One would think that microcode updates are basically unproblematic on modern Linux distributions. This is fundamentally correct. Nevertheless, there are always edge cases in which distribution developers may have missed something.
Using the example of Ubuntu 18.04 LTS “Bionic Beaver” in connection with the XEN Hypervisor this becomes obvious when it comes to processors microcode updates.
Ubuntu delivers updated microcode packages for both AMD and Intel. However, these are apparently not applied to the processor.
XEN Microkernel
The reason for this is not to obvious. In XEN, the host system is already paravirtualized and cannot directly influence the CPU for security reasons. Accordingly, manual attempts to change the current microcode fail.
Therefore, the XEN microkernel has to take care of the microcode patching. Instructed correctyl, it will do so at boot time.
Customize command line in Grub
For the XEN kernel to patch the microcode of the CPU, it must have access to the microcode code files at boot time and on the other hand, he must also have the order to apply them. We can achieve the latter by Grub boot loader configuration. To do so, we setup a parameter in the kernel command line.
In the case of Ubuntu 18.04 LTS, the grub configuration file can be found at /etc/default/grub.
There you should find the file xen.cfg. This is of course only the case if the XEN Hypervisor package is installed. Open the config file in your editor and look for the location of the variable GRUB_CMDLINE_XEN_DEFAULT. Add the parameter ucode=scan. In the default state, the line of the xen.cfg then should look like this:
GRUB_CMDLINE_XEN_DEFAULT="ucode=scan"
Customize Initramfs
In addition to the instruction, the microkernel of the XEN hypervisor also needs access to the respective microcode files as well as the ‘Intel Microcode Tool’, if applicable.
While the microcode packages are usually already installed correctly, the the Intel tool may had to be made accessible via sudo apt-get install iucode tool. Care must also be taken to ensure that the microcode files also get into the initial ramdisk. For this purpose, Ubuntu already has matching scripts available.
In the default state, the system tries to select the applicable microcodes for the CPU in the InitramFS. Unfortunately, this does not succeed always, so you might have to help here.
With the command sudo lsinitrd /boot/initrd.img-4.15.0-46-generic you can, for example, check which contents are stored in the InitramFS with the name initrd.img-4.15.0-46-generic. If on an Intel system there is something from AMD but not Intel shown, the automatic processor detection went wrong when creating the initramdisk.
To get this right, you need to look at the files amd64-microcode and intel-microcode in the directory /etc/default. Each of these two config files has a INITRAMFS variable AMD64UCODE_INITRAMFS or IUCODE_TOOL_INITRAMFS. The valid values to configure are “no,” “auto,” or “early”. Default is “auto”. With “auto” the system tries the auto discovery mentioned above. If it doesn’t work, you should set the value to early in the file matching the manufacturer of your CPU, and the other setup file to no. If the manufacturer is Intel, you can use the file intel-microcode to set the following additional variable:
IUCODE_TOOL_SCANCPUS=yes
This causes the script set to perform advanced CPU detection based on the Intel CPU, so that only the microcode files are included in the InitramFS that match the CPU. This helps avoiding an oversized initial ramdisk.
Finalize changes
Both the changes to the grub config and the adjustments to the InitramFS must also be finalized. This is done via
sudo update-initramfs -u sudo update-grub
A subsequent restart of the hypervisor will then let the XEN microkernel integrate the microcode patches provided in the InitramFS to the CPU.
Is it worth the effort?
Adjustments to the microcode of the processors are important. CPU manufacturers troubleshoot the “hardware” they sell. This fixes can be very important to maintain the integrity oder security of your server system – as we saw last year when the Spectre and Meltdown bugs got undisclosed. Of course, microcode updates can also be seen as negative, since the fixes for “Spectre” as well as “Meltdown” impose performance losses. Here it is necessary to consider whether one should integrate the microcode updates or not. This depends on risk vs. reward. Here there are quite different views, which are to be considered in the context of the system application.
A virtualization host, which runs third party virtual machines has whole other security requirements than a hypervisor who is deeply digged into the internal infrastructure and only runs trusted VMs. Between these two extremes, there are, of course, a few shades to deal with.
The open-source SSH client PuTTY, popular among Windows administrators, was released in a new version last Saturday. This update closes several critical security vulnerabilities. The last version of PuTTY was released around 20 months ago.
Users should update urgently
The newly released version 0.71 was made available for download last Saturday, March 16, 2019.
PuTTY is available as a 32- and 64-bit MSI installer package as well as a source archive. As is customary with PuTTY, all components of the package can also be downloaded individually as executables.
Based on the security vulnerabilities listed and fixed in the changelog, we can only strongly recommend updating all PuTTY clients.
As with any security-relevant software, the digital fingerprints (hashes) should be verified. Alternatively, the author team also provides GPG signatures to verify the authenticity of the archives. Furthermore, you should not download this tool from third-party, unknown sources. Security-relevant open-source software in particular is often used by unverified third-party sources to introduce modified and sometimes malicious software into systems.
You can find more information on the official project homepage.
EU funding program for the security of open-source software
With the EU-FOSSA funding program, in which the European Commission offered rewards for submitted bugs in a selection of open-source software, PuTTY was also included in the latest round. For the period from January 16, 2019 to December 15, 2019, a total reward of €90,000 was offered for PuTTY for reported security vulnerabilities.
As a result of this program, the PuTTY authors are closing five security vulnerabilities with the current release that were submitted to EU-FOSSA:
- Before host key verification, memory can be overwritten remotely during the RSA key exchange
- Possible reuse of random numbers for encryption
- On Windows, an attacker can manipulate a help file and thus gain control of PuTTY
- On Unix systems, a remotely triggered buffer overflow can be triggered
- Various denial-of-service attacks by writing to the terminal
More information about the bug bounty program is available here.
Further bug fixes by the author team
In addition to the bugs reported via EU-FOSSA, the team is fixing further issues and delivering improvements in the areas of security and usability.
Overall, the EU program suggests that further fixes can be expected over the course of 2019, after PuTTY development had become quieter.
PuTTY is embedded in many programs
It should also not be forgotten that PuTTY, as open-source software, is indeed used directly or indirectly in other products. For example, there is the Multi-PuTTY-Manager, which uses an existing PuTTY installation. Here, too, it is important to remember to update the PuTTY installation to close the security vulnerabilities. The same naturally applies to AutoPutty and similar tools.
Also important is software that integrates PuTTY or parts of it permanently or invisibly for the user. One example is WinSCP, which uses the PuTTY package component PageAnt. In this case, it may be necessary to wait for a new release of the software.
The PuTTY authors maintain a list of software that includes PuTTY.