Meltdown & Spectre4th January 2018
What Are They?
Since cloud providers (such as AWS, AWS and Google) systems run off affected processors, VM instances running on these servers will also be affected.
Meltdown allows an unprivileged process to access privileged kernel memory. This would allow for privilege escalation. Meltdown affects almost every Intel processor since 1995. It also appears to affect some ARM chips as well.
Working POCs have been developed, so this is a real danger:
Spectre, unlike meltdown, does not allow an unprivileged process to access privileged kernel memory. This would most likely to help a process within a sandbox environment to leak data. This affects almost all current day processors including those from Intel, AMD and ARM.
What Do I Need To Do?
Cloud providers are ready actively patching their servers, so ensure that you follow any communication from your cloud provider.
Ensure that you install any software and OS updates. Windows is currently releasing an emergency patch. Linux has a fix in the kernel, but this may take a few days to reach all the Linux distos. MacOS has already patched the issue (since version 10.13.2).
However there is a negative side affect of a downgraded performance. Figures are any where from a 5% degradation all the way to 30%. The amount of performance hit will vary based on differing scenarios such as how many threads are being used, what application is running (some applications appear to be more affected than others), OS (these figures where based on Linux, there is suspicion that Windows will be less affected), etc.
Unfortunately the only known way to address this issue is via a hardware fix. Thankfully this is harder to exploit than Meltdown.
There are some good summaries and writeups by others:
- The official site for these 2 vulnerabilities: https://meltdownattack.com/
- A technical blog from Google: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
- A good article from the New York Times: https://mobile.nytimes.com/2018/01/03/business/computer-flaws.html
- A good summary at the end of the article: https://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/
- A great summary from Nicole Perloth on Twitter:
1. Apparently I don't know how to thread, so here goes my second attempt at blasting you with critical news on this "Intel Chip problem" which is not an Intel problem but an entire chipmaker design problem that affects virtually all processors on the market.— Nicole Perlroth (@nicoleperlroth) January 3, 2018