Melthdown and Spectre… updates from cyberspace

After some days from the announcement of this vulnerability, some updates coming out from official channels and community blog are providing further information about patches and resolutions, clarifying also where to focus the attention where you don’t need to rush patching.

I’ve already described (or better I linked some resources) the mechanism and the degree of danger where the unauthorized read-only action could cause a data breaches that is really difficult to identify and quantify.

Updates from VMware vSphere

An important update in KB 52085 is showing how to mitigate the vulnerability acting from hypervisor level. In order to enable this feature is important update both CPU microcode (finally available from hardware vendors and Intel) and hypervisor. Before update it’s important also take a look at https://kb.vmware.com/s/article/52345 for resolution of side effect of application of ESXi patch ESXi650-201801402-BG, ESXi600-201801402-BG against Spectre vulnerability. In fact recent sightings are notified by Intel that may affect some of the initial microcode patches that provide the speculative execution control mechanism for a number of Intel Haswell and Broadwell processors. The solution is remove the exposure of speculative-execution for patched OS VM until Intel provides a new micro-code update.

Verifying the issue

There’s a lot of scripts that, running at operative system level, could check if your system is affected to this vulnerability, investigating both hardware and OS level.

I tested the use SpeculationControl Module available for Powershell. The installation is very simple:

Then issue the command:

Here the result of a vulnerable system:

image

Here the official documentation that could let you better understand the results: https://support.microsoft.com/en-in/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell

Source: https://www.powershellgallery.com/packages/SpeculationControl/1.0.4

Automating the check

Obviously the SpeculationControl module could be implemented in a script to gather the situation of the whole data-center workloads. There are two methods:

  1. Automation based on PowerShell (an example well-explained here: https://blogs.technet.microsoft.com/ralphkyttle/2018/01/05/verifying-spectre-meltdown-protections-remotely/ )
  2. Automation based on PowerCLI using Invoke-VMScript Cmdlet with the same mechanism used to gather another vulnerability: https://blog.linoproject.net/tech-tip-how-to-check-windows-patch-against-wannacry-using-powercli/

From vSphere side, the application of patch and/or workaround for “Sightings” is well explained in the Lam’s posts here: https://www.virtuallyghetto.com/2018/01/verify-hypervisor-assisted-guest-mitigation-spectre-patches-using-powercli.html and here https://www.virtuallyghetto.com/2018/01/automating-intel-sighting-remediation-using-powercli-ssh-not-required.html

The state from OS level to cloud level

Ubuntu, after some hesitations, finally has rolled out a patch for 17.10, 16.04LTS, 14.04 LTS and 12.04; to mitigated simply issue

RedHat/CentOS has already provided the patch in a security update (aka “errata”). Check here: https://access.redhat.com/security/vulnerabilities/speculativeexecution

Apple MacOS has provided a patch for Sierra, High Sierra and El Capitan. (https://support.apple.com/en-us/HT208331)

Amazon AWS, Azure and Google infrastructures have been updated.

For knowledge purpose, check this interesting post about performance imapact in Google Cloud Platform (GCP): https://www.blog.google/topics/google-cloud/protecting-our-google-cloud-customers-new-vulnerabilities-without-impacting-performance/

Salva

Salva