Like all IT industry players, PLEGMA has been informed of security vulnerabilities in x86-64 processors, which were exposed by security researchers. These vulnerabilities make it possible to carry out, on a large scale, a type of attack (side-channel attacks) that up until now has been infrequent due to the complexity of implementation.

These vulnerabilities, made public on the night of 3rd-4th January by Google's Project Zero, are now known as Meltdown and Spectre and include 3 distinct attack vectors:



  • CVE-2017-5715 (branch target injection - Spectre)
  • CVE-2017-5753 (bounds check bypass - Spectre)
  • CVE-2017-5754 (rogue data cache load - Meltdown)


To date, PLEGMA has not received any information demonstrating that the vulnerabilities concerned have been exploited outside of a research laboratory setting. Exploiting them today requires technically complex processes, but there is no doubt that simpler processes will emerge.



Intel, the world leader in microprocessors, has confirmed the existence of these vulnerabilities in its CPUs. With its partners and operating system vendors, the company is working on solutions to reduce the exposure of its chips to these types of attack, via patches to be implemented at several levels:

  • Operating system and Virtual Machine Manager
  • Processor microcode (via BIOS/UEFI)


At PLEGMA, a dedicated team of security experts is fully mobilised. We are in close contact with the main players involved in the implementation of patches, i.e. the main vendors of free operating systems (including GNU/Linux distributions), proprietary operating systems (Microsoft or VMware), and motherboard manufacturers.



Most of these players were warned of vulnerabilities discovered several weeks ago, and were already working on patches while under an embargo. Patches are therefore beginning to be announced and released by various vendors and communities. Our teams are progressively testing patches so that once stability has been assured, updates can be released as quickly as possible. Since the patches make major modifications to the kernel design, the risks of instability are not negligible.



It is still too early to accurately identify the impact of the available patches and the future performance of servers. Furthermore, our internal tests indicate that the potential impact on performance varies greatly depending on workload and running services. In addition, it is likely that the effectiveness of the first available updates will improve over time, mitigating the effects induced by this design change at the kernel level.



Given the unusually short development time of these patches, testing on all market configurations is unlikely, and there is a good chance that more updates will follow, correcting any bugs that may appear. We already know that official patches will only be available, except in exceptional cases, for the versions of kernels and operating systems that are currently maintained (depending on the vendor).



At the same time, we are studying in detail the possible exploitation of the exposed vulnerabilities, so that we can assess risks more accurately and share our recommendations with our customers.



Our teams are also following the development of any corrective measures that need to be taken to protect against potential vulnerabilities in non-Intel processors.



In parallel, we are studying various scenarios for deploying official patches as quickly as possible, while minimising the impact on the availability of your services. Some infrastructures may have to be rebooted in order to update the kernels and firmware affected by the vulnerabilities.



We will inform you as soon as possible of the action plan and related operations. When the time comes, we will provide you with more details about what you need to do next to apply the patches on your physical or virtual machines.

 


Friday, January 5, 2018


