— by Brandon Jackson, Jennifer Lugo, Jason Owens and Jesse Wiener
There has been a lot of information published over the last few days regarding what some initially reported as a security issue with Intel CPUs. As more research and information have become available, some of the details announced early on appear to have been inaccurate.
The vulnerabilities allow an attacker to read memory that should be off limits to them, including privileged kernel memory, by exploiting speculative and out-of-order execution: the performance features that let a processor run instructions ahead of knowing whether they are actually permitted, and then discard the results. The issues affect AMD and ARM as well as Intel processors, although not equally. This is not an Intel-only issue; statements published by Intel and then by Google confirm this. Intel processors going back well over a decade are affected: the researchers who published Meltdown state that every Intel processor implementing out-of-order execution since 1995, other than Itanium and Atom processors before 2013, is potentially affected.
ARM has indicated that some of its processors (a number of Cortex-A cores) are affected. According to a ZDNet article, an AMD rep was quoted as stating the threat differs by microprocessor company and that because of AMD’s architecture, the company believes there is a near-zero risk to AMD processors. AMD’s own published breakdown is more specific: it says its processors are not affected by Meltdown (Variant 3), are affected by the first Spectre variant and rely on operating system patches for it, and face near-zero risk from the second Spectre variant. Regardless, the patches being released by software vendors apply to the products of all three microprocessor companies.
The Vulnerability Explained
The vulnerabilities are in the processors themselves, in the speculative and out-of-order execution logic that sits below the operating system, so no software bug is required. They are a threat because they let one process read data belonging to another process, or to the kernel, such as passwords, keys and other secrets held in memory. The data is not read directly: the processor speculatively executes an access it should not, discards the result, but leaves a trace in the CPU cache that the attacker measures through timing. This is why the issues are described as a “side channel attack.” It is especially concerning for highly virtualized or multi-tenant cloud environments, where systems belonging to different customers run on the same CPUs.
One issue is being referred to as “Meltdown” and relates to CVE-2017-5754. It is called Meltdown because it “melts” the security boundary between user applications and the operating system, letting an unprivileged process read kernel memory (and, through the kernel’s mappings, much of physical memory). Meltdown affects Intel processors broadly; AMD states its processors are not affected by this variant.
The other issue is being referred to as “Spectre.” It covers two variants, CVE-2017-5753 (bounds check bypass) and CVE-2017-5715 (branch target injection), and works differently from Meltdown: rather than reading kernel memory outright, it trains the processor’s branch predictor so that a victim program speculatively executes code that leaks the victim’s own secrets through the cache. Spectre is potentially more dangerous because it is harder to mitigate; there is no single kernel change that closes it, and fixes are spread across compilers, operating systems, browsers and firmware/microcode. At this time it also appears to be harder to exploit.
What to Do
Apply vendor patches as they are released: operating system and hypervisor updates, firmware/microcode updates from the hardware vendor, and browser updates (browsers matter because Spectre can be exploited from JavaScript, which browser vendors addressed by reducing timer precision and disabling SharedArrayBuffer). Most organizations will also have IoT, industrial, medical, legacy or other devices that will never receive updates. For those, a properly segmented network design/roadmap is the compensating control: place vulnerable devices in network zones (behind firewalls or controlled via ACLs) where their access can be limited and continuously monitored, which both reduces what an attacker can reach from them and limits the damage they could cause. Keep in mind that segmentation does not remove the vulnerability. Meltdown and Spectre are exploited by code already running on the device, so the priority for unpatchable systems is preventing untrusted code, including untrusted web content, from running on them.
Potential Performance Issues
Some of the conversation around these issues has concerned a potential performance hit from applying the fixes. The immediate fix for Meltdown is kernel Page Table Isolation (KPTI, often just PTI), which stops mapping kernel memory into the address space of user processes; the cost is extra work on every transition between user and kernel mode (system calls, interrupts), so system-call-heavy workloads such as databases and heavy I/O pay the most, while compute-bound workloads pay little. Intel is denying reports of a huge performance dip, and research indicates that only certain workloads see a significant impact. VMware, Amazon and Red Hat have all stated that many workloads and systems will hardly be affected at all. Actual impact is still being measured and varies with both the hardware (processors with PCID support reduce the cost of PTI) and the tasks being performed.
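Before worrying about the performance cost, confirm that the mitigation is actually in place. The following added example is not code from the original article or from any vendor; it reads the per-issue status files that Linux 4.15 (and distribution backports) expose under /sys/devices/system/cpu/vulnerabilities, falls back to the pti flag in /proc/cpuinfo for older kernels, and builds two constructed sample trees so the checker can be exercised offline. The sample status strings are constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original article or from any vendor:
# report Meltdown/Spectre mitigation status on a Linux host.
# Linux 4.15 (and distribution backports) exposes one file per issue under
#   /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}
# reading "Not affected", "Vulnerable[: detail]" or "Mitigation: <name>";
# for meltdown, "Mitigation: PTI" means kernel page-table isolation is on.
# Every function takes its input path as a parameter so the checker can be
# run against a constructed directory as well as the live sysfs tree.

# Classify one sysfs vulnerability file. Prints one of
#   mitigated | not_affected | vulnerable | unknown
# (unknown = file missing or unrecognised text) and always returns 0.
classify_file() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo unknown
        return 0
    fi
    status=$(cat "$file")
    case "$status" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Summarise a vulnerabilities directory, one line per issue.
# Returns 0 if nothing is still vulnerable, 1 if any issue reads
# "Vulnerable", 2 if the directory is absent (pre-4.15 kernel without the
# interface; use pti_flag_present below as a fallback for Meltdown).
check_dir() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no sysfs vulnerability interface at $dir"
        return 2
    fi
    worst=0
    for issue in meltdown spectre_v1 spectre_v2; do
        state=$(classify_file "$dir/$issue")
        printf '%-10s %-13s %s\n' "$issue" "$state" \
            "$(cat "$dir/$issue" 2>/dev/null)"
        if [ "$state" = vulnerable ]; then worst=1; fi
    done
    return $worst
}

# Fallback for kernels that predate the sysfs files: a KPTI-enabled kernel
# advertises the synthetic "pti" flag in /proc/cpuinfo. Returns grep's
# status (0 = flag present).
pti_flag_present() {
    grep -qw pti "${1:-/proc/cpuinfo}"
}

# Build a constructed sample tree (not captured from a real host) so the
# checker can be run offline: $1 = target dir, $2 = patched | unpatched.
make_sample_tree() {
    mkdir -p "$1"
    if [ "$2" = patched ]; then
        echo 'Mitigation: PTI'                            > "$1/meltdown"
        echo 'Mitigation: __user pointer sanitization'   > "$1/spectre_v1"
        echo 'Mitigation: Full generic retpoline'        > "$1/spectre_v2"
    else
        echo 'Vulnerable'                                > "$1/meltdown"
        echo 'Vulnerable'                                > "$1/spectre_v1"
        echo 'Vulnerable: Minimal generic ASM retpoline' > "$1/spectre_v2"
    fi
}

# Demo: the two constructed trees, then the live host. `|| true` keeps a
# non-zero checker status from aborting the demo under `set -e`; drop it
# when the exit status is used to gate a deployment step.
demo=$(mktemp -d)
make_sample_tree "$demo/patched" patched
make_sample_tree "$demo/unpatched" unpatched
echo '--- constructed: patched';   check_dir "$demo/patched"   || true
echo '--- constructed: unpatched'; check_dir "$demo/unpatched" || true
echo '--- live host';              check_dir                   || true
rm -rf "$demo"
```

Run it with no argument on a freshly patched host and expect three mitigated lines; a reading of "Vulnerable" after a kernel update usually means the new kernel is installed but the machine has not rebooted into it. On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which reports both the operating system support and whether the required firmware/microcode update is present.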
Vendor Press Releases and Advisories
The following links and documents are official statements from the various technology vendors and CDW partners:
- Intel Security Bulletin
- Intel summary Newsroom Article (contains links to other Intel press releases)
- Microsoft Security Advisory
- Windows Server Support Advisory
- Microsoft Cloud Protection Statement
- Windows and Devices Guidance
- VMware Security Advisory
- VMware KB: Virtual Appliances and Meltdown/Spectre
- VMware Security Blog Post