Wind River Support Network

HomeSecurity NoticesWind River Security Vulnerability Notice: several CVEs released by Intel Product Security Center in November 12, 2019
Recommended

Wind River Security Vulnerability Notice: several CVEs released by Intel Product Security Center in November 12, 2019

Released: --

Summary

Wind River Security Vulnerability Notice: several CVEs on Intel products may effect on Wind River Linux


Affected Product Versions

Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9, Wind River Linux 5, Wind River Linux 6, Wind River Linux 7, Wind River Linux 8, Wind River Linux 4

Description

In November 12, 2019, Intel Product Security Center released several CVEs, some of them may effect on system runing WRLinux. All of them can be access from the entrence of Intel Product Security Center:

https://www.intel.com/content/www/us/en/security-center/default.html

Note: Press the "Show more" button just under the table , or you can only see the top four of them.


CVE-2019-11135 and CVE-2018-12207, related to Intel CPU.

CVE-2019-0140, CVE-2019-0145, CVE-2019-0139, CVE-2019-0143, CVE-2019-0144, CVE-2019-0146, CVE-2019-0147, CVE-2019-0148, CVE-2019-0149, CVE-2019-0150, related to Intel Ethernet 700 Series Controller.

CVE-2019-0154 and CVE-2019-0155, related to Intel processor graphics.

CVE-2018-12207: Intel Processor Machine Check Error Advisory

CVE-2019-11135: Intel TSX Asynchronous Abort (TAA)


Affected Windriver Linux releases:

All releases including Wind River Linux LTS 19, Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9, Wind River Linux 8, Wind River Linux 7


Affected software components:

Linux kernel.


Affected hardware:

Almost all Intel CPUs, different CVE issues related to different CPU, for details, plese refer to related webpag: CVE-2019-11135, CVE-2019-11139, CVE-2019-0154, CVE-2019-0155.

Intel Ethernet 700 Series Controller.


Mitigation


For CPU related issue, upgrade CPU microcode once available.

For NIC controller issue, use newest driver and upgrade the newest firmware.

Note:

  • For these two CVEs related to Intel CPU, if your CPU not been listed in these two web pages, please just ignore them: CVE-2019-11135, CVE-2019-11139
  • For the microcode upgrading, to make a full mitigation, the new microcode should be upgraded through BIOS. So please contact your BIOS vendor for it.
  • For these NIC related CVEs, they only effect on Intel Ethernet 700 Series Controller, in linux it called "i40e", if you have no such NIC device, just ignore them.


Additional References


Microcode of Intel CPU: Binary file of microcode for Intel CPUs.

NVM Update Utility for Intel® Ethernet Adapters 700 Series : NIC firmware and tools used to upgrade it.

Intel Ethernet Adapter Complete Driver Pack: software driver, including Intel Ethernet 700 Series Controller.


We are porting all necessary kernel patches on all our supporting releases, at the same time, fetching and upgrading the microcode recipe. We will continue to update this web page and once we have any progress you can get it here.

For any questions or requirements, please contact your local WR support team, or mail to security-alert@windriver.com directly.


Changelog

  • 12/11/2019: Add CVE-2019-0154 and CVE-2019-0155.
  • 11/25/2019: Add CVE-2018-12207 and CVE-2019-11135.
  • 11/18/2019: Add method to download newest firmware and related tools for Intel Ethernet Network Adapter 700 Series.
  • 11/15/2019: Add LTS-1019; Add method to build newest I40E driver for all supported WRL releases execpt WRL8.
  • 11/14/2019: Based on Intel's document, CVE-2019-0142 only effects on Windows, so remove it.
  • 11/13/2019: Initial


Installation Notes

Steps to build NIC driver : i40e

For all supported releases except WRL8:

1) Download the newest driver package from Intel:

https://downloadmirror.intel.com/22283/eng/24_3.zip

There are some older versions like 24_2, 24.1 may also fixed those CVEs but now, we only tried v-24.3, the newest version. The version of i40e in 24.3 is 2.10.19.


