Cloud Security Alert: Meltdown and Spectre
You may have heard the news this week that the Meltdown and Spectre CPU flaws expose modern systems to risk and affect users of public cloud services as well as those operating their own private clouds. Meltdown is largely specific to Intel processors, while Spectre affects processors from Intel, AMD and ARM alike. The flaws were discovered by security researchers on Google’s Project Zero team and, independently, by academic and industry researchers from several countries.
What You Need to Know
According to the researchers who found the flaws, Intel CPUs dating as far back as 1995 are affected. The issues may affect virtually every modern computer, including smartphones, tablets, and PCs from all vendors and running almost any operating system.
The specific issues are tracked in the Common Vulnerabilities and Exposures (CVE) database:
- CVE-2017-5753: Spectre variant 1, bounds check bypass
- CVE-2017-5715: Spectre variant 2, branch target injection
- CVE-2017-5754: Meltdown (variant 3), rogue data cache load
The good news is that Meltdown can be closed by the operating system alone: kernel page-table isolation (KPTI) patches, which unmap kernel memory from user-space address spaces, are already shipping from Amazon, Microsoft, Google, Apple and the Linux distributions. Spectre is harder. Its mitigations combine OS patches, recompiled software (for example retpolines and bounds-check hardening), browser updates and CPU microcode updates from the chip vendors, and they close specific attack variants rather than the underlying behaviour, so expect further rounds of patching. Meltdown and Spectre affect essentially all modern Intel processors; AMD processors are affected by Spectre but not by Meltdown. Intel has developed and is rapidly issuing microcode and software updates for all types of Intel-based systems to protect them against Meltdown and Spectre exploits. Below is a high-level summary of key differences and similarities between the Meltdown and Spectre vulnerabilities:
| | Meltdown | Spectre |
|---|---|---|
| Affected CPUs | Intel | Intel, ARM, AMD |
| Mechanism | Privilege escalation and speculative execution | Branch prediction and speculative execution |
| Impact | Read kernel memory from user space | Read contents of memory from other users’ running programs |
| Remediation | Kernel software patch | Additional levels of software patching |
What the Cloud Providers Are Doing
Amazon Web Services
Amazon Web Services (AWS) has patched the hosts that run EC2 instances, which protects your instances from other customers’ instances sharing the same hardware. That host-level patch does not protect code inside your instance from other code inside the same instance: in an unpatched guest, an unprivileged process can still read your guest kernel’s memory and other processes’ secrets. As an AWS customer, you still need to patch and reboot your instances’ operating systems. AWS has provided more detail here.
Microsoft Azure
Microsoft said that the majority of Azure infrastructure has been updated to address these vulnerabilities, and that many of its customers have already rebooted their VMs to pick up the fix. The Azure infrastructure update addresses the disclosed vulnerabilities at the hypervisor level; it does not patch the guest operating system, so Azure customers should consult their OS vendors for the specific updates and instructions needed to patch the OS inside each VM. See more detail from Microsoft Azure here.
Google Cloud Platform
After Google’s Project Zero team discovered the CPU vulnerability last year, the company’s security and product development teams mobilized to defend Google’s systems and its users’ data. The Google Security Blog has an excellent write-up of the steps Google has taken both in terms of responsible disclosure and remediation. The article also includes links to information on the steps that users of Google Compute Engine, Google Kubernetes Engine, and other Google cloud services should take to further protect themselves.
IBM
IBM reports that it is working with its customers and industry partners on this issue and will be making patches available via its normal customer portals. The company emphasizes that there are no known cases where this vulnerability has been used maliciously on its platform. See more detail from IBM here.
How RightScale Is Protecting You and What We Recommend That You Do
We have applied OS-level patches to the RightScale platform to ensure that our customers’ data is not susceptible to Meltdown or Spectre attacks. As new information becomes available, we will continue to review and provide updates.
We strongly recommend that RightScale customers patch the operating systems of their own instances across their public and private cloud environments. The guest OS patch is what restores isolation between processes running inside the same instance, and between those processes and the guest kernel; the cloud provider’s hypervisor patch does not do this for you.
Patching Guidelines and Recommendations:
- Expect some performance impact after you apply the patches. Google reported that the early concerns were exaggerated and that it had found “negligible impact on performance” in its own infrastructure. The cost is not uniform, however: kernel page-table isolation adds overhead to every system call and interrupt, so workloads that cross the user/kernel boundary often (databases, network proxies, I/O-heavy services) pay more than CPU-bound ones. Monitor performance after patching.
- You may need to resize your instance to absorb the performance hit if one occurs; how large it is depends on the type of application or workload running on the system.
- For private cloud environments, patch both the hypervisor host and the virtual machines or instances running on it. The host patch protects against a guest reading the hypervisor’s or another guest’s memory (VM-to-VM leaks); the guest patch protects processes inside a VM from each other and from reading that VM’s kernel memory (application-to-application leaks). Both are needed, and both require a reboot to take effect.
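As an added check (not part of the original RightScale post), the script below asks the running Linux kernel whether its Meltdown, Spectre variant 1 and Spectre variant 2 mitigations are active, which is the quickest way to confirm that a patched instance or private-cloud host actually booted into the fixed kernel. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (Linux 4.15 and vendor kernels that backported the interface); on an older kernel the files are absent and the script reports “unknown” rather than claiming the system is safe. The VULN_DIR override and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the RightScale post: ask the running Linux kernel
# whether its Meltdown/Spectre mitigations are active.
# Assumes /sys/devices/system/cpu/vulnerabilities/ exists (Linux 4.15+ or a
# vendor kernel with the interface backported). VULN_DIR can be overridden
# so the functions can be exercised against constructed status files.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map one sysfs status string to a verdict. The kernel writes strings such as
# "Not affected", "Mitigation: PTI", "Mitigation: Full generic retpoline" or
# "Vulnerable" (sometimes with a suffix describing a partial measure).
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print the raw status for one vulnerability. A missing file means the kernel
# predates the reporting interface; the placeholder classifies as "unknown",
# never as patched.
read_status() {
    file="$VULN_DIR/$1"
    if [ -r "$file" ]; then
        cat "$file"
    else
        echo "(not reported by this kernel)"
    fi
}

# Report all three variants and return 0 only if every one is mitigated,
# so the script can gate a deployment or feed a monitoring check.
check_all() {
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        status=$(read_status "$v")
        verdict=$(classify_status "$status")
        printf '%-10s %-10s %s\n' "$v" "$verdict" "$status"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

# Run the report only when executed as a script, not when sourced for its functions.
case "${0##*/}" in
    check_cpu_mitigations.sh) check_all ;;
esac
```

Save it as check_cpu_mitigations.sh and run it on each instance and, for private clouds, on each hypervisor host after the reboot; a non-zero exit means at least one variant is reported as vulnerable or cannot be determined. The verdict is the kernel’s own assessment of what it booted with, so it will not tell you about a pending microcode update or an unpatched browser.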
Contact your RightScale account manager or RightScale Support if you need assistance with applying patches and updates to your environments. We will be closely monitoring this situation and will post additional details on the RightScale Blog as more information becomes available.