
Regarding MDS (ZombieLoad) vulnerability

DBoob
Beginner
2,150 Views

We’ve recently updated the kernel patch and then ran the vulnerability scan, but it's showing the message below.

We already engaged Red Hat, but they are suggesting that we contact hardware support.

 

Please check and advise us.

 

Message :

 

This script (v1.0) is primarily designed to detect

CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, and CVE-2019-11091

on supported Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

 

Detected CPU vendor: Intel

CPU: Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz

CPU model: 45 (0x2d)

Running kernel: 3.10.0-957.21.2.el7.x86_64

Architecture: x86_64

Virtualization: vmware

 

Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown

 

* CPU microcode update is not detected

 

OS details :

 

[root@XXXXX tmp]# cat /etc/redhat-release

Red Hat Enterprise Linux Server release 7.4 (Maipo)

[root@XXXXX tmp]# uname -a

Linux XXXX 3.10.0-957.21.2.el7.x86_64 #1 SMP Tue May 28 09:26:43 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[root@fgtd-learn-rhel74-app001 tmp]#

 

 

Redhat response :

 

Hello,

 

Per your sosreport we see that your processor is listed as:

$ cat /proc/cpuinfo

model name   : Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz

stepping    : 2

Per Intel's website, more information regarding your processor:

https://ark.intel.com/content/www/us/en/ark/products/64584/intel-xeon-processor-e5-2660-20m-cache-2-20-ghz-8-00-gt-s-intel-qpi.html

This is listed as:

Product Collection Intel® Xeon® Processor E5 Family

Code Name Products formerly Sandy Bridge EP 

As per the following KCS Article:

Is CPU microcode available to address MDS (ZombieLoad) CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 via the microcode_ctl package? 

https://access.redhat.com/articles/4138151

Red Hat does not provide microcode for this CPU Model + stepping combination. While the article does list multiple E5-2660 models and Sandy Bridge, none of them correlate with the stepping or architecture that matches. You may need to obtain a microcode update from Intel for this processor.

Just a note: I did check your microcode_ctl package to verify it is up to date, unfortunately as previously mentioned, our microcode_ctl package does not cover your CPU.

Generally Red Hat provides microcode on a best effort basis. While the following CVE does not pertain to this case, the information regarding Red Hat's microcode still applies:

Is CPU microcode available to address CVE-2017-5715 via the microcode_ctl package?

https://access.redhat.com/articles/3436091

The relevant information in the article is as follows:

"Historically, Red Hat has provided updated microcode, developed by our microprocessor partners, as a customer convenience. Red Hat temporarily suspended this practice in January 2018 while microcode stabilized.

Red Hat is once again providing an updated Intel microcode package, microcode_ctl, and AMD microcode package, linux-firmware, to customers in order to simplify deployment processes and minimize downtime.

Red Hat will continue to update these microcode packages as necessary. Please contact your hardware vendor to determine whether more recent BIOS/firmware updates are recommended, as additional improvements may be available."

As microcode is provided as a convenience, unfortunately there are no ETAs on if/when we will receive microcode for your specific processor. This is yet another reason why we suggest checking with your vendor for updated microcode. Although we may package microcode, it can also be outdated by what the vendor may have available.

Please let me know if you have any additional questions or concerns regarding anything stated here.

0 Kudos
1 Solution
SergioS_Intel
Moderator
1,446 Views
Hello DBoob,

In regards to SA-00233, there is a guide for the microcode update posted here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf

The update shows Sandy Bridge Server EN/EP/EP4S as Production Status: Planned, and it is in a TBA (To Be Announced) state. The SA was last revised on 06/17/2019.

Our recommendation would be keeping an eye on the SA website: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

Or contacting us in the future for updates.

Best regards,

Sergio S.

Intel Customer Support Technician

Under Contract to Intel Corporation

0 Kudos
6 Replies
SergioS_Intel
Moderator
1,446 Views
Hello DBoob,

Thank you for contacting Intel Customer Support.

When it comes to microcode updates, there are two ways of getting them:

One: OS vendor (Red Hat in this case obtains the microcode from Intel directly and pushes it via OS updates)

Two: BIOS update (board vendor)

The latest microcode updates for a manual push on a Linux OS can be obtained from GitHub: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

There is also a document with the microcode update guide here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf

This shows the planned microcode updates for the different processors Intel manufactures.

So from our side, that is what we can share with the customer. Other than that, he needs to reach out to the OS vendor, Red Hat in this case.

Please do not hesitate to contact us again if you need further assistance.

Best regards,

Sergio S.

Intel Customer Support Technician

Under Contract to Intel Corporation
0 Kudos
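Red Hat's reply in the question turns on the CPU model + stepping combination, and the reply above points to the microcode files on GitHub. The sketch below is an added example (not code from either poster, from Red Hat's detection script, or from Intel): it derives the intel-ucode file name for a CPU and decodes the kernel's mds status string that the scan quoted. The sample input is constructed from the values in the thread; `cpu family : 6`, the function names and the `/lib/firmware/intel-ucode` directory are assumptions not shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Sample input is constructed from the
# values quoted above; "cpu family : 6" is an assumption (not shown there).
SAMPLE_CPUINFO='cpu family : 6
model : 45
model name : Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz
stepping : 2'
SAMPLE_MDS='Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown'

# intel-ucode files are named family-model-stepping, two hex digits each.
ucode_name() {
    printf '%s\n' "$1" | awk -F'[ \t]*:[ \t]*' '
        /^cpu family/   { f = $2 }
        /^model[ \t]*:/ { m = $2 }   # must not match the "model name" line
        /^stepping/     { s = $2 }
        f != "" && m != "" && s != "" {
            printf "%02x-%02x-%02x\n", f, m, s; exit }'
}

# Decode an mds sysfs status line into "<state>|<smt part>".
# kernel-only: the kernel issues the buffer clear, but the CPU has no
# microcode that makes it effective (the case reported in the thread).
mds_state() {
    smt=${1#*"; "}
    if [ "$smt" = "$1" ]; then smt='SMT not reported'; fi
    case ${1%%";"*} in
        'Not affected')                  st=not-affected ;;
        'Mitigation: Clear CPU buffers') st=mitigated ;;
        'Vulnerable: Clear CPU buffers attempted, no microcode')
                                         st=kernel-only ;;
        *)                               st=vulnerable ;;
    esac
    printf '%s|%s\n' "$st" "$smt"
}

# $1 = cpuinfo text, $2 = mds status line, $3 = microcode directory
report() {
    name=$(ucode_name "$1")
    if [ -f "$3/$name" ]; then have=present; else have=missing; fi
    printf 'ucode=%s (%s) mds=%s\n' "$name" "$have" "$(mds_state "$2")"
}

# Live host: report "$(cat /proc/cpuinfo)" \
#   "$(cat /sys/devices/system/cpu/vulnerabilities/mds)" /lib/firmware/intel-ucode
report "$SAMPLE_CPUINFO" "$SAMPLE_MDS" /lib/firmware/intel-ucode
```

A file being present only shows that some microcode exists for that family-model-stepping; whether that revision carries the MDS fix still has to be checked against Intel's SA-00233 guidance.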
DBoob
Beginner
1,446 Views
Hi Sergio,

Thank you for your email!

Per your recommendation, we’ve updated the OS patch and then ran the vulnerability scan, and the result was vulnerable for Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz.

Then we engaged Red Hat, and they are suggesting that we contact the vendor to see if they have any latest microcode patch available for Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz.

We just wanted to know whether the fix for the CVEs (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, and CVE-2019-11091) for the MDS (ZombieLoad) vulnerability (Intel-SA-00233) is included for the Intel® Xeon® Processor E5 V0 Family.

Best Regards,

Dhanasekar Boobalan

Specialist, Blackboard – Compute/Linux, CSS Corp
0 Kudos
SergioS_Intel
Moderator
1,446 Views

Hello DBoob,

 

I am following your question and would like to know if you need more assistance.

 

Best regards,

 

Sergio S.

 

Intel Customer Support Technician

Under Contract to Intel Corporation

 

0 Kudos
SergioS_Intel
Moderator
1,446 Views
Hello DBoob,

Let me check with my upper-level support on your question and we will get back to you.

Best regards,

Sergio S.

Intel Customer Support Technician

Under Contract to Intel Corporation
0 Kudos
SergioS_Intel
Moderator
1,446 Views

Hello DBoob,

 

In case you need more assistance feel free to contact us back.

 

Best regards,

Sergio S.

 

Intel Customer Support Technician

Under Contract to Intel Corporation

0 Kudos