SWAPGS: KernelCare patches on the way
A new month has started—Summer is in full swing—Must be time for another CPU vulnerability. (Let’s hope this one has a catchy name.)
It seems we haven’t seen the last of Spectre and Meltdown. They have risen from the ashes, mutated and turned into … SWAPGS. (Sorry, no catchy name this time.)
This is another flaw in the architectural design of speculative execution side channels used to accelerate the performance of modern Intel CPUs. SWAPGS is a privileged instruction that can be run speculatively. The flaw can be exploited even with Spectre and Meltdown mitigations in place.
It’s officially numbered as CVE-2019-1125 and as with the previous types, this one affects Intel CPUs made since 2012; there is still controversy as to whether it also affects AMD processors (AMD says it doesn’t). SWAPGS utilizes the branch prediction used in modern microprocessors. This speculation can leave traces in the cache, which attackers use to extract data using a timing attack, similar to side-channel exploitation of Spectre.
KernelCare patches will start rolling out on Monday, 12 August.
Patches released to Production:
- OEL 6
- RHEL 6
- RHEL 8
- Ubuntu Xenial
- Ubuntu Bionic
- Debian 9
- Bitdefender report
- Red Hat: “CVE-2019–1125: Spectre SWAPGS gadget vulnerability”
- Ubuntu CVE Tracker
- Microsoft Windows kernel patch notification
- Zombieload 2: KernelCare Team is on it!
- Zombieload 2: The Patches for CVE-2018-12207 are in the Test Feed!
- SWAPGS: KernelCare patches on the way
- RIDL – Another MDS Attack that Live Patching Would Have Saved You From
- QEMU-KVM vhost/vhost_net Guest to Host Kernel Escape Vulnerability
- New vulnerability found in Linux kernel, patched by KernelCare
- SACK Panic & Slowness: KernelCare Live Patches Are Here
- L1 Terminal Fault (L1TF) patches are available
- Intel DDIO ‘NetCat’ Vulnerability Report
- Fallout – the MDS Side Channel Attack That Isn’t Zombieload
KernelCare is a live patching system that patches Linux kernel vulnerabilities automatically, with no reboots. It’s used on over 300,000 servers, and has been used to patch servers running for 6+ years. It works with all major Linux distributions, such as RHEL, CentOS, Amazon Linux, and Ubuntu. It also interoperates with common vulnerability scanners such as Nessus, Tenable, Rapid7, and Qualys. To talk with a consultant about how KernelCare might meet your enterprise’s specific needs, contact us directly at [email protected].