News | Meltdown and Spectre Vulnerabilities
Meltdown and Spectre Vulnerabilities
Friday, 05 January 2018
You have probably heard over the last day or so about a serious security vulnerability affecting Intel CPUs. There are actually two vulnerabilities which have been named "Meltdown" and "Spectre".
The Meltdown issue seems to only affect Intel CPUs (although ARM have also released some patches that may address that issue) and is present in every Intel CPU released since 1995, the Spectre issue affects Intel, AMD and ARM.
Meltdown allows "user mode" code access to "kernel mode" areas of RAM (which contain sensitive information such as passwords and encryption keys) and is relatively easy to exploit. Spectre breaks the isolation between different user mode processes and kernel mode memory but is apparently much harder to exploit. In both cases the access is limited to read-only (so these issues don't directly allow change or corruption of data), but should passwords be compromised that then allows other exploits to be used which may not be read-only.
The highest potential threat is to public cloud environments, where anyone can purchase a virtual machine and potentially run malicious code which could try to read the memory of other VMs running on the same physical host.
Private clouds are also at high risk from attack, as one potential customer could introduce malicious code that affects others in the same way. It is however not limited to cloud based computing, but puts all servers, PCs and smart phones at risk as well.
Patches / Workarounds
There is no immediate fix at a hardware level, as processors would require redesign and replacement, which is completely impracticable in the short term. The workaround therefore is to patch the operating systems and BIOS/Firmware of hosts.
Private cloud vendors are rapidly looking to roll out updates, however to be fully protected the users will need to patch their individual operating systems as well.
Patches have already been released for Linux, MacOS and some versions of Windows 10, but the Windows patches are dependent on AV vendors setting a registry key to confirm they will not be affected by the patch before the fix is applied – most AV vendors have now put this registry key in place but some large vendors have yet to complete this but should do so in the next few days.
There has been some reporting of performance issues associated with the overhead that this patch puts on the OS. These vary between 5% - 30% performance hit dependent on the actual workload (how much access to kernel mode RAM is required by the application) and the age of the CPU (older CPUs being worst hit). Having said that, Google are reported to have completely patched their public cloud servers in recent weeks with no widespread reports of anyone noticing performance issues.
VMware have announced that their ESXi hypervisor is not vulnerable to the Meltdown issue as it doesn't run any user mode code, but is vulnerable to Spectre. They have released patches for their desktop products (Workstation and Fusion) and are working on patches for ESXi and vCenter.
https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html
It is expected that any further Microsoft patches will be included in future Windows Cumulative Updates (i.e. the monthly roll-up of all patches for an OS) and hence will be installed on all patched servers in the coming weeks.
Where does that leave the Datel Advansys Private Cloud?
Our cloud services all run on VMWare and we as an organisation have control over what applications are running on the virtual machines we run and manage.
Whilst our exposure risk is low, we are following Industry bulletins and evaluating announcements as they come out. We will be patching all services during the normal patching cycles we run every month.
We are confident that whilst some applications may subsequently demand more CPU cycles, our server platforms typically run at around 25-35% capacity and hence we should not see any major bottlenecks, although it is possible some routines may appear to be slightly slower dependent on the nature of the individual workload.
If you have any queries please call the helpdesk on the usual number.
There are many posts online about these very high profile issues, useful links include:
http://www.tomshardware.com/news/meltdown-spectre-exploits-intel-amd-arm-nvidia,36219.html
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
https://cloudhat.eu/vmware-security-advisory-vmsa-2018-0002-meltdown-specter-vulnerabilities/
https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
Paul Rathbone
Technical Director