According to the National Vulnerability Database (https://nvd.nist.gov), both Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) require local user access to exploit. Keep in mind that your greatest level of protection from these, and most other, vulnerabilities comes from following strong security practices, including vetting and limiting user access, limiting physical access, auditing data center security, using only trusted web sites and software sources, not using a web browser directly on your servers (if possible), and ensuring that your anti-virus / malware protection is configured to receive regular updates.
Both vulnerabilities exploit features of the speculative execution optimizations in modern processors. Red Hat and Windows have released initial security patches to address these vulnerabilities, but because the vulnerabilities are within optimization routines, the patches MAY reduce performance under certain workloads. There is currently mixed information on the performance issues, with reports ranging from no measurable impact to performance degradation of up to 30%. We are working hard to understand the potential impact to your environment, and we will keep you posted as the situation develops.
If you do choose to patch your systems at this time, there are a few things you should be aware of:
The main public threats at the moment are privacy and confidentiality concerns in multitenant Infrastructure as a Service (IaaS) environments, where an attacker could potentially attempt to exploit the vulnerability merely by using the service (after likely breaking the Acceptable Use Policy, and likely the law as well). Most dedicated environments are just patching as usual.
Hardware vendors are rushing to implement firmware updates where possible. If you do not have an immediate need to update your firmware, it may be advisable to wait until the firmware updates have been available for a few weeks to ensure there are no unforeseen issues with the updates. This is a risk/reward decision that will vary with your individual needs.
For more information, check out this resource page (https://spectreattack.com/). This resource was created by the researchers who discovered and responsibly disclosed the bugs. As always, the Solutions II team is here to help with this or any IT concerns you may have. You can reach out to us at info@solutions-ii.com, or if you would rather leave the worrying up to the experts, here's some information about Managed IT Services.