A side-channel attack on most modern CPUs was discovered last week, and it impacts most internet services in general. This vulnerability made it to mainstream news sites, which is quite unusual, and has been the subject of some questions from end-users and customers. This blog post is meant to provide some general answers and a probable timeline of patches and mitigations.
The attacks have to do with modern CPU branch prediction and speculative execution features, which are an integral part of modern CPU design and performance. These features can be abused to trick the CPU into returning privileged and protected information, enabling attacks that break virtualisation isolation and expose other private information. This vulnerability is a function of flaws in the CPU hardware, which now need to be worked around in software if possible.
The side-channel attack can be broken down into 3 specific vulnerabilities:
- CVE-2017-5754 (Meltdown): CPU branch prediction data cache leak
- CVE-2017-5753 (Spectre 1): CPU bounds check bypass
- CVE-2017-5715 (Spectre 2): CPU branch target injection
General information on the vulnerability can be found at https://meltdownattack.com/. These attacks can be summarized as local privilege escalation attacks; the attacker needs to be able to execute code on the target machine. This means that in general most server applications are only vulnerable if this attack is combined with existing or new remote code execution vulnerabilities. (The client-side impact of this vulnerability, i.e. on web browsers, is out of scope of this document; talk to your system administrators and install your updates.)
Large cloud infrastructure providers have been rolling out mitigations for their systems, server OEMs (e.g. Dell, Supermicro) are providing microcode updates, and the computer security industry in general has been scrambling to find solutions to these problems. The latest information indicates that #1 (Meltdown) will be fixed with Linux kernel patches, and #3 (Spectre 2) will be fixed in the short term with microcode updates from OEMs and later with a potential addition to the Linux kernel. #2 (Spectre 1) seems hard to exploit, but also hard to patch. Linux kernel updates for Debian-based distributions have been released or are in the process of being released, and will be installed as soon as practically possible.
It is important to note that working out the impact of these vulnerabilities and delivering mitigations and full fixes may take quite a long time, and that more issues related to these vulnerabilities may crop up later. Some of the mitigations and fixes may also come with performance degradation for CPUs and specific workloads on the affected computer systems.
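To confirm what a patched kernel actually reports for each of the three CVEs, the following added example (not part of the original post) reads the status files under /sys/devices/system/cpu/vulnerabilities, an interface present in Linux 4.15 and later and in kernels that backport it. The function names and the VULN_DIR override are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the kernel's own view of Meltdown/Spectre mitigations.
# Assumption: the kernel exposes the sysfs "vulnerabilities" directory.
# VULN_DIR can be overridden to check a copy collected from another host.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify STATUS_STRING -> ok | mitigated | vulnerable | unknown
classify() {
    case "$1" in
        "Not affected"*) echo ok ;;          # CPU is not affected at all
        "Mitigation:"*)  echo mitigated ;;   # e.g. "Mitigation: PTI"
        "Vulnerable"*)   echo vulnerable ;;  # bare or with a reason appended
        *)               echo unknown ;;
    esac
}

# status_of FILE -> classification of one sysfs entry.
# A missing file means the kernel predates the interface, which usually
# also means it predates the fixes, so it is reported as unknown.
status_of() {
    f="$VULN_DIR/$1"
    if [ -r "$f" ]; then
        classify "$(cat "$f")"
    else
        echo unknown
    fi
}

# report: prints "CVE file status" per line; returns non-zero if any entry
# is vulnerable or unknown, so it can gate a patch-compliance check.
report() {
    rc=0
    while read -r cve file; do
        s=$(status_of "$file")
        printf '%s %s %s\n' "$cve" "$file" "$s"
        case "$s" in ok|mitigated) ;; *) rc=1 ;; esac
    done <<EOF
CVE-2017-5754 meltdown
CVE-2017-5753 spectre_v1
CVE-2017-5715 spectre_v2
EOF
    return $rc
}

# Run the report only when invoked as: script.sh --run
if [ "${1:-}" = "--run" ]; then report; fi
```

The status reflects only what the running kernel reports, so it has to be re-checked after a reboot into the updated kernel and after a microcode update.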
The impact to our customers will differ a great deal from customer to customer; we will provide our customers with specifics relevant to their setups in the short term. Customers should of course feel free to send us any questions or comments, and we hope this blog post has been able to answer some of your questions.
This blog post will be updated if anything else important turns up.