Security and Performance: Multiple CPU Vulnerabilities Discovered
Co-Authored by: Aaron Silber, Managing Director – NY Region & Jamie Engelhard, Chief Technology Officer
Updated Links: 1/10/18
Security and performance, Yin and Yang, we seem to always be doing the dance of trying to secure our systems and at the same time make sure that they perform well. In most cases, this balance is one that can be made to work together in beautiful harmony. Unfortunately, there are always those who seek to disrupt this balance so we must be diligent and always keep our guard up against new threats. As we usher in the new year, a very serious disturbance has emerged which may upset that balance for a long time to come.
This week, multiple critical flaws were announced that affect microprocessors ranging from server-class CPUs to mobile device chips going all the way back to 1995! At first glance the descriptions of these flaws, being called Meltdown and Spectre, read like a very typical security alert and start something like this: “A vulnerability has been discovered which could allow an attacker to gain unauthorized…” But the big difference with these vulnerabilities is that they affect the microcode burned deep into the hardware which is inaccessible, so a regular patch is not possible. The only possible answer is to either go out and buy a new processor which is not affected by the flaw or come up with a higher-level piece of code which builds a defense against the inherent hardware flaw. In the case of Meltdown, only Intel and certain high-end ARM chips are affected and the industry has scrambled and managed to work up “defenses” and “mitigations” which are software based and will protect against exploitation, but come at a potentially significant performance cost. Spectre is a much broader and more fundamental exploit which takes advantage of certain low-level instructions which exist in countless pieces of software. And Spectre affects every Intel, AMD, and ARM processor on the market as well as many other low-level system chips that use these same instructions. Because of the way Spectre works, there will not be a single software patch but many smaller fixes will be required to address virtually every piece of code that exposes the vulnerability. While patches will quickly start to become available, the underlying vulnerability exploited by Spectre will probably be with us for years and there is no way to know for sure when all exploits have been addressed.
The ramifications of these vulnerabilities are going to be very disruptive. At the very least, in order to apply any of the updates to correct the issue will require a reboot of the affected systems. Think about your own datacenter and how many servers this might affect, add in virtualization and how many servers are running on affected hosts and the numbers of at-risk servers quickly adds up to hundreds, sometimes thousands in many datacenters. Now think about cloud providers, e.g. Azure, AWS, Google, etc. with potentially millions of servers and your head quickly starts to spin. If this was not bad enough early reports are showing that the software fix can reduce system performance by as much as 30%!
If you are thinking that this probably does not affect you and you can take a wait and see approach, please be aware that the Spectre flaw allows applications to extract information from other applications running on the same system – think passwords, Javascript, cookies, etc. And again, this is across servers as well as desktops, laptops, mobile devices, and even smart devices like TVs, thermostats, and smoke detectors!
If all of this is not enough to put you on edge, here is a final note: an administrative user on a guest VM could gain access to the host processor and read the kernel memory thereby gaining access to all the VM data running on that host. Intel has released a tool to check if your processor is affected by the bug, and we encourage everyone to download and run the tool as soon as possible.
Below is a list of links to get started with, but we strongly recommend contacting all your major software vendors for specific information and remediation options.
Intel check if your processor is affected: https://downloadcenter.intel.com/download/27150?v=t
VMware Updates: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
NetApp: https://security.netapp.com/advisory/ntap-20180104-0001/
Citrix Product Stack: https://support.citrix.com/article/CTX231399
Citrix XenServer: https://support.citrix.com/article/CTX231390
Nutanix AOS/AHV: http://download.nutanix.com/alerts/Security-Advisory_0007_v2.pdf
Nutanix AHV – The AHV fix for AOS versions 5.0.x and 5.1.x is applied to AHV version 20160925.103 which is available standalone on the Nutanix support portal, and will be bundled with upcoming AOS versions 5.0.5 and 5.1.4 respectively. The AHV fix for AOS version 5.5.x is applied to AHV version 20170830.85, which is available standalone on the Nutanix support portal, and will be bundled with upcoming AOS version 5.5.1. Please refer KB#5104 for more information about the AHV patches and configuration options.
Duo: https://www.helient.com/wp-content/uploads/2018/01/DUO-Security-Awareness.pdf
Microsoft Windows 10 out-of-band update to address Meltdown: https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
Microsoft SQL: https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server
Microsoft warning about Meltdown patch incompatibility with certain anti-virus software: https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released
Current status of compatibility from many different vendor’s Anti-virus solutions: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0
Additional information on the nature of the flaws themselves:
https://www.theverge.com/2018/1/4/16848976/how-to-protect-windows-pc-meltdown-security-flaw
Please contact Helient for more information and to put together a plan to protect your environment. We will continue to monitor this situation closely and update this blog posting with any relevant information as it becomes available.
Stay safe!
Aaron and Jamie