 2 requires parallel updates to the firmware / BIOS / microcode to be fully repaired.

As we have said to you previous publication, Werner Haas, a Cyberus Technology spokesman and member of one of the three independent groups that discovered and reported Meltdown, said that achieving total protection against Specter is not simple and probably involves an "ongoing process" with corrections to software and hardware modifications.

"The Specter scenario is not that simple, as cross-application attacks are unlikely without even OS participation," said Haas.

"Therefore, a general solution like Meltdown seems unlikely. Therefore, I expect combined repairs to hardware / software defects along with the warning that the fight against Spectre will be an ongoing process. "

The Specter repair process is complex and difficult for all hardware and software vendors. So the withdrawal of updates from Red Hat and the company's patching proposal from CPU makers and OEMs is no surprise.

Microsoft had to stop developing Specter updates on AMD computers after they encountered similar problems that prevented PCs from booting. The company released these updates much later after working with AMD to troubleshoot.

Intel faces the same problems in older Broadwell and Haswell processors.

Let us mention that immediately after the announcement of the vulnerabilities CERT announced that the only way to repair Meltdown and Spectre was to replace the CPU.

"The underlying vulnerability is mainly driven by CPU architecture design choices," CERT researchers wrote. "The complete removal of the vulnerability requires the replacement of the vulnerable CPU."

A little later, and without knowing who was playing under the table, CERT recalled, and an Intel representative Agnes Kwan said: "CERT updated the vulnerability note to correct some inaccuracies."

Of course, we would not expect Intel to declare anything different, since the CERT report's assumption would cause strong turbulence in the company, with the corresponding cost.

 

Registration in iGuRu.gr via Email

Enter your email to subscribe to the email notification service for new posts.


Read them Technology News from all over the world, with the validity of iGuRu.gr

Follow us on Google News iGuRu.gr at Google news