Google’s Project Zero has released details of three vulnerabilities that affect Intel, AMD and ARM based systems running any operating system, including the systems underneath all major cloud platforms. Spectre affects processors from all three vendors; Meltdown has so far been confirmed on Intel processors and some ARM cores. The three vulnerabilities may allow an attacker to read areas of the system’s memory where the OS and applications hold passwords and encryption keys.
The vulnerabilities affect every unpatched system, they have multiple attack vectors (native code, code running inside a guest VM and, for Spectre, even JavaScript running in a browser), and if successfully exploited they give an attacker unauthorized read access to the most sensitive parts of a system’s memory. The fact that the only mitigations currently available involve widespread patching of operating systems, hypervisors and CPU firmware makes this one of the worst vulnerability classes discovered to date.
SUMMARY OF THE VULNERABILITIES
Spectre (CVE-2017-5753, variant 1 "bounds check bypass", and CVE-2017-5715, variant 2 "branch target injection")
Meltdown (CVE-2017-5754, variant 3 "rogue data cache load")
These vulnerabilities abuse the speculative and out-of-order execution features of central processing units (CPUs), together with the cache side effects those features leave behind, to break the security isolation between applications and operating system (OS) functions and between applications. An unprivileged attacker can read privileged kernel memory directly (Meltdown), trick a victim process or the kernel into leaking its own memory through a side channel (Spectre) and, in CVE-2017-5715’s case, read memory across the host/guest boundary on virtualised systems.
These privileged areas of memory, normally accessible only to the OS kernel, hold secrets in the clear: passwords, encryption keys and session tokens in use by the system and by applications. Because the Linux kernel maps all physical memory into its own address space, Meltdown can in practice reach the memory of other processes as well.
Mitigations available today for both Spectre and Meltdown require OS patches, which have been published for all supported Windows versions, Apple operating systems and all major Linux distributions. See the links below for patch information from each vendor. Note that the OS-level mitigations for Spectre variant 2 generally depend on updated CPU microcode (delivered as a BIOS/firmware update or as an OS-loaded microcode package) to be fully effective.
Intel has started releasing those microcode updates, and expects that updates for more than 90 percent of the processors it has introduced in the past five years will be available by the end of next week.
CLOUD SERVICES IMPACTS
All cloud providers run on the affected hardware as well. AWS, Google Cloud and Microsoft Azure have already patched the hypervisors and host operating systems in the underlying infrastructure that provides their services, and their platform-as-a-service offerings are patched too.
However, if you use infrastructure as a service, you are responsible for patching the guest OS you run. The provider’s host-side patches stop one tenant from reading another tenant’s (or the host’s) memory; only a patched guest kernel protects your own processes from each other inside the VM.
PERFORMANCE IMPACTS OF PATCHES
There have been reports that the patches for these vulnerabilities cause significant to severe performance degradation on some workloads. These reports are not completely reliable yet, because the impact varies widely with the workload and the underlying hardware. In general the Meltdown mitigation (kernel page-table isolation) costs the most on workloads that make many system calls or context switches, such as databases and network-heavy services, and costs less on CPUs that support PCID. The best advice currently is to complete your own test cycle of these patches on critical workloads such as databases, measuring performance before and after patching on the same hardware.
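To see where the cost comes from before running the full workload tests the paragraph above recommends, a quick microbenchmark of the two operations that kernel page-table isolation slows down (entering the kernel and switching between processes) gives a per-host before/after number. The following is an added example written for this page, not code from the original post or from any vendor; it assumes a POSIX system (it uses os.fork and pipes), and it is not a substitute for testing the real workload.

```python
"""Microbenchmark for the two operations that kernel page-table isolation
(the Meltdown mitigation) makes more expensive: entering the kernel and
switching between processes. Added example, not from the original post.
Assumes a POSIX system (os.fork and os.pipe)."""
import os
import time


def syscall_rate(iterations=200_000):
    """Cheap system calls per second. getppid() does almost no work inside
    the kernel, so the figure is dominated by kernel entry/exit cost, which
    is exactly what page-table isolation adds to (a page-table switch on
    every entry and exit)."""
    start = time.perf_counter()
    for _ in range(iterations):
        os.getppid()
    return iterations / (time.perf_counter() - start)


def context_switch_rate(round_trips=20_000):
    """Pipe ping-pong between a parent and a forked child: each round trip
    forces at least two context switches. Without PCID, page-table
    isolation turns each of those into a full TLB flush."""
    to_child_r, to_child_w = os.pipe()
    to_parent_r, to_parent_w = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: echo one byte back for every byte received, then exit.
        os.close(to_child_w)
        os.close(to_parent_r)
        for _ in range(round_trips):
            os.read(to_child_r, 1)
            os.write(to_parent_w, b"x")
        os._exit(0)
    os.close(to_child_r)
    os.close(to_parent_w)
    start = time.perf_counter()
    for _ in range(round_trips):
        os.write(to_child_w, b"x")
        os.read(to_parent_r, 1)
    elapsed = time.perf_counter() - start
    os.close(to_child_w)
    os.close(to_parent_r)
    os.waitpid(pid, 0)
    return round_trips / elapsed


def run_all():
    """Return both rates. Record the output before and after patching on the
    same host and compare the ratios rather than the absolute numbers."""
    return {"syscalls_per_s": syscall_rate(),
            "context_switches_per_s": context_switch_rate()}


if __name__ == "__main__":
    for name, rate in run_all().items():
        print(f"{name}: {rate:,.0f}")
```

Run it once on an unpatched host (or instance type) and once after the kernel update; a large drop in these two rates predicts a noticeable hit on syscall-heavy workloads, while a small drop (typical on PCID-capable hardware) means the real workload test is unlikely to show much.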
RESPONDING TO SOFTWARE VULNERABILITIES
This advice applies to all software vulnerabilities:
- Your security and operations teams should activate the vulnerability management program to patch your systems against these vulnerabilities.
- This should be treated as an emergency patch and applied as soon as possible. Patches are already available for all major operating systems, and your teams should be planning a test and release cycle for them now.
- Consider a monitoring strategy using a vulnerability management tool to track your organization’s progress in applying the required patches. Tool vendors started releasing dashboards and plugins for these vulnerabilities today. You can use these dashboards to track your progress in patching all of your systems, report that progress clearly to your management teams and search for straggler systems missed by the initial patching cycle.
Also, be prepared for follow-up patches as more information and research becomes available. It’s still very early in these vulnerabilities’ lifecycles and we will see firmware updates from CPU vendors as well as possibly other OS patches for other variants of the exploits.
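The straggler search described above can be automated on Linux hosts using the status files a patched kernel publishes. The following is an added example written for this page, not code from the original post or from any vulnerability management vendor. It assumes the /sys/devices/system/cpu/vulnerabilities interface that Linux 4.15 and the distribution backports of the fixes provide (one file per variant, each holding a line that begins "Not affected", "Vulnerable" or "Mitigation:"); the three-host fleet report inside it is constructed for illustration, not captured from real systems.

```python
"""Classify a Linux host's Spectre/Meltdown patch status from the kernel's
sysfs reports and pick out the stragglers in a fleet. Added example, not
from the original post or any vendor tool.

Kernels carrying the January 2018 fixes expose one file per variant under
/sys/devices/system/cpu/vulnerabilities/. A kernel that predates the fixes
has no such directory, which is itself a finding: that host has not
received a patched kernel yet."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# CVE -> sysfs file name used by the kernel for that variant.
VARIANTS = {
    "CVE-2017-5753": "spectre_v1",
    "CVE-2017-5715": "spectre_v2",
    "CVE-2017-5754": "meltdown",
}


def classify(status_line):
    """Map one sysfs status line to not_affected / mitigated / vulnerable."""
    text = status_line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    # "Vulnerable" and "Vulnerable: <partial mitigation>" both count as open.
    return "vulnerable"


def assess(report):
    """report maps sysfs file name -> status line, or None if the file is
    missing. Returns (overall, per_cve). overall is 'patched' only when every
    variant is not_affected or mitigated; a missing file means the running
    kernel predates the fixes and is reported as 'kernel_unpatched'."""
    per_cve = {}
    for cve, name in VARIANTS.items():
        line = report.get(name)
        per_cve[cve] = "kernel_unpatched" if line is None else classify(line)
    if "kernel_unpatched" in per_cve.values():
        overall = "kernel_unpatched"
    elif "vulnerable" in per_cve.values():
        overall = "vulnerable"
    else:
        overall = "patched"
    return overall, per_cve


def read_local_report(sysfs_dir=SYSFS_DIR):
    """Read the live sysfs files on this host (Linux only; elsewhere every
    entry is None and the host is reported as kernel_unpatched)."""
    report = {}
    for name in VARIANTS.values():
        try:
            report[name] = (Path(sysfs_dir) / name).read_text()
        except OSError:
            report[name] = None
    return report


# Constructed sample reports standing in for three fleet hosts; these were
# not captured from any real system.
SAMPLE_FLEET = {
    "db-01": {"spectre_v1": "Mitigation: __user pointer sanitization\n",
              "spectre_v2": "Mitigation: Full generic retpoline\n",
              "meltdown": "Mitigation: PTI\n"},
    "web-07": {"spectre_v1": "Mitigation: __user pointer sanitization\n",
               "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
               "meltdown": "Mitigation: PTI\n"},
    "legacy-03": {"spectre_v1": None, "spectre_v2": None, "meltdown": None},
}


def stragglers(fleet):
    """Return the hosts that still need work, sorted by name."""
    return sorted(host for host, report in fleet.items()
                  if assess(report)[0] != "patched")


if __name__ == "__main__":
    for host, report in SAMPLE_FLEET.items():
        overall, per_cve = assess(report)
        print(f"{host}: {overall} {per_cve}")
    print("stragglers:", stragglers(SAMPLE_FLEET))
    print("this host:", assess(read_local_report())[0])
```

Collecting the three files from each host over your existing configuration management or SSH tooling and feeding them to assess() gives a patch-status inventory independent of the package versions a scanner reports, which matters because a patched kernel package that has not been rebooted into is still a vulnerable host. On Windows the equivalent check is Microsoft’s SpeculationControl PowerShell module (Get-SpeculationControlSettings).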
PERFORMANCE TUNING AND PATCH MANAGEMENT ASSISTANCE
Working with a trusted technology service provider is one step in the right direction. Pythian can provide services to streamline patching cycles and to automate most of these tasks.
As well, Pythian has performance tuning toolkits and best practices for all major database platforms, and we have developed and implemented cloud service stacks with our customers.
USEFUL SOURCES OF INFORMATION
Google’s Project Zero research:
https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html
Google’s Product and Services mitigation summary:
https://support.google.com/faqs/answer/7622138
Amazon’s Product and Services mitigation summary:
https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
Microsoft’s Azure Product and Services mitigation summary:
https://azure.microsoft.com/en-ca/blog/securing-azure-customers-from-cpu-vulnerability/
PATCH SUMMARIES
Microsoft Windows:
Oracle Linux:
https://linux.oracle.com/cve/CVE-2017-5715.html
https://linux.oracle.com/cve/CVE-2017-5753.html
https://linux.oracle.com/cve/CVE-2017-5754.html
Red Hat & CentOS:
https://access.redhat.com/security/vulnerabilities/speculativeexecution
Amazon Linux AMI:
https://alas.aws.amazon.com/ALAS-2018-939.html
Debian:
https://security-tracker.debian.org/tracker/CVE-2017-5754
https://security-tracker.debian.org/tracker/CVE-2017-5753
https://security-tracker.debian.org/tracker/CVE-2017-5715
Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
VMware:
https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
Apple macOS:
https://support.apple.com/en-ca/HT208331
*Note: The views expressed above are my own and draw on my years of expertise in information technology security.