Canonical released today a security patch for the recent Intel SRBDS/CrossTalk vulnerabilities found in some Intel CPUs, affecting all supported Ubuntu releases.
The security patch for the intel-microcode firmware addresses three hardware vulnerabilities that affect computers powered by Intel processors and running the Ubuntu 20.04 LTS, Ubuntu 19.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, or Ubuntu 14.04 ESM systems.
These include a fix for the recently discovered SRBDS (Special Register Buffer Data Sampling) hardware vulnerability (CVE-2020-0543), also known as CrossTalk. This affects some Intel client and Xeon E3 processors, allowing a local attacker to expose sensitive information. A full list of affected Intel processors is available here.
“Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access,” reads the security notice. “Intel is releasing firmware updates to mitigate this potential vulnerability.”
Two other vulnerabilities (CVE-2020-0548 and CVE-2020-0549) were patched in this new security update. These are believed to be cleanup errors in L1 data cache (L1D) eviction and vector registers that affect certain Intel processors, allowing local attackers to expose sensitive information.
Canonical urges all users who use a computer with an affected Intel CPU to update the intel-microcode package to version 3.20200609, which is now available in the stable repositories of Ubuntu 20.04 LTS, Ubuntu 19.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS and Ubuntu 14.04 ESM, as soon as possible.
According to Canonical, the mitigations for the Intel SRBDS/CrossTalk vulnerabilities will have an impact on the performance of the affected Intel processors. Therefore, an opt-out mechanism is provided as a Linux kernel command-line option (srbds=off) for users who want to disable the mitigations in favor of better performance.
To update your computers, run a standard system update (sudo apt-get update && sudo apt-get full-upgrade) and make sure you reboot after the new intel-microcode version has been successfully installed.
Update: Canonical also released new Linux kernel versions for all supported Ubuntu releases to fully mitigate the Intel SRBDS/CrossTalk vulnerabilities and provide users with the ability to disable the mitigation. More details here.
Update 2: Canonical re-released the intel-microcode packages to address a regression that prevented some processors in the Intel Skylake family (06_4EH) from booting successfully and created system instability on Ubuntu 20.04 LTS machines. Users are urged to update their installations again.
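To confirm the result after the update and reboot, the following added example (not part of the original article or of Canonical's advisory) classifies a machine's SRBDS state and tells a missing microcode update apart from the srbds=off opt-out. It assumes the status file and status strings that the patched Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/srbds, which the article does not mention; the function name srbds_verdict is made up for this example.

```shell
#!/bin/sh
# Added example: classify a host's SRBDS/CrossTalk mitigation state.
#   $1 = contents of /sys/devices/system/cpu/vulnerabilities/srbds
#        (assumption: status strings as reported by the patched Linux kernel)
#   $2 = contents of /proc/cmdline
# Prints a one-line verdict. Returns 0 if no action is needed,
# 1 if the host is exposed, 2 if the state cannot be determined.
srbds_verdict() {
    status=$1
    cmdline=$2
    optout=no
    # Match srbds=off only as a whole boot parameter, never as a substring.
    case " $cmdline " in
        *" srbds=off "*) optout=yes ;;
    esac
    case $status in
        "Not affected")
            echo "OK: CPU not affected"; return 0 ;;
        "Mitigation: "*)
            echo "OK: mitigated (${status#Mitigation: })"; return 0 ;;
        "Vulnerable: No microcode")
            # Kernel is patched, but the loaded microcode lacks the fix.
            echo "ACTION: update intel-microcode and reboot"; return 1 ;;
        "Vulnerable")
            # Microcode has the fix, but the mitigation is switched off.
            if [ "$optout" = yes ]; then
                echo "OPTOUT: mitigation disabled by srbds=off"
            else
                echo "ACTION: mitigation is off, check boot parameters"
            fi
            return 1 ;;
        "")
            # No status at all: the running kernel predates the SRBDS update.
            echo "UNKNOWN: kernel does not report SRBDS, install the updated kernel"
            return 2 ;;
        *)
            echo "UNKNOWN: $status"; return 2 ;;
    esac
}

# Report on the local machine; missing files yield the UNKNOWN verdict.
SYSFS=/sys/devices/system/cpu/vulnerabilities/srbds
srbds_verdict "$(cat "$SYSFS" 2>/dev/null)" "$(cat /proc/cmdline 2>/dev/null)" || true
```

The installed package version can be read with dpkg-query -W intel-microcode and compared against 3.20200609.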