Patching your OS to alleviate the latest “Side-Channel CPU” vulnerabilities in Industry Standard CPUs.
Many of Evolving Solutions’ clients are being inundated with emails, theories, and questions regarding the three closely related vulnerabilities involving the abuse of speculative execution in modern CPUs that went public on Tuesday, January 2, 2018. These vulnerabilities have now been named and classified on CVE (cve.mitre.org/):
- CVE-2017-5753: Known as Variant 1, a bounds check bypass
- CVE-2017-5715: Known as Variant 2, branch target injection
- CVE-2017-5754: Known as Variant 3, rogue data cache load
These vulnerabilities are NOT limited to Intel CPUs. AMD, IBM Power Systems and some ARM processors will also need to be addressed.
Operating System and Hypervisor Vendors are releasing patches while Hardware OEMs are scrambling to release their “Official Statements” and guidance. Some OEMs are recommending following the OS / Hypervisor Vendors Guidance, while other are releasing Firmware and / or BIOS updates to be applied along with the OS Patches.
There is a copious amount of information and recommendations that can be found via a web search on the subject, some of it contradictory. Everything from CERT saying you must “throw away” the CPU to assure removal of the exploit possibility to other internet experts saying this is a lot of to do about nothing. Yes, both Chicken Little and Pollyanna are weighing in on this one.
Information is also circulating that the aforementioned patches which separate the kernel’s memory completely from user processes using what’s called Kernel Page Table Isolation, or KPTI will result in some degree of a performance hit.
But what should you do? What is the proper response for your organization?
Evolving Solutions recommends that you follow the Hardware Vendor and OS Vendor’s guidance. Additionally, you should understand the vulnerabilities and any fixes in context to your data center, applications and workloads. It’s important to do your own due diligence and lab or dev environment testing, and have a back out plan. It’s also important for you to make your own decision on roll out schedule in light of your unique security and business requirements.
We are recommending a cautious approach for several reasons:
- The vulnerabilities may have a reduced effect on non-outward facing systems that are properly protected
- The patches have the potential to effect performance and the impacts will likely vary based on workload characteristics.
Included below are links to many of Evolving Solutions’ Partner’s Advisories, Guidance and Patches.
Both the Evolving Solutions technical team and Account Executives are available to provide guidance and help with an approach. Please don’t hesitate to contact them to schedule a conversation or assessment.
Here are some links to help guide you through this:
- Meltdown Academic Paper – https://meltdownattack.com/meltdown.pdf
- Spectre Academic Paper – https://spectreattack.com/spectre.pdf
- Google Project Zero – https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html
- CVE-2017-5753 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
- CVE-2017-5715 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
- CVE-2017-5754 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754
OS and Hypervisor Vendor Security Advisories:
- Intel Security Advisory – https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
- VMware Security Advisory – https://www.vmware.com/security/advisories/VMSA-2018-0002.html
- Microsoft Security Advisory – https://portal.msrc.microsoft.com/en-US/securityguidance/advisory/ADV180002
- Red Hat Advisory – https://access.redhat.com/security/vulnerabilities/speculativeexecution
- SUSE Advisory – https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/
- Nutanix – http://download.nutanix.com/alerts/Security-Advisory_0007_v1.pdf
Hardware Vendor Advisories and Guidance:
- HPe Vulnerability Website – https://www.hpe.com/us/en/services/security-vulnerability.html
- HPe Security Bulletin – https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us
- IBM Power Security Bulletin – https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/
- IBM zSystems Notifications – https://www.ibm.com/it-infrastructure/z/capabilities/system-integrity
- Lenovo Security Advisory – https://support.lenovo.com/us/en/solutions/len-18282
- NetApp Security Advisory – https://security.netapp.com/advisory/ntap-20180104-0001/
- Cisco Security Advisory – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel