As you’ve probably already noticed a few highly dangerous CPU vulnerabilities have been released that effect the CPU at a hardware level. Since this is base off the hardware itself all operating systems (Windows, Linux, Android, macOS) need to protect against it. This means patching their operating systems to mitigate against the threats that the Intel CPU’s have introduced. Now before you run out and grab the latest patch from the OS vendors be warned. There’s a possibility that this could actually cause negative performance on your system and include system crashes.
What’s actually happening with these vulnerabilities?
Well, the Spectre vulnerability allows an exploit which in theory allows an attacker to access the operating system kernel memory due to how it uses, “speculative execution” which is used for systems to gain better performance by doing things like prefetching memory and files, etc. Due to this hole attackers would be able to access protected memory in the kernel that could give them access to sensitive data like keys, passwords, or anything it’s currently accessing. That’s not cool.
With Meltdown we’re seeing the OS vendors pushing out their patches to remediate it now. What it does is allow the isolation between user applications and operating systems to break down. This leaves open privileged level escalation attacks that can allow for attackers to have a wide variety of attacks. There are already proof of concept attacks available for this exploit and mainly effects Intel chips. With the patching updates coming out for this vulnerability there’s a major concern that it will degrade performance on the CPU. Reports are that the patch can have a 5% impact to CPU right away due to attempting to isolate the memory, but that due to workload on the system could go much higher. This means that servers could be hit much harder. We’ve seen reports of up to 30%, but it’s on a hardware and workload basis.
Interference with Antivirus
Validate with your antivirus manufacturer that the patch won’t interfere with the way the antivirus works with the operating system. There have been some antivirus providers that were causing bluescreens on Microsoft devices due to the way they were working with the kernel. All the vendors need to update a particular registry key in order for the patch to run and mitigate the exploit on the chip. It’s recommended to not test these patches in production and to have them setup on servers and workstation in a test or QA environment to reduce the risk of failure or performance issues.
Is the Cloud effected?
Another concern that comes out of these vulnerabilities is how cloud providers, like Google, Microsoft and AWS, are affected by this vulnerability. These providers all host and segment multiple servers and originations on their hardware and logically have them separated via software they’re running on top of the hardware. With these vulnerabilities it sounds theoretically possible that attackers could pass through one tenant to another co-hosted tenant running on the same hardware. All the major cloud providers are taking this threat extremely serious and have confirmed they’re deploying the patch to prevent any such issues from occurring. There isn’t any hard evidence yet to confirm that this is a possibility, but they’re all taking precautions to prevent it in case additional attacks surface over the next couple weeks and months.
Going Forward
Our advice right now is to patch what you can, but first validate that it won’t cause outages in doing so. Also, contact any cloud provider, yes this means SaaS and PaaS providers, as well, to determine how they’re protecting your data on their systems. Also, for more information on the vulnerabilities, please take a look at the following released documentation. (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754).
Author Bio: Matthew Pascucci is a Security Architect, Privacy Advocate, Security Blogger, and is the Cybersecurity Practice Manager at CCSI. He holds multiple information security certificates and has had the opportunity to write and speak about cybersecurity for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email mpascucci@ccsinet.com.