As you may be aware, several publications and reports released during the past week describe vulnerabilities that could potentially be exploited on some Intel, AMD and ARM CPUs.
The vulnerabilities have been identified as an architectural problem in the way CPUs attempt to speed up the execution of instructions, and have been named Spectre and Meltdown. They affect a broad range of devices, from smartphones, tablets, PCs and laptops to cloud services provided on server virtualisation platforms. Because of the number of devices these issues could affect, the media have highly publicised this story and somewhat sensationalised it. Nonetheless, we are working our way through applying the guidance issued by the major vendors.
To date, there are no known real-world examples of these vulnerabilities being exploited. Security researchers have demonstrated proof-of-concept exploits using internal (non-publicly available) tools. In addition, the exploits cannot be run remotely and must execute locally on a machine.
A detailed explanation of the vulnerabilities along with vendor specific guidance can be located here.
Three vulnerabilities have been catalogued as:
- Variant 1: bounds check bypass (CVE-2017-5753) – a.k.a. Spectre
- Variant 2: branch target injection (CVE-2017-5715) – a.k.a. Spectre
- Variant 3: rogue data cache load (CVE-2017-5754) – a.k.a. Meltdown
The advice so far is for Operating Systems (e.g. Windows), Virtual Machines, Virtual Appliances, Hypervisors, Server Firmware and CPU microcode to be patched or upgraded to mitigate the vulnerabilities identified. It is also advised to update web browsers, since JavaScript is a further possible route for exploitation. One experimental feature within Google Chrome (Site Isolation) can be used to mitigate some of the risk.
Please note that Windows machines may not actually receive the patches if third-party antivirus software is running, as specific registry keys must be set in order for updates to continue to be received. One industry expert, Kevin Beaumont, has started compiling a list of updates from antivirus vendors and their guidance, which can be accessed here.
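As an added example (not part of the original advisory), the following PowerShell script checks, on a Windows host, whether the antivirus compatibility registry value is set and whether the operating system reports the Variant 2 and Variant 3 mitigations as enabled. It assumes Microsoft's SpeculationControl module (Get-SpeculationControlSettings) is installed and uses the QualityCompat key and value name from Microsoft's January 2018 guidance; neither appears on this page.

```powershell
# Added example, not from the original advisory. Read-only checks; run in an
# elevated PowerShell. Assumes the SpeculationControl module is installed
# (Install-Module SpeculationControl) and that the antivirus compatibility
# value lives under the QualityCompat key documented by Microsoft in Jan 2018.

function Test-AvCompatibilityKey {
    # The AV vendor sets this DWORD to 0 to signal compatibility; without it
    # Windows Update withholds the January 2018 security updates.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        KeyPresent = ($null -ne $item)
        Value      = if ($item) { $item.$name } else { $null }
        Compatible = ($null -ne $item -and $item.$name -eq 0)
    }
}

function Get-MitigationStatus {
    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        throw 'SpeculationControl module not found; run Install-Module SpeculationControl first.'
    }
    $s = Get-SpeculationControlSettings -Quiet
    # Variant 1 (CVE-2017-5753) is mitigated in individual applications and
    # browsers, so the module does not report on it.
    [PSCustomObject]@{
        # Variant 2 (CVE-2017-5715): needs microcode AND an OS update AND the OS setting enabled
        V2_MicrocodePresent = $s.BTIHardwarePresent
        V2_OsSupportPresent = $s.BTIWindowsSupportPresent
        V2_Mitigated        = $s.BTIWindowsSupportEnabled
        # Variant 3 (CVE-2017-5754): kernel VA shadowing, only needed on affected CPUs
        V3_Required         = $s.KVAShadowRequired
        V3_OsSupportPresent = $s.KVAShadowWindowsSupportPresent
        V3_Mitigated        = (-not $s.KVAShadowRequired) -or $s.KVAShadowWindowsSupportEnabled
    }
}

Test-AvCompatibilityKey | Format-List
Get-MitigationStatus    | Format-List
```

A host showing V2_OsSupportPresent but not V2_MicrocodePresent still needs the firmware or microcode update from the hardware vendor before the Variant 2 mitigation takes effect.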
Performance Impact
There have been reports that patching these vulnerabilities may degrade performance by up to 30%. The impact has varied and seems to depend very much on the age of the CPU and the type of workload. VMware has stated that the performance degradation from its patches is negligible and depends very much on the mitigation applied by the Operating System vendor. Microsoft has provided the following statement: “Microsoft recommends that customers assess the performance impact for their systems and make adjustments if necessary”*.
Actions we are taking
We have already started patching the underlying infrastructure on which we operate our hosted IaaS platforms, and will begin contacting customers about patching any Virtual Machines and Operating Systems we support for you where this is likely to involve a period of interruption. As we continue our efforts, we will update customers on a customer-by-customer basis.
Our Advice
For customers for whom we do not provide managed services for operating systems and applications, please seek the latest guidance from your vendors. Information is being updated daily, so please ensure you follow the latest advice.
- Use this as a reminder to reinforce good cyber security practices within your business
- Consult each vendor – Hardware, Hypervisor, Virtual Appliance, Guest OS, Web Browser and Antivirus – for guidance on which patches you should apply
- Test the process before committing to full implementation, to ensure you catch any problems early (including any performance impacts)
- Consider the potential impact for Guest operating systems that may not be offered patches (e.g. Windows 2003)
- Consider implementing Site Isolation within Google Chrome
- Start patching!
Additional Sources: