As most of you will have heard, two new widespread vulnerabilities were announced this month. The two are distinct, but related and are known as Meltdown and Spectre; Meltdown is also known as CVE-2017-5754 and Spectre by two separate references CVE-2017-5753 and CVE-2017-5715. Both vulnerabilities affect types of microprocessors used in all sorts of devices, from servers to mobile phones. These processors are so widely used that you will almost certainly be affected by it (unless you live out in the woods with no internet, computer or telephone).
These exploits have been demonstrated with real examples by several organisations and individuals including Google and Microsoft. The vulnerabilities were disclosed to hardware manufacturers as early as June 2017 and since then hardware and software vendors have been working to create patches for a co-ordinated public disclosure in January 2018.
Both vulnerabilities take advantage of performance and optimisation techniques used in modern microprocessors to reduce latency know as out-of-order and speculative execution.
Meltdown allows a malicious user to bypass the proceedures designed to prevent access to privileged memory (such as Kernel memory). It does this by exploiting of a side effect of out-of-order execution. Out-of-order execution is used to pre-process instructions and fetch memory ahead of time in order to optimise resource usage within a microprocessor. This means it will often process code and access memory that it does not necessarily need to in order to speed up the execution of a given set of instructions. This was thought to be secure as it discards or commits the output as soon as the program reaches the point where it knows whether or not the particular result is needed. However, there are side effects to this which can be observed, manipulated and ultimately accessed via a "side-channel", namely storing this information in a shared cache which can then be read by an attacker.
Spectre is based on the fact that many modern processors will pre-emptively compute certain instructions that would not normally execute during correct program flow via a similar mechanism known as speculative execution. More specifically a particular type of speculative execution called branch prediction, which tries to predict which path or branch will be taken in a particular set of program logic, for example in an
if statement. It does this to improve performance by computing or fetching information that would normally take extra time to retrieve, caching the result and then checking if it is required later, returning if so or discarding if not. Malicious code can be used to "train" this to behave in a predictable way (i.e. execute a particular branch of an
if statement), then speculatively execute an instruction that will access a victims privileged memory and leak that data into an accessible channel.
If you would like to read more detail on these vulnerabilities, please see links below:
We have patched all of our servers within the Civo Cloud Platform with the latest releases provided, which include the updates to fix both vulnerabilities.
You will also need to update your services in order to keep yourselves and your clients / users safe from these vulnerabilities.
For Centos you should simply run:
After the packages have all installed, you will need to reboot in order for them to take effect.
There are reports of performance hits based on these patches. The amount of impact ranges from negligible to 30%, depending on the type of usage. Unfortunately, there's nothing we can do to reduce this impact and it will be the same industry-wide.