A design flaw present in most modern processors (including Intel, AMD and ARM) enables potential attackers to read areas of system memory that should have been inaccessible. Surely you have already heard and read plenty about Meltdown and Spectre, maybe even updated your computer just in case. But what about your Cloud infrastructure? Do you have to worry about Meltdown and Spectre in the Cloud?
If you have your critical platform in one of the leading Cloud providers (Amazon Web Services, Google Cloud Platform, Microsoft Azure), you might care about how to fix these vulnerabilities and how to ensure the performance of your platform. So do we. So here’s a brief clarification on how are we helping our clients ensuring their infrastructure.
Meltdown and Spectre: what they are
We are facing what may be the most widespread security issue in modern computing history to date. This class of attacks actually consists of 3 vulnerabilities codenamed Meltdown (CVE-2017-5754), Spectre Variant 1 (CVE-2017-5753) and Spectre Variant 2 (CVE-2017-5715). There’s neither a single nor straightforward fix for the three of them.
The technical details are complex but the takeaway concept is “speculative execution”. In this scenario, this basically means that,
in order to improve performance, the CPU can try to guess and execute instructions before it is known whether they should be executed or not.
To sum up, this can lead to leaking sensitive information meant to be kept secret such as passwords, private keys, et cetera. The main requisite: to be able to execute specially crafted code on the targeted system.
Needless to say, the impact is massive. It directly affects the CPU architecture and the memory management of devices of any sort all around the planet, ranging from smartphones and tablets to corporate servers, regardless of the overlaying operating system.
Meltdown and Spectre in the Cloud
In environments where resources are shared among many clients, like public Clouds, this meant that guests could drill down into the underlying host’s physical memory, obtaining data from other clients.
This was initially managed following an industry best practice of responsible disclosure in which a vulnerability is publicly disclosed only after a period of time that allows for the vulnerability to be patched. Major operating systems, hardware and Cloud vendors signed an NDA and agreed upon a public disclosure date, January 9th.
Cloud vendors including Amazon Web Services, Google Cloud Platform and Microsoft Azure scheduled maintenances across their infrastructures and urged their clients to reboot certain resources. Unfortunately, the early and unexpected full disclosure of this issue moved them to speed up this process. In order to safeguard their clients’ security some pending actions had to be forced, causing some disruption.
There are two attack vectors:
- infrastructure-based attacks originated in other guests of the same host
- intra-guest attacks originated in software running in the guest instance
The first attack vector (infrastructure-based) was eliminated once the major public Cloud vendors patched their platform.
Removing the second attack vector (intra-guest) will require Cloud clients to apply operating system and firmware updates, whenever they are released, which will require restarting a significant number of instances.
The fixes will involve outstanding changes to the kernel memory management and may take a toll on CPU performance, probably between 5 % and 30 %, as the latest figures show. This slowdown varies depending on factors like the rate of system calls.
Nevertheless, Spectre Variant 1 attacks are expected to remain unpatched. Luckily, they are complex to exploit and, as previously noted, there is no way to exploit these vulnerabilities without first getting access to the guest instances and being able to run malicious code.
Given the nature of these fixes, there are reports of antivirus compatibility issues that require manual troubleshooting besides other issues that end up showing the frightening Blue Screen of Death (BSOD). Knowing this, creating Windows restore points and snapshots is a good idea in case a rollback is needed.
How can CAPSiDE help?
We pride ourselves on maintaining our clients‘ trust to safeguard their Cloud platforms and we take this responsibility very seriously.
As their reference partner in the Cloud, we guide many of our current clients in their digital transformation and we have helped them implement bulletproof platforms, adopting best practices in terms of availability, security and compliance. It is no surprise we are partners of the three leading public Cloud vendors, AWS, Azure and GCP.
Having a comprehensive Cloud Strategy and thus a platform able to scale and adapt to these inevitable situations is crucial to our clients’ success. As soon as we were aware of the upcoming maintenance activities, we coordinated with our clients in order to take next steps, minimise the impact and work on the troubleshooting when required.
We already patch monthly our clients’ platforms and some instances have an even a faster update track to apply patches just as they are available. We are now focusing on the fixes for Meltdown and Specter vulnerabilities – we know the drill! Our monitoring system will quickly detect any performance impact or other issues that might result from these updates. If any thresholds are breached following the final updates, we will work to remediate where applicable.
If you are one of our clients and have further doubts, please contact our Support team. We’ll be happy to help!