New CPU vulnerabilities known as Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715 and CVE-2017-5753) were disclosed on 3 January 2018. Who is affected by these vulnerabilities? How can they be fixed? What about EASI? This blog post answers these questions and more.
How do operating systems work?
There are two different areas where instructions are processed by the CPU: the kernel and the userland. The kernel is a privileged area which manages almost everything: enforcing security settings, starting and stopping user programs, memory management, and access control to the hardware (USB, network cards...). The userland is the least privileged area, where the user's applications run.
Access control is enforced to prevent userland applications from accessing data located in the kernel area, or data belonging to other userland applications, unless authorized. This access control is enforced at the software level by the kernel and at the hardware level by the CPU. At the hardware level, privileges are called "rings", where ring 0 stands for kernel level and ring 3 stands for userland level. Processes in ring 0 can take control over processes and resources in higher-numbered rings, but not the other way around.
Modern CPUs support what is called speculative execution, whereby the processor figures out what the next few instructions are supposed to do, breaks them into smaller sub-instructions, and processes them in a possibly different order compared to how they appear in the program.
But what if the processor handles multiple instructions at the same time (in parallel), one of them is invalidated due to insufficient rights, and the complete operation is aborted? Where is the data from the other instructions that were already processed? For performance reasons, this data might be kept inside the CPU's memory cache. This means that Intel CPUs suffer from a hardware-level side channel that could leak privileged memory to unprivileged programs.
What is Meltdown (CVE-2017-5754)?
This vulnerability abuses the speculative execution feature used in Intel CPUs to create a side-channel attack capable of reading arbitrary memory locations used by other processes and even by the system kernel itself. Data that could be stolen this way includes passwords and cryptographic keys.
What is Spectre (CVE-2017-5715 and CVE-2017-5753)?
It uses the same attack model as Meltdown but can only read memory from unprivileged (userland) processes. Furthermore, it must be customized for each software environment. However, it affects all processors that use speculative execution (Intel, AMD and ARM).
How can these vulnerabilities be countered?
Patches released for Meltdown are expected to reduce CPU performance by about 5 to 30%. Most vendors have already released patches:
- Intel: They have started rolling out software and firmware upgrades. They have not provided more information so far.
- Microsoft: An emergency patch was released on January 3 for Windows 10. This patch will be available on January 9 for Windows 7 and Windows 8.
- Windows Server 2016: KB4056890
- Windows Server 2012 R2: KB4056898
- Windows Server 2008 R2: KB4056897
- Windows Server 2008 and 2012: no patch has been released yet.
- Apple: The latest version, 10.13.2, is already partially patched, but older versions need to be patched.
- VMware: They released a patch called VMSA-2018-0002, available since December 2017.
- Firefox: An update to mitigate these attacks has just been released. The correct version is 57.0.4.
- Android: Google specifies that devices with the latest security update (January 2018) are secured.
- Linux: Linux kernel 4.15 has been patched.
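To confirm on a Linux server that the kernel fixes are actually active, the mitigation state can be read from sysfs. The script below is an added example, not part of the original post or an EASI tool; it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities/` (kernels carrying these fixes do), and the function names `classify` and `check_cpu_vulns` are hypothetical.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation state from Linux sysfs.
# A missing status file means the running kernel predates the fixes, so it
# is reported as "unknown" and treated as a failure.

# classify FILE -> prints mitigated | not-affected | vulnerable | unknown
classify() {
    if [ ! -r "$1" ]; then
        echo unknown
        return
    fi
    # The kernel writes a single line, for example "Mitigation: PTI".
    status=$(head -n 1 "$1")
    case "$status" in
        "Not affected"*) echo not-affected ;;
        "Mitigation"*)   echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [DIR] -> prints one line per CVE; returns 1 if any entry
# is vulnerable or unknown, 0 otherwise. DIR defaults to the live sysfs path
# and can point at a copied directory for offline review.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for pair in "meltdown:CVE-2017-5754" \
                "spectre_v1:CVE-2017-5753" \
                "spectre_v2:CVE-2017-5715"; do
        name="${pair%%:*}"
        cve="${pair##*:}"
        state=$(classify "$dir/$name")
        echo "$cve ($name): $state"
        case "$state" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return "$rc"
}
```

Source the file and call `check_cpu_vulns`; the non-zero return code makes it usable from a monitoring job or a patch-verification run across many servers.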
What about EASI?
We implement the best practices described in our policies to increase our security every day. Thanks to these policies, we have already patched our VMware environment since the release of the VMware patch last December. All of our clients' servers are still isolated from each other, as they should be. We are also testing the released patches for Windows and Linux in our test environments so that we can deploy them to our clients as soon as possible without impacting their core business.
We can help you patch your servers with the latest security patches.
If you need to update your VMware environment, Linux servers or Windows servers, we can help you patch them with the correct security updates.
If you have a Windows Update Server, those security patches will be deployed automatically.
If you are not sure whether the patches are installed correctly everywhere, please contact us and we will check that they are correctly deployed.