As part of our commitment to provide a fully free (as in freedom) operating system that is stable, simple and "SECURE", we hereby announce that Hyperbola users are now mitigated against the recently published Microarchitectural Data Sampling (MDS) vulnerabilities, also labelled ZombieLoad (CVE-2018-12130), RIDL (Rogue In-Flight Data Load) (CVE-2018-12127 and CVE-2019-11091), and Fallout (CVE-2018-12126), which Intel has controversially considered to be of "Moderate" severity. These flaws, if exploited by an attacker with local shell access to a system, could allow data in the CPU's cache to be exposed to unauthorized processes. While difficult to execute, a skilled attacker could use these flaws to read memory from a virtual or containerized instance, or the underlying host system. The vulnerabilities can be exploited using malware planted on the targeted devices, but some of them can also be trick the CPU into revealing data that should be protected from untrusted code running on that machine. That data can include information like what website the user is passwords, or the secret keys to decrypt their encrypted hard drive. At this point in time, these specific flaws are only known to affect Intel-based processors.
Hyperbola users are strongly advised to update their systems immediately by running # pacman -Syu to perform the upgrade.
Because it is not possible to fully prevent cross-thread attacks, complete mitigation of MDS may require that users disable Intel Hyper-Threading Technology. Whether to disable SMT/HT is left to each user's own discretion and evaluation of the tradeoff between performance and security.
Hyper-Threading (Intel HT) is Intel's implementation of simultaneous multithreading (SMT), a technique for splitting a single physical processor core into two virtual cores, known as hardware threads. It is supposed to improve performance by allowing two software threads to run simultaneously on each physical core, sharing the available resources on the silicon as needed. This means one physical core can juggle two threads, either in the same application or in two separate applications, at the same time, improving throughput. However, it also brings the risk that side-channel surveillance techniques, such as MDS, may be able to break hardware thread isolation and access sensitive data they shouldn't be able to see. In other words, one thread can potentially snoop on the memory accesses of another thread sharing the same physical CPU core, and lift passwords, keys, and other secrets.
In this case, part of the mitigation advice is to specify the kernel command line option mds=full,nosmt.
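
To confirm after the upgrade and reboot that the mitigation and the SMT setting are actually in effect, the kernel's own status report can be read back. The script below is an added example, not part of the original announcement or of Hyperbola's tooling; it assumes the standard Linux sysfs files under /sys/devices/system/cpu, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read back the kernel's MDS mitigation state.
# Status strings follow the kernel's documented forms, e.g. (constructed samples):
#   "Mitigation: Clear CPU buffers; SMT disabled"
#   "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"

# classify_mds STATUS -> not-affected | mitigated | partial | vulnerable | unknown
classify_mds() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation: Clear CPU buffers"*)
            case "$1" in
                # Buffers are cleared, but a sibling hardware thread can still snoop.
                *"SMT vulnerable"*|*"SMT Host state unknown"*) echo "partial" ;;
                *) echo "mitigated" ;;
            esac ;;
        "Vulnerable"*) echo "vulnerable" ;;
        *) echo "unknown" ;;
    esac
}

# cmdline_has_mds_nosmt CMDLINE -> exit 0 if mds=full,nosmt is a whole parameter
cmdline_has_mds_nosmt() {
    case " $1 " in
        *" mds=full,nosmt "*) return 0 ;;
        *) return 1 ;;
    esac
}

report() {
    vuln=/sys/devices/system/cpu/vulnerabilities/mds
    smt=/sys/devices/system/cpu/smt/control
    if [ -r "$vuln" ]; then
        status=$(cat "$vuln")
        echo "mds: $status -> $(classify_mds "$status")"
    else
        echo "mds: no sysfs entry (kernel without the MDS patches, or not Linux)"
    fi
    if [ -r "$smt" ]; then echo "smt control: $(cat "$smt")"; fi
    if [ -r /proc/cmdline ] && cmdline_has_mds_nosmt "$(cat /proc/cmdline)"; then
        echo "cmdline: mds=full,nosmt present"
    else
        echo "cmdline: mds=full,nosmt not set"
    fi
}

report
```

A result of "partial" means the kernel is clearing CPU buffers but SMT is still enabled, which is the cross-thread exposure the nosmt part of the option removes.
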
We recommend that users use firejail to sandbox their browsers.
As part of our solutions, we are providing an updated kernel that is patched against the vulnerabilities, and we will ship fresh live images shortly.