2) Get the source code from 24_3.zip:

$ mkdir /PATCH_1

$ cp 24_3.zip /PATCH_1

$ cd /PATCH_1

$ md5sum 24_3.zip

1b9acacdcb57c3777e63865f2fadc844 24_3.zip

$ unzip 24_3.zip

...

$ md5sum PRO40GB/Linux/i40e-2.10.19.30.tar.gz

9af74c805302b85ed92b68fd41b18e3e PRO40GB/Linux/i40e-2.10.19.30.tar.gz

$ mkdir /PATH_2_BUILD_DRIVER
$ cp PRO40GB/Linux/i40e-2.10.19.30.tar.gz /PATH_2_BUILD_DRIVER
$ cd /PATH_2_BUILD_DRIVER
$ tar zxvf i40e-2.10.19.30.tar.gz
Now you get the source code of newest i40e driver in "/PATH_2_BUILD_DRIVER/i40e-2.10.19.30/src".

3) Prepare build envirnonment

$ cd /PATCH_2_WRL_PROJ

$ . oe-init-build-env

# suppose your kernel is linux-yocto.

$ bitbake linux-yocto -c devshell


BTW: For WRL9 and earlier release, the command line should be:

$ make bbs

$ bitbake linux-windriver -c devshell


4) Build I40E driver

$ make menuconfig

Set CONFIG_I40E=n manually.

$ make CONFIG_I40E=m M=/PATH_2_BUILD_DRIVER/i40e-2.10.19.30/src modules

Now you get the kene module /PATH_2_BUILD_DRIVER/i40e-2.10.19.30/src/i40e.ko .


Steps to upgrade firmware for Intel Ethernet 700 Series Controller

The package fits for Linux, Windows and some other OS environment

1) Download the newest Non-Volatile Memory (NVM) Update Utility package from Intel:

https://downloadcenter.intel.com/download/24769/Non-Volatile-Memory-NVM-Update-Utility-for-Intel-Ethernet-Network-Adapter-700-Series

In this web page, you can get the newest package: NVMUpdatePackage_700_Series.zip

This package can be used to upgrade the firmware on Linux, Windows, EFI, VMware ESX and FreeBDS.

$ md5sum NVMUpdatePackage_700_Series.zip

26800f13868e8838df9aad4a26d34c71 NVMUpdatePackage_700_Series.zip


2) Unpackage it and choose the one fit for you, for Linux:

$ unzip NVMUpdatePackage_700_Series.zip

Archive: NVMUpdatePackage_700_Series.zip

inflating: 700Series_NVMUpdatePackage_v7_10_EFI.zip

inflating: 700Series_NVMUpdatePackage_v7_10_ESX.tar.gz

inflating: 700Series_NVMUpdatePackage_v7_10_FreeBSD.tar.gz

inflating: 700Series_NVMUpdatePackage_v7_10_Linux.tar.gz

inflating: 700Series_NVMUpdatePackage_v7_10_Windows.exe

# here the xxx_Linux.tar.gz is the one for Linux.
$ md5sum 700Series_NVMUpdatePackage_v7_10_Linux.tar.gz
a8a2ae2e0e4e1739efe146cbfae3a163 700Series_NVMUpdatePackage_v7_10_Linux.tar.gz
$ tar zxvf 700Series_NVMUpdatePackage_v7_10_Linux.tar.gz
...
$ cd 700Series/Linux_x64
$md5sum nvmupdate64e
d86729bc0fb93d6805693346c85e11a2 nvmupdate64e
$file nvmupdate64e
nvmupdate64e: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.18, BuildID[sha1]=52521145cf59b6bdb075a01e498786d521edd4c2, stripped
$ ./nvmupdate64e
...

Binary file "nvmupdate64e" above is the very tool used to upgrade the NIC firmware. It is only fit for x86-64 enveironment. For more detailed method to upgrade the firmware, plese refer to the "readme.txt" in the same directory as "nvmupdate64e".

BTW: Beside the "700Series_NVMUpdatePackage_v7_10_Linux.tar.gz", there are several other tar.gz packages, for example "700Series_NVMUpdatePackage_v7_10_Windows.exe" is used for Windows environment.

Live chat
Online