  1. #1

    Synology & Spectre / Meltdown

    I ran the Spectre-Meltdown-Checker on my DS218+ and was quite shocked:

    Code:
    ash-4.3# ./spectre-meltdown-checker.sh 
    Spectre and Meltdown mitigation detection tool v0.37+
    
    Checking for vulnerabilities on current system
    Kernel is Linux 4.4.15+ #15284 SMP PREEMPT Sat May 19 04:45:12 CST 2018 x86_64
    CPU is Intel(R) Celeron(R) CPU J3355 @ 2.00GHz
    We're missing some kernel info (see -v), accuracy might be reduced
    
    Hardware check
    * Hardware support (CPU microcode) for mitigation techniques
      * Indirect Branch Restricted Speculation (IBRS)
        * SPEC_CTRL MSR is available:  NO 
        * CPU indicates IBRS capability:  NO 
      * Indirect Branch Prediction Barrier (IBPB)
        * PRED_CMD MSR is available:  NO 
        * CPU indicates IBPB capability:  NO 
      * Single Thread Indirect Branch Predictors (STIBP)
        * SPEC_CTRL MSR is available:  NO 
        * CPU indicates STIBP capability:  NO 
      * Speculative Store Bypass Disable (SSBD)
        * CPU indicates SSBD capability:  NO 
      * Enhanced IBRS (IBRS_ALL)
        * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
        * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
      * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
      * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
      * CPU microcode is known to cause stability problems:  NO  (model 0x5c family 0x6 stepping 0x9 ucode 0x2c cpuid 0x506c9)
    * CPU vulnerability to the speculative execution attack variants
      * Vulnerable to Variant 1:  YES 
      * Vulnerable to Variant 2:  YES 
      * Vulnerable to Variant 3:  YES 
      * Vulnerable to Variant 3a:  YES 
      * Vulnerable to Variant 4:  YES 
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Kernel has array_index_mask_nospec (x86):  UNKNOWN  (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
    * Kernel has the Red Hat/Ubuntu patch:  UNKNOWN  (missing 'strings' tool, please install it, usually it's in the binutils package)
    * Kernel has mask_nospec64 (arm):  UNKNOWN  (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
    * Checking count of LFENCE instructions following a jump in kernel...  UNKNOWN  (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
    > STATUS:  UNKNOWN  (Couldn't find kernel image or tools missing to execute the checks)
    
    > How to fix: Re-run this script with root privileges, after installing the missing tools indicated above
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
      * Kernel is compiled with IBRS support:  NO 
        * IBRS enabled and active:  NO 
      * Kernel is compiled with IBPB support:  UNKNOWN  (in offline mode, we need the kernel image to be able to tell)
        * IBPB enabled and active:  NO 
    * Mitigation 2
      * Kernel has branch predictor hardening (arm):  NO 
      * Kernel compiled with retpoline option:  UNKNOWN  (couldn't read your kernel configuration)
    > STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)
    
    > How to fix: To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. The retpoline + IBPB approach is generally preferred as the performance impact is lower. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches.
    
    > How to fix: The microcode of your CPU needs to be upgraded to be able to use IBPB. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). An updated CPU microcode will have IBRS/IBPB capabilities indicated in the Hardware Check section above. If you're running under an hypervisor (KVM, Xen, VirtualBox, VMware, ...), the hypervisor needs to be up to date to be able to export the new host CPU flags to the guest. You can run this script on the host to check if the host CPU is IBRS/IBPB. If it is, and it doesn't show up in the guest, upgrade the hypervisor. You may need to reconfigure your VM to use a CPU model that has IBRS capability; in Libvirt, such CPUs are listed with an IBRS suffix.
    
    > How to fix: Your kernel doesn't have IBPB support, so you need to either upgrade your kernel (if you're using a distro) or recompiling a more recent kernel.
    
    > How to fix: The microcode of your CPU needs to be upgraded to be able to use IBRS. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). An updated CPU microcode will have IBRS/IBPB capabilities indicated in the Hardware Check section above. If you're running under an hypervisor (KVM, Xen, VirtualBox, VMware, ...), the hypervisor needs to be up to date to be able to export the new host CPU flags to the guest. You can run this script on the host to check if the host CPU is IBRS/IBPB. If it is, and it doesn't show up in the guest, upgrade the hypervisor. You may need to reconfigure your VM to use a CPU model that has IBRS capability; in Libvirt, such CPUs are listed with an IBRS suffix.
    
    > How to fix: Your kernel doesn't have IBRS support, so you need to either upgrade your kernel (if you're using a distro) or recompiling a more recent kernel.
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  NO 
      * PTI enabled and active:  NO 
      * Reduced performance impact of PTI:  NO  (PCID/INVPCID not supported, performance impact of PTI will be significant)
    * Running as a Xen PV DomU:  NO 
    > STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)
    
    > How to fix: If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel with the CONFIG_PAGE_TABLE_ISOLATION option (named CONFIG_KAISER for some kernels), or the CONFIG_UNMAP_KERNEL_AT_EL0 option (for ARM64)
    
    CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
      * CPU microcode mitigates the vulnerability:  NO 
    > STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)
    
    > How to fix: The microcode of your CPU needs to be upgraded to mitigate this vulnerability. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). The microcode update is enough, there is no additional OS, kernel or software change needed.
    
    CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
      * Kernel supports speculation store bypass:  NO 
    > STATUS:  VULNERABLE  (Neither your CPU nor your kernel support SSBD)
    
    > How to fix: Both your CPU microcode and your kernel are lacking support for mitigation. If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel from recent-enough sources. The microcode of your CPU also needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section).
    
    A false sense of security is worse than no security at all, see --disclaimer
    No PTI, no retpoline, no IBRS, NOTHING!
    Does anyone know whether Synology has something planned here?

    colo ZRH | SuperMicro | 64GB RAM | Xeon E5-2620v4 | 4x1TB SATA, HW RAID 10 | debian stretch | BGP | SuperMicro 5018D-FN8T | 1 Gbit/s | DS218+ with 2x 1TB |
    colo FRA | SuperMicro | 32GB RAM | Xeon E3-1240 | 4x1TB SAS, HW RAID 10 | debian stretch | BGP | SuperMicro 5018D-FN8T | 11 Gbit/s |
    network | AS62078 | RIPE LIR | BGP Multihoming | 2 Locations |
    Home | Synology DS218+ | 2x1TB WD RED | UPS | PCEngines APU2 | UPC 500 Mbit/s & Salt 10 Gbit/s |
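    The checker output above is easy to read on one box but tedious to compare across several. As an added example (not part of this thread and not code from the spectre-meltdown-checker project), the following Python script parses that output format into per-CVE results and lists what still needs attention; it treats UNKNOWN (here caused by the missing kernel image in /boot and the missing `strings` tool) as "not verified" rather than as a pass. The embedded report excerpt is constructed from the post above.

```python
import re
from typing import Dict, List

# Constructed excerpt of spectre-meltdown-checker output, abridged from the post above.
SAMPLE_REPORT = """\
Checking for vulnerabilities on current system
Kernel is Linux 4.4.15+ #15284 SMP PREEMPT Sat May 19 04:45:12 CST 2018 x86_64
CPU is Intel(R) Celeron(R) CPU J3355 @ 2.00GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has the Red Hat/Ubuntu patch:  UNKNOWN  (missing 'strings' tool, please install it)
> STATUS:  UNKNOWN  (Couldn't find kernel image or tools missing to execute the checks)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO
  * PTI enabled and active:  NO
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)
CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
> STATUS:  VULNERABLE  (Neither your CPU nor your kernel support SSBD)
"""

# Section header: "CVE-YYYY-NNNN [description] aka 'name' aka 'other name'"
CVE_RE = re.compile(r"^(CVE-\d{4}-\d+)\s+\[([^\]]+)\](.*)$")
# Verdict line: "> STATUS:  VERDICT  (reason)"; the reason may contain nested parentheses.
STATUS_RE = re.compile(r"^>\s*STATUS:\s+(\S+)\s*(?:\((.*)\))?\s*$")


def parse_report(text: str) -> Dict[str, dict]:
    """Map each CVE section to its description, aliases, final STATUS and the tool's reason."""
    result: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CVE_RE.match(line)
        if m:
            current = m.group(1)
            aliases = re.findall(r"'([^']+)'", m.group(3))
            result[current] = {"desc": m.group(2), "aliases": aliases, "status": None, "reason": ""}
            continue
        m = STATUS_RE.match(line)
        if m and current:
            result[current]["status"] = m.group(1)
            result[current]["reason"] = (m.group(2) or "").strip()
    return result


def needs_attention(report: Dict[str, dict]) -> List[str]:
    """CVEs that are confirmed vulnerable or could not be verified; UNKNOWN is not a pass."""
    return sorted(cve for cve, r in report.items() if r["status"] in ("VULNERABLE", "UNKNOWN"))


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for cve in needs_attention(rep):
        print(cve, rep[cve]["status"], "-", ", ".join(rep[cve]["aliases"]), "-", rep[cve]["reason"])
```

    Feed it the saved output of `./spectre-meltdown-checker.sh` from each host to get a comparable list; an empty list from `needs_attention` means every section reported NOT VULNERABLE.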


  2. #2
    Moderator Matthieu

    Hello,
    here is the current status:
    https://www.synology.com/de-de/suppo...ology_SA_18_01
    Since it requires a microcode update, which did not run entirely smoothly on the Windows boxes either, I can well imagine that the patch will take a while.

    Regards, Matthieu
    Package Center server "Community Package Hub"
    DS207+ | DS209+II | DS411+II | DS1513+ | DS916+ 8GB | RS818+ 16GB
    || 4x WD20EFRX, 4x ST4000VN008, 2x WD10EADS, 2x HDS721616, 1x HD204UI, 3x WD30EFRX
    iUSB2 | APC UPS | Synology Remote
    | Chromecast 2 | Chromecast Audio | Fairphone 2

    "There is no cloud, just other people's computers" - Free Software Foundation Europe

  3. #3

    At least Meltdown can be fixed with a simple kernel update. And the microcode updates run fine on all my Linux machines :-)
    I'm curious to see what happens.



  4. #4
    User DKeppi

    Found in the latest DSM 6.2.1
    (attached screenshots)
    DS916+ | 8GB RAM | 6.2.3-25426 | 12TB SHR | 24/7
    DS116 |
    6.2.3-25426 | 4TB Basic | Backup

    APC Back-UPS CS350 | Ubiquiti: USG P3, US 8 POE-60W & 2x UAP-nanoHD


    DSFinder | DSFile | DSCloud | DSPhoto | Photostation | Cloudstation | Webstation | DNS-Server | HyperBackup | TimeMachine | NUT | Java | VMM |
    lcd4linux
    RSScrawler | jD2 | filebot | Plex | Docker | Portainer | sspks | watchtower | Unifi Controller | Storj Storage Node | MariaDB | phpMyAdmin | Joomla | MediaWiki

  5. #5
    User dil88

    Thanks for the hint!
    DS214+ with DSM 5.2 5967-9 (1x WD RED 4TB), VU+ Solo2 SAT receiver, Fritzbox 7580 - Ultimate Backup

  6. #6
    User

    The status of the vulnerabilities can be looked up here:
    https://www.synology.com/de-de/support/security?page=1


    Synology-SA-18:01 Meltdown and Spectre Attacks Moderate Ongoing 2018-01-09 18:00:16 UTC+8
    Synology-SA-18:23 Speculative Store Bypass Moderate Ongoing 2018-05-22 14:39:53 UTC+8

  7. #7
    User

    Where do I find the script:
    spectre-meltdown-checker.sh ?
    Is the DS213+ even "affected" at all?
    with a "Freescale P1022" processor?

  8. #8
    User DKeppi
