Users are urged to install the latest kernel versions

Aug 16, 2018 09:55 GMT

A new Spectre-like flaw affects Intel x86 CPUs once again, called L1 Terminal Fault (L1TF) or Foreshadow, and patches are now available for the most popular Linux-based operating systems.

Both Canonical and Red Hat emailed us about the L1 Terminal Fault security vulnerability, which is documented as CVE-2018-3620 for operating systems and System Management Mode (SMM), CVE-2018-3646 for impacts on virtualization, and CVE-2018-3615 for Intel Software Guard Extensions (Intel SGX). They affect all Linux-based operating systems running on machines with Intel CPUs.

"It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS)," reads the Ubuntu security advisory.

In addition to the L1 Terminal Fault flaw, the new kernel updates also patch a security vulnerability (CVE-2018-5391) discovered by Juha-Matti Tilli in the Linux kernel's IP implementation, which performed algorithmically expensive operations in various situations while handling incoming packet fragments, allowing remote attackers to cause a denial of service.

"This is mitigated by reducing the default limits on memory usage for incomplete fragmented packets. The same mitigation can be achieved without the need to reboot, by setting the sysctls: net.ipv4.ipfrag_high_thresh = 262144 / net.ipv6.ip6frag_high_thresh = 262144 / net.ipv4.ipfrag_low_thresh = 196608 / net.ipv6.ip6frag_low_thresh = 196608," reads the Debian security advisory.

How to patch your computer against the Foreshadow vulnerability

Patching your computer against the Foreshadow (L1 Terminal Fault) vulnerability is important, and patched kernels are now available for Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), Ubuntu 14.04 LTS (Trusty Tahr), Ubuntu 12.04 ESM (Precise Pangolin), Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, CentOS Linux 6, and CentOS Linux 7.

All users of these operating systems or other GNU/Linux distributions based on them are urged to update their installations as soon as possible. Make sure you install the latest kernel version for your Linux OS and then reboot the computer for the patch to be activated. Also, ensure you're running the most recent microcode firmware update for your Intel processor.
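A small check script, added here as an example and not taken from any of the vendor advisories, that verifies the two things this article asks for: whether the running kernel reports an L1TF mitigation in `/sys/devices/system/cpu/vulnerabilities/l1tf` (a file that only patched kernels provide), and whether the fragment-reassembly sysctls are at or below the values quoted from the Debian advisory for CVE-2018-5391. The function names and the classification labels are my own.

```shell
#!/bin/sh
# Added example, not from the advisories: check a host's L1TF report and the
# FragmentSmack (CVE-2018-5391) sysctl limits quoted in the Debian advisory.

FRAG_HIGH=262144   # advisory value for ipfrag_high_thresh / ip6frag_high_thresh
FRAG_LOW=196608    # advisory value for ipfrag_low_thresh / ip6frag_low_thresh

# l1tf_classify STRING: classify one line as reported by a patched kernel in
# /sys/devices/system/cpu/vulnerabilities/l1tf. Prints not_affected, mitigated,
# mitigated_smt_vulnerable (host mitigated, but SMT still exposes guests, the
# CVE-2018-3646 case), vulnerable, or unknown (kernel too old to report).
l1tf_classify() {
    case "$1" in
        "Not affected"*)                 echo not_affected ;;
        Mitigation:*"SMT vulnerable"*)   echo mitigated_smt_vulnerable ;;
        Mitigation:*)                    echo mitigated ;;
        Vulnerable*)                     echo vulnerable ;;
        *)                               echo unknown ;;
    esac
}

# frag_limits_ok: read "key = value" lines (what `sysctl <key>` prints) on stdin
# and fail if any of the four reassembly thresholds exceeds the advisory value.
frag_limits_ok() {
    rc=0
    while IFS=' =' read -r key value; do
        case "$key" in
            net.ipv4.ipfrag_high_thresh|net.ipv6.ip6frag_high_thresh) limit=$FRAG_HIGH ;;
            net.ipv4.ipfrag_low_thresh|net.ipv6.ip6frag_low_thresh)   limit=$FRAG_LOW ;;
            *) continue ;;   # ignore unrelated keys
        esac
        if [ "$value" -gt "$limit" ]; then
            echo "$key = $value exceeds advisory limit $limit"
            rc=1
        fi
    done
    return $rc
}

# When run on a real host, report both checks (silently skipped where missing).
L1TF_FILE=/sys/devices/system/cpu/vulnerabilities/l1tf
if [ -r "$L1TF_FILE" ]; then
    echo "L1TF: $(l1tf_classify "$(cat "$L1TF_FILE")")"
fi
if command -v sysctl >/dev/null 2>&1; then
    sysctl net.ipv4.ipfrag_high_thresh net.ipv6.ip6frag_high_thresh \
           net.ipv4.ipfrag_low_thresh  net.ipv6.ip6frag_low_thresh 2>/dev/null \
        | frag_limits_ok || echo "fragment limits need lowering (sysctl -w key=value)"
fi
```

An `unknown` result usually means the kernel predates the L1TF patches and cannot report on it at all, so install the update and reboot before reading anything into the sysfs file.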

Update 20/08/18: Debian GNU/Linux 9 "Stretch" didn't receive the patch against the L1 Terminal Fault security vulnerability until August 20, 2018. Instead, the kernel security update published last week addressed the CVE-2018-5391 (FragmentSmack) vulnerability.