Our Action Plan for Spectre, Variant 2
Earlier this year, the tech world was buzzing about two processor vulnerabilities, Meltdown and Spectre. They affect processors from multiple vendors and can allow ordinary users and programs running in user space to read memory they should never be able to see, including kernel memory. That memory can hold passwords, private keys, certificates, and all other sensitive information a server is handling.
Where Meltdown is a specific attack implementation that abuses out-of-order execution to read kernel memory, Spectre targets speculative execution itself, a technique that virtually every modern CPU relies on. Virtually all devices manufactured in the last 23 years are potentially vulnerable to one or both of these issues. Intel processors are the most susceptible; Meltdown affects some ARM chips as well, while Spectre can potentially be exploited on any processor that speculates. AMD, the second-largest maker of microprocessors for PCs after Intel, is also affected by these CPU flaws. While none of AMD's processors are vulnerable to Meltdown, they are exposed to Spectre Variant 1 (CVE-2017-5753) and Spectre Variant 2 (CVE-2017-5715).
Protection all the Way!
First, a bit of a primer. There are in fact three distinct vulnerabilities: one Meltdown and two variants of Spectre. Variant 1 and Variant 2 are Spectre; the Variant 3 attack is classified as Meltdown and does not impact AMD CPUs.
- Variant 1: bounds check bypass (CVE-2017-5753), (Spectre)
- Variant 2: branch target injection (CVE-2017-5715), (Spectre)
- Variant 3: rogue data cache load (CVE-2017-5754), (Meltdown)
There's no single fix for all three attack variants; each must be mitigated separately. The vulnerabilities are addressed in part by OS-specific kernel updates, but updates are not yet available for every operating system. Affected systems also require firmware (CPU microcode) updates, because the microcode supplies the new branch-control features that the patched kernel uses against Variant 2.
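Since both a kernel update and a microcode update are needed, it is worth checking after a reboot that each one actually took. The following script is an added example and not FastComet's own tooling: it reads the per-variant status files that patched Linux kernels expose under /sys/devices/system/cpu/vulnerabilities/ (one file per variant listed above: spectre_v1, spectre_v2, meltdown) and counts the branch-control CPU flags (ibrs, ibpb, stibp) that only appear in /proc/cpuinfo once the new microcode is loaded. The sysfs and /proc paths are the real Linux interfaces; the status strings and flag lines used as sample input are constructed to resemble what the kernel prints.

```sh
#!/bin/sh
# Added example (not FastComet's code): report a Linux host's mitigation
# status for Spectre v1, Spectre v2 and Meltdown, and whether the CPU
# microcode advertises the branch-control features Spectre-V2 mitigation
# relies on. Paths are the real kernel interfaces; sample inputs in the
# lead-in and tests are constructed.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status "STRING": map one sysfs status line to a one-word verdict.
# Patched kernels print "Not affected", "Mitigation: ..." or "Vulnerable...".
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# variant_status NAME: verdict for spectre_v1, spectre_v2 or meltdown on this
# host. A missing file means the running kernel predates the reporting
# interface (or this is not Linux); treat that as "unknown", never as "safe".
variant_status() {
    if [ -r "$VULN_DIR/$1" ]; then
        classify_status "$(cat "$VULN_DIR/$1")"
    else
        echo unknown
    fi
}

# count_spectre_ctrl_flags "FLAGS_LINE": how many of the microcode-provided
# branch-control flags (ibrs, ibpb, stibp) appear in a /proc/cpuinfo flags
# line. On Intel all three show up once the new microcode is loaded; AMD
# parts expose at least ibpb. Zero means the firmware stage has not reached
# this host yet, even if the kernel stage has.
count_spectre_ctrl_flags() {
    n=0
    for flag in ibrs ibpb stibp; do
        case " $1 " in
            *" $flag "*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Report for the host this script runs on (prints "unknown" everywhere on
# a non-Linux box or an unpatched kernel).
for v in spectre_v1 spectre_v2 meltdown; do
    printf '%-11s %s\n' "$v" "$(variant_status "$v")"
done
if [ -r /proc/cpuinfo ]; then
    flags=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n 1)
    printf 'branch-control flags from microcode: %s of 3\n' \
        "$(count_spectre_ctrl_flags "$flags")"
fi
```

A host whose spectre_v2 file reads "Vulnerable: Minimal generic ASM retpoline" has the kernel stage applied but was built without full retpoline support; a host that reports "Mitigation: ..." for spectre_v2 yet shows zero branch-control flags has the kernel but not the microcode, and IBPB-based protection is not active on it.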
Since becoming aware of these vulnerabilities, FastComet has been working diligently to plan and implement the best resolution for our customers. Our security and development teams have been working with our vendors to deploy the updates required to mitigate them. As posted on our blog, we have so far performed multiple rounds of reboots and emergency maintenance to address the Meltdown vulnerability. Spectre variant 1 updates had already been issued back in January; the security update rolled out on April 10, 2018 brings the fix for Spectre variant 2. To apply this patch, the physical hardware on which your server resides will need to undergo maintenance. For this fix we are also upgrading the kernel to a current stable line, rather than a long-term maintenance line, so that we have access to the latest patches as they are released.
Spectre-V2 Patch – Update Schedule
The Linux kernel source code was patched for Meltdown on January 2, 2018, with the release of 4.14.11. As is often the case with this kind of situation, the landscape has evolved a bit since our original post.
Earlier this week, a new update to the Linux kernel was released. As you have come to expect, we are taking immediate and swift action to tackle these vulnerabilities, keep your sites safe and secure, and keep our promises to you as a managed host. Given the seriousness of the issue and its security implications, we made the decision to apply the updates to all of our servers. This requires a reboot of each server in order to move to the new patched kernel.
Spectre-V2 mitigation is a two-stage process. The first stage is the kernel update, which has to be in place before the new microcode is loaded; applying microcode to a system without the matching kernel has been associated with unpredictable system behavior, performance issues, and unexpected reboots.
The second stage is the host-level fix applied by our upstream provider, which involves maintenance of the physical hardware on which your server resides. These updates affect the underlying infrastructure your server is located on and will not affect the data stored within it. We currently have these scheduled, and they will begin on April 25th. We anticipate completing the reboot process within a week. Our plan is to run the bulk of these reboots at the time of day when your site generates the least traffic, in order to affect your business as little as possible. Reboot windows will run from 8pm-5pm, local time for a given datacenter. Users will be notified via email prior to the server reboots, with specific information about the maintenance window for their impacted server. We advise checking your notification email, which can also be found in the Email History section of your Client Area. We will share progress updates and alert our users to the completion of reboots in each of our regions as information becomes available.
Regrettably, due to the critical nature and logistical requirements of these updates, we aren’t able to reschedule or push back the provided maintenance windows. Our team is working around the clock to have our infrastructure patched against the Meltdown and Spectre vulnerabilities as quickly as possible.
At FastComet, a dedicated team of security experts is fully mobilized. Please rest assured that we are working with our operating system vendors to resolve the vulnerabilities and ensure that your data is safe. FastComet continues to secure its infrastructure. Our whole team would like to thank the amazing FastComet community for their understanding in this matter.