Canonical’s Post

AMD's SEV-SNP Hypervisor support is on the brink of being integrated into the mainline Linux kernel. This marks a significant milestone for confidential computing as it brings us closer to the ultimate goal of secure and isolated virtual environments. The SEV-SNP, which stands for Secure Encrypted Virtualization Secure Nested Paging, has reached its 14th patch revision and is building upon the existing SEV-SNP guest support that's already mainlined. While not all features are enabled yet, this update lays the groundwork for booting SEV-SNP VMs and promises future enhancements like interrupt protection. For those utilizing AMD EPYC servers, this means better security for your virtual machines, with strong memory integrity protection against malicious attacks. It's a step forward in creating a more secure and confidential computing landscape. Stay tuned for more updates as this technology progresses towards the Linux 6.10 kernel cycle. It's an exciting time for AMD and the Linux community! #AMD #Linux #Virtualization #Security #TechNews

🍘 🚨 🍘 Another chipset/processor microcode-level speculative-execution exploit! The Linux Kernel has a lightly-tested patch out now, so upgrade after testing to your comfort level. This one affects Intel, but there've been AMD-specific exploits recently, so kernel AND processor microcode upgrades are a MUST. Dedicated vulnerability page with exploit background: https://downfall.page/ and LWN for commentary and up-to-date remediation info: https://lnkd.in/eu6aJ2CQ

🚨 This vulnerability is pervasive, affectiting computer systems running a set of specific processors ( Intel Core processors from the 6th Skylake to and including the 11th Tiger Lake generation), including cloud compute.

Microsoft made another change to Windows 11 system requirements. It's dropped support for 44 Intel processors.  It's unlikely to impact your business, but if you want to be sure get in touch - we can help! #Windows11 #MicrosoftUpdates #Intel #technology #itsupport #thinkcloud #cybersecurity

Unlock the power of the edge with Keel. Our lightweight linux based OS, with integrated KVM-based hypervisor and SDN (routing and virtualized switching) capabilities, providing a secure virtualization environment on your x86 hardware.  Perfect for organizations needing a secure and robust OS, that eliminates the complexity of running siloed infrastructure at the edge. Learn more about how Keel can revolutionize your edge computing needs: https://lnkd.in/exmRZA5 #Klas #TheEdgeTechnologyCompany #edgetechnology #EdgeComputing #SecureOS #Cybersecurity #BigData

"Researchers unveil the "first native Spectre v2 exploit" targeting the Linux kernel on Intel systems, known as Native Branch History Injection (BHI). This exploit, detailed by Vrije Universiteit Amsterdam's Systems and Network Security Group, bypasses existing Spectre v2/BHI mitigations, allowing for the leakage of arbitrary kernel memory at a rate of 3.5 kB/sec. Tracked as CVE-2024-2201, the vulnerability was initially disclosed in March 2022. Intel's recommendation to address the issue includes disabling Linux's unprivileged eBPFs." #linux #vulnerability #cve #cyberattack #cybersecuirty

VMWare guest escape to host. No patch available for this one yet. The workaround is to disable the virtual USB controller, which may not be possible and difficult to do at scale. Local admin privileges is not best practice however this will be widespread on dev and non-production VMs. From the article "a malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code outside the guest. On Workstation and Fusion that code will run on the host PC or Mac. Under ESXi it will run in the VMX process that encapsulates each guest VM." https://lnkd.in/e3M_Chjf

Vulnerability in 16.5K+ VMware ESXi Instances Let Attackers Execute Code https://lnkd.in/e-mWBNpQ

#linuxkernel #exploit #spectrev2 CVE-2024-2201 is a cybersecurity vulnerabily that could be exploited to read sensitive data from the memory on Intel-based systems running Linux. It's called BHI (Native Branch History Injection) and described by cybersecurity researchers as "First, native Spectre v2" exploit against the Linux kernel.

To encourage people to find security holes in the open source Kernel-based Virtual Machine (KVM) hypervisor, Google has launched a vulnerability reward program (VRP), where the top prize is up to a quarter of a million dollars. The VRP is set up as a capture-the-flag contest where the tester logs in as a guest and attempts to find a zero-day vulnerability in the KVM host kernel. KVM is an open source project, to which Google is an active contributor, that has been included in mainline Linux since 2007. It allows Intel- or AMD-powered devices to run multiple virtual machines (VMs) with hardware emulation that can be customized to support multiple legacy operating systems. Google uses it in its Android and Google Cloud platforms, which is why it has a vested interest in keeping it secure. https://lnkd.in/gw7Y9m-N