Meltdown and Spectre: 2018 starts with a patch.

Recent news about Meltdown and Spectre, two security bug announced few days ago, sounds like a devastating explosion that could impact a lot of technologies equipment based on Intel, AMD and ARM processors. The wide impact depends on an architectural bug that a lot of processor have since 1995 and could be used to read unauthorized memory areas.

More deeply, Meltdown exploit regards the dynamic architecture which the last Intel processors (except Itanium and Atom) and ARM which are built of. The impact is very simple and in the same time easy to patch, because it violates the memory barrier that permits to unprivileged programs to access to reserved memory. Seems that AMD processors are not affected because they use a different architecture (An official note here: http://www.amd.com/en/corporate/speculative-execution).

Spectre, the other announced vulnerability, forces programs on a user’s operating system to access an arbitrary location in the program’s memory space. This is more difficult to explain in few words becuse it is generated from a side effects of the CPU speculative execution. Anyway, see the official announcement for further information.

There’s an interesting Proof of Concept here https://googleprojectzero.blogspot.it/2018/01/reading-privileged-memory-with-side.html, that demonstrate how could be used these vulnerabilities.

Obviously any hypervisor could be affected due to the execute several operative instances in a no more isolated memory areas. Especially in a Cloud IaaS, the usage of many applications that sometimes are not under security governance, could increase the probability to meet the condition of this vulnerability.

VMware has released a patch for ESXi. Just check here: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html and keep in mind that you could use Update Manager to remediate the whole infrastructure.

Remember that this is a patch that acts as workaround in kernel-space: you should consider some performance degradations as a possible side effect.

   Send article as PDF