[Security Bulletin] Intel Processor Meltdown and Spectre Security Vulnerability Bulletin - Alibaba Cloud Developer Forums: Cloud Discussion Forums

shhanshan
Forum Moderator


Posted time: Jan 5, 2018 14:58 PM
On January 3, 2018, a serious vulnerability affecting Intel processors came to light. The vulnerability stems from a chip hardware design bug, which can lead to problems such as operating system kernel information leakage and applications gaining access to privileged system kernel data. Before the disclosure of the vulnerability, Alibaba Cloud had synchronized with Intel and had confirmed and verified a mitigation plan. Up to now, no attacks that take advantage of this vulnerability have been detected.

Specific details are as follows:

Vulnerability Numbers:

CVE-2017-5753
CVE-2017-5715
CVE-2017-5754

Vulnerