The new year starts with a fairly nasty security disclosure
Bugs were discovered last year in most modern CPUs that can be used to read kernel memory from an unprivileged process (Meltdown) or to read arbitrary memory belonging to other processes in userspace (Spectre). Now don't panic dear hitchhikers, security patches are rolling out for most operating systems, and you should probably install them.
Here are the currently known vulnerabilities:
- CVE-2017-5753 - Variant 1: bounds check bypass (Spectre)
- CVE-2017-5715 - Variant 2: branch target injection (Spectre)
- CVE-2017-5754 - Variant 3: rogue data cache load (Meltdown)
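To make Variant 1 concrete, here is an added example (not code from the original post or from the disclosure papers) of the bounds-check-bypass gadget next to the branch-free index masking that the Linux kernel adopted as array_index_nospec(). The arrays, sizes and function names are constructed for illustration; the cache-timing side of the attack is not reproduced, the point is what index feeds the dependent load on a mispredicted branch.

```c
/*
 * Added example, not from the original post: Spectre Variant 1 gadget
 * (vulnerable form) beside an index-masked hardened form. Data and names
 * are constructed for illustration. Build: cc -O2 -o v1 v1.c
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CACHE_LINE 512  /* stride so each possible byte value maps to its own cache line */

/* Constructed data: a small array the caller is allowed to index... */
static const uint8_t array1[16] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static const size_t array1_size = sizeof array1;
/* ...and the probe array whose cache state would encode whatever byte was read. */
static uint8_t array2[256 * CACHE_LINE];

/* Fill array2 so that array2[b * CACHE_LINE] == b. The functions below then
 * return the byte they touched, instead of relying on cache timing to recover it. */
void init_array2(void)
{
    for (size_t i = 0; i < sizeof array2; i++)
        array2[i] = (uint8_t)(i / CACHE_LINE);
}

/* Variant 1 gadget as published: architecturally the bounds check holds, but a
 * mispredicted branch lets the CPU read array1[x] for x >= array1_size and pull
 * array2[secret * CACHE_LINE] into cache before the check is resolved. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < array1_size)
        return array2[array1[x] * CACHE_LINE];
    return 0;
}

/* Generic form of the kernel's array_index_mask_nospec(): ~0 when index < size,
 * 0 otherwise. Pure arithmetic, no branch, so it holds on the speculative path
 * too. Requires size <= LONG_MAX. */
unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * 8 - 1);
}

/* The index that reaches the dependent loads while the branch is still being
 * speculated: unmasked, an out-of-range x is used as-is; masked, it becomes 0. */
size_t speculative_index_unmasked(size_t x) { return x; }
size_t speculative_index_masked(size_t x)
{
    return x & index_mask_nospec(x, array1_size);
}

/* Hardened gadget: same architectural result, but misprediction can only replay
 * an in-bounds access because the index is clamped before array1 is touched. */
uint8_t victim_hardened(size_t x)
{
    if (x < array1_size) {
        x = speculative_index_masked(x);
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

int main(void)
{
    init_array2();
    size_t probe = array1_size + 40;  /* attacker-chosen out-of-range offset */
    printf("in-range x=5: vulnerable=%u hardened=%u\n",
           (unsigned)victim_vulnerable(5), (unsigned)victim_hardened(5));
    printf("speculative index for x=%zu: unmasked=%zu masked=%zu\n",
           probe, speculative_index_unmasked(probe), speculative_index_masked(probe));
    return 0;
}
```

The mask is the whole mitigation: `victim_hardened` computes exactly what `victim_vulnerable` does for every valid `x`, but an out-of-range `x` is forced to 0 by arithmetic rather than by a branch the front end may guess wrong. Compilers and the kernel also use an `lfence` after the check on x86; masking is preferred where the serialising instruction would be too costly.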
The official disclosure pages (meltdownattack.com and spectreattack.com both lead to the same site) are fairly complete, with the technical papers available for download. Linux distributions will likely start backporting the kernel page table isolation (KPTI) feature to mitigate the most serious of the three, Meltdown.
Major operating system vendors have produced security advisories and provided additional details:
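Once the backported kernels land, the practical question is whether a given host actually has the mitigations active. Kernels from 4.15 onward, and the distribution backports, expose one status file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2). The following is an added example, not from the original post: it reads and classifies those files. The function names and the sample strings are our own, the strings mirroring the "Not affected" / "Mitigation: ..." / "Vulnerable..." forms the kernel prints.

```c
/*
 * Added example, not from the original post: classify the per-vulnerability
 * status files under /sys/devices/system/cpu/vulnerabilities/. Names and
 * sample lines are constructed. Build: cc -o vulnstat vulnstat.c
 */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

enum vuln_status { STATUS_UNKNOWN, STATUS_NOT_AFFECTED, STATUS_MITIGATED, STATUS_VULNERABLE };

/* Files to inspect; the kernel names them after the issue, not the CVE. */
const char *const vuln_files[] = { "meltdown", "spectre_v1", "spectre_v2" };
const size_t vuln_file_count = sizeof vuln_files / sizeof vuln_files[0];

const char *status_name(enum vuln_status s)
{
    switch (s) {
    case STATUS_NOT_AFFECTED: return "not affected";
    case STATUS_MITIGATED:    return "mitigated";
    case STATUS_VULNERABLE:   return "VULNERABLE";
    default:                  return "unknown (no sysfs entry: kernel predates the interface)";
    }
}

/* Classify one line as read from a sysfs file. A NULL line (missing file) is
 * unknown, which a practitioner should treat the same as unpatched. */
enum vuln_status classify_status(const char *line)
{
    if (line == NULL)                          return STATUS_UNKNOWN;
    if (strncmp(line, "Not affected", 12) == 0) return STATUS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return STATUS_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return STATUS_VULNERABLE;
    return STATUS_UNKNOWN;
}

/* Read <sysfs_dir>/<name> and classify its first line. */
enum vuln_status read_vuln_status(const char *sysfs_dir, const char *name)
{
    char path[512], line[256];
    snprintf(path, sizeof path, "%s/%s", sysfs_dir, name);
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return STATUS_UNKNOWN;
    char *got = fgets(line, sizeof line, f);
    fclose(f);
    return classify_status(got);
}

/* 1 only if every listed issue reads as mitigated or not affected. */
int all_mitigated(const char *sysfs_dir, const char *const *names, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        enum vuln_status s = read_vuln_status(sysfs_dir, names[i]);
        if (s != STATUS_MITIGATED && s != STATUS_NOT_AFFECTED)
            return 0;
    }
    return 1;
}

int main(void)
{
    const char *dir = "/sys/devices/system/cpu/vulnerabilities";

    /* Constructed sample lines, in the form the kernel prints, so the classifier
     * can be exercised on a machine that lacks the sysfs interface. */
    static const char *const samples[] = {
        "Mitigation: PTI", "Vulnerable", "Vulnerable: Minimal generic ASM retpoline", "Not affected"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %-45s -> %s\n", samples[i], status_name(classify_status(samples[i])));

    for (size_t i = 0; i < vuln_file_count; i++)
        printf("%-10s -> %s\n", vuln_files[i], status_name(read_vuln_status(dir, vuln_files[i])));
    printf("host fully mitigated: %s\n", all_mitigated(dir, vuln_files, vuln_file_count) ? "yes" : "no");
    return 0;
}
```

On an x86 kernel carrying KPTI the same information shows up as a `pti` entry in the flags line of /proc/cpuinfo and as "Kernel/User page tables isolation: enabled" in the boot log (dmesg). Absence of the sysfs directory means the running kernel predates the fixes, and the only safe reading of that is "not patched".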
- Amazon Linux - ALAS-2018-939
- CentOS - CESA-2018:0007
- Debian - DSA 4078-1
- Microsoft - ADV180002
- Red Hat - RHSA-2018:0007
- Red Hat - RHSA-2018:0012
- Red Hat - Knowledge Base - Speculative Execution Exploit Performance Impacts
- Red Hat - Vulnerability Responses - Kernel Side-Channel Attacks
- Ubuntu - Security Team - SpectreAndMeltdown
- VMware - VMSA-2018-0002
For those interested in more in-depth information, there are already great articles available on python sweetness and on LWN.net (about KAISER and about KPTI). Another LWN.net article by Jonathan Corbet covers each vulnerability with detailed examples.
Cloud computing makes this issue more serious, since exploiting Meltdown could potentially leak host-reserved data to a guest virtual machine. Google says that the infrastructure it is responsible for under the shared responsibility model already implements the latest security fixes. Thanks to its live migration capability, Google will not force a maintenance window on its customers and no virtual machines will have to be restarted (reference here). Amazon has not updated its advisory since January 3, 14:45 PST (link), but paravirtual Xen-based EC2 instances might need to be restarted to get the latest security fixes onto the underlying hosts. Microsoft Azure says that the majority of its infrastructure was updated in the past weeks to address the vulnerability (link).
The disclosure was accompanied by a video demonstrating the Meltdown attack on a Linux machine.
Obviously there is a lot of drama and finger-pointing going on right now, since this disclosure has an impact on the entire industry. Just look at the responses from Intel and AMD.
Canonical has also produced a good summary of the vulnerabilities (here).
Additional references:
- meltdownattack.com and spectreattack.com
- Reading privileged memory with a side-channel, Jann Horn, Project Zero
- Notes from the Intelpocalypse, Jonathan Corbet
- The mysterious case of the Linux Page Table Isolation patches, python sweetness
- Today's CPU vulnerability: what you need to know, Matt Linton and Pat Parseghian
- KAISER: hiding the kernel from user space, Jonathan Corbet
- The current state of kernel page-table isolation, Jonathan Corbet
- Processor Speculative Execution Research Disclosure, Amazon Web Services Security Bulletin AWS-2018-013
- GCP - Security Bulletins, Google Cloud Platform
- GCP - Live Migration, Google Cloud Platform
- What Google Cloud, G Suite and Chrome customers need to know about the industry-wide CPU vulnerability