As part of our commitment to provide a fully free (as in freedom) operating system that is stable, simple and secure, we hereby announce that Hyperbola users are now mitigated against the recently published Microarchitectural Data Sampling (MDS) vulnerabilities, also known as ZombieLoad (CVE-2018-12130), RIDL (Rogue In-Flight Data Load) (CVE-2018-12127 and CVE-2019-11091) and Fallout (CVE-2018-12126), which Intel has, controversially, rated as only "Moderate" severity.

These flaws allow an attacker who can run code on a system, whether from a local shell or through code executed on the user's behalf, to read data left behind in the CPU's internal microarchitectural buffers (store buffers, fill buffers and load ports) that belongs to other processes, to the kernel or to other virtual machines. Because the leak happens inside the processor, below the operating system, it is not stopped by the usual process, container or hypervisor boundaries. While difficult to execute reliably, a skilled attacker could use these flaws to read memory of a virtual machine or container, or of the underlying host system. The vulnerabilities can be exploited by malware planted on the targeted device, but some of them can also be triggered remotely through JavaScript served by a malicious website: a rogue page running JavaScript in the target's browser could trick the CPU into revealing data that should be protected from untrusted code running on that machine. That data can include which websites the user is browsing, their passwords, or the secret keys used to decrypt their encrypted hard drive. At this point in time, these specific flaws are only known to affect Intel processors. Hyperbola users are strongly recommended to update their systems immediately by running # pacman -Syu as root.
Additionally, since the kernel's buffer clearing cannot fully prevent attacks from a sibling hardware thread running on the same core, complete mitigation of MDS may require disabling Intel Hyper-Threading Technology. Users must decide this at their own discretion, evaluating whether the performance cost of disabling SMT/HT is an acceptable trade-off for the security gained. Hyper-Threading (Intel HT) is Intel's implementation of simultaneous multithreading (SMT), a technique that presents a single physical processor core as two virtual cores, known as hardware threads. It is supposed to improve throughput by letting two software threads, from the same application or from two separate ones, run simultaneously on one physical core, sharing the core's execution resources as needed. The risk it brings is that side-channel techniques such as MDS may break the isolation between hardware threads and access sensitive data they should not be able to see: one thread can snoop on the memory accesses of another thread sharing the same physical core and potentially lift passwords, keys and other secrets. In this case, part of the mitigation advice is to boot the kernel with the command line option mds=full,nosmt, where mds=full enables clearing of the affected CPU buffers when the kernel returns to user space, enters a guest or goes idle, and nosmt turns the sibling hardware threads off. After rebooting, the kernel reports the resulting state in /sys/devices/system/cpu/vulnerabilities/mds; a fully mitigated system shows "Mitigation: Clear CPU buffers; SMT disabled".
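The following script is an added example, not part of the Hyperbola announcement or of any Hyperbola package: it reads the kernel's own MDS report and SMT state from sysfs, checks whether the running kernel command line turns SMT off, and classifies the result so that a user can verify the mitigation before and after applying mds=full,nosmt. The sysfs paths and status strings are those documented by the Linux kernel (Documentation/admin-guide/hw-vuln/mds.rst); the classification words and the bootloader instructions in the trailing comment (which assume GRUB) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: verify MDS mitigation status on a running Linux system.
# Not Hyperbola code. Paths and status strings follow the kernel's
# Documentation/admin-guide/hw-vuln/mds.rst; verdict words are ours.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds
SMT_SYSFS=/sys/devices/system/cpu/smt/control

# classify_mds STATUS: map the kernel's mds report string to one word.
#   not-affected  CPU does not have the bug
#   mitigated     buffers are cleared and no sibling thread can observe them
#   partial       buffers are cleared but SMT is still on (or unknown, in a guest)
#   vulnerable    no effective mitigation; "no microcode" means the VERW
#                 clearing is attempted on a best-effort basis only
classify_mds() {
    case "$1" in
        "Not affected")
            echo not-affected ;;
        "Mitigation: Clear CPU buffers"*)
            case "$1" in
                *"SMT vulnerable"*|*"SMT Host state unknown"*) echo partial ;;
                *) echo mitigated ;;
            esac ;;
        Vulnerable*)
            echo vulnerable ;;
        *)
            echo unknown ;;
    esac
}

# smt_risk STATE: classify the value of /sys/devices/system/cpu/smt/control.
smt_risk() {
    case "$1" in
        on) echo exposed ;;
        off|forceoff|notsupported|notimplemented) echo closed ;;
        *) echo unknown ;;
    esac
}

# cmdline_requests_nosmt CMDLINE: succeed when the kernel command line turns
# sibling threads off (mds=full,nosmt, nosmt, nosmt=force or mitigations=auto,nosmt).
cmdline_requests_nosmt() {
    case " $1 " in
        *" mds=full,nosmt "*|*" nosmt "*|*" nosmt=force "*|*" mitigations=auto,nosmt "*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# report: print the live state of this machine, where the kernel exposes it.
report() {
    if [ -r "$MDS_SYSFS" ]; then
        mds_status=$(cat "$MDS_SYSFS")
        printf 'mds report : %s\n' "$mds_status"
        printf 'mds verdict: %s\n' "$(classify_mds "$mds_status")"
    else
        echo "mds report : not available (kernel without MDS support, or sysfs not mounted)"
    fi
    if [ -r "$SMT_SYSFS" ]; then
        smt_state=$(cat "$SMT_SYSFS")
        printf 'smt control: %s (%s)\n' "$smt_state" "$(smt_risk "$smt_state")"
    fi
    if [ -r /proc/cmdline ]; then
        if cmdline_requests_nosmt "$(cat /proc/cmdline)"; then
            echo "boot params: SMT disabled on the kernel command line"
        else
            echo "boot params: SMT not disabled on the kernel command line"
        fi
    fi
}

# How to apply the advice (shown only, not executed by this script):
#   * persistently, on a GRUB-based install (assumption; adapt to your bootloader):
#       add mds=full,nosmt to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub,
#       then run: grub-mkconfig -o /boot/grub/grub.cfg   and reboot
#   * immediately, until the next reboot, as root:
#       echo off > /sys/devices/system/cpu/smt/control

report
```

Run it as any user; the sysfs files are world-readable. A verdict of "partial" means the kernel clears the buffers but a sibling hardware thread can still observe them, which is exactly the case the nosmt option closes. If the processor has not received the microcode that makes the VERW instruction flush these buffers, the kernel reports "Vulnerable: Clear CPU buffers attempted, no microcode" and the clearing is best-effort only, so checking the file after the upgrade is worthwhile rather than assuming the kernel update alone is sufficient.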
We recommend that users do not run nonfree JavaScript code, and that they use firejail to sandbox their browsers. Note that a sandbox limits what a compromised browser process can reach on the system; it does not stop the hardware leak itself, so the kernel update and the decision about SMT remain necessary.
As part of our solution we are providing an updated kernel patched against these vulnerabilities, and we will ship fresh live images shortly.