Spectre/Meltdown Spec store bypass: vulnerable

[Xela69]

From CERT-EU Services on 2023-03-24 16:23

Dear Researcher,

Once again we would like to extend our gratitude for reporting your findings to us. It really helps us carry out our tasks and fulfill our mandate towards our constituents.

After examining the plausibility of the reported vulnerability and its effects, we followed due process in establishing contact with the relevant vendor, as per our vulnerability disclosure policy.

CERT-EU escalated the potential security issues related to CVE-2018-3639 to the ...Cloud support a few times. After a number of interactions with them, the ...Cloud team informed us that they are not concerned by CVE-2018-3639 because the CPUs in use for this service are not affected by this vulnerability.

Unfortunately, we are not in a position to have the vendor share with us more technical details explaining the reason why Speculative Store Bypass Disable (SSBD) option is not exposed to the guest virtual Debian-based machines.

Nevertheless, please be informed that in addition to SSBD there are other mitigation options available like process isolation or LFENCE option to control speculative load execution [1,2].

Finally, as a customer, you could request access to ...Cloud certifications, reports or on-site audits in order to check if the service meets your requirements, different compliance and security standards [3].

1. https://www.intel.com/content/www/us/en ... software-s[..]
2. https://msrc.microsoft.com/blog/2018/05 ... eculative-[..]
3. ...

We sincerely hope you find this information useful.

Kind regards,

--
CERT-EU (https://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: services@cert.europa.eu
PGP KeyID 0x5DDA8E13
FP: C9B2 0BAB 2C37 35AD FF79 7949 AFBD 579A 5DDA 8E13
Privacy statement: https://cert.europa.eu/cert/plaineditio ... ivacy.html

[Xela69]

Email from 2023-03-26 16:41

Dear CERT-EU Team,

many thanks for the efforts so far but doubts now arise.

Are we pulling together in the same direction?

As an European and one of the largest cloud provider in Europe, he should represent the values of Europe. Especially privacy, without which a democracy cannot survive and therefore neither can European values.

Cloud instances at xxx are not only affected by CVE-2018-3639 (https://nvd.nist.gov/vuln/detail/CVE-2018-3639).

In the meantime a shell-script exists which assesses a system's resilience against the several transient execution CVEs that were published since early 2018, and it gives guidance as to how to mitigate them.

You can find that shell script at following link: https://github.com/speed47/spectre-meltdown-checker

The xxx-VPS instances are currently vulnerable with:

CVE-2018-3640 https://nvd.nist.gov/vuln/detail/CVE-2018-3640 [5.6 MEDIUM]
CVE-2018-3639 https://nvd.nist.gov/vuln/detail/CVE-2018-3639 [5.3 MEDIUM]
CVE-2018-12126 https://nvd.nist.gov/vuln/detail/CVE-2018-12126 [5.6 MEDIUM]
CVE-2018-12130 https://nvd.nist.gov/vuln/detail/CVE-2018-12130 [5.6 MEDIUM]
CVE-2018-12127 https://nvd.nist.gov/vuln/detail/CVE-2018-19127 [9.8 CRITICAL]
CVE-2019-11091 https://nvd.nist.gov/vuln/detail/CVE-2019-11091 [5.6 MEDIUM]
CVE-2020-0543 https://nvd.nist.gov/vuln/detail/CVE-2020-0543 [5.5 MEDIUM]

THERE IS NO PRIVACY!

All these vulnerabilities are now mitigable with the help of microcode and properly set kernel parameters. Yes, performance intrusions can occur. However, the observance of privacy has a higher priority here.

Whether there is an intention here is secondary, the privacy must be guaranteed. xxx is a publicly traded company whose shareholders are unknown. Are there possibly Russian, Chinese or other shareholders?

I politely ask the experts from CERT-EU to definitely take a closer look at this.

I am looking forward.

Best regards

[Tintom]

Ich möchte deine Euphorie ja nicht bremsen, aber aus gegebenem Anlass einmal nachfragen: Hast du die Damen und Herren davon in Kenntnis gesetzt (und die Zustimmung erhalten?), dass du sämtliche Kommunikation hier veröffentlichst?

[towo]

Kann man diesen Unsinn nicht beenden und den Thread zu machen?

[Xela69]

Seid Ihr schon Up2Date?

https://internet.nl/

[TRex]

Seid Ihr schon Up2Date?

https://internet.nl/

Hat der Link einen Zweck? Und: was hat das mit dem Rest des Threads zu tun? Ich finde die Frage von Tintom viel interessanter. Magst du darauf eingehen?

[Xela69]

Nein! Über 150.000 Zugriffe sprechen für sich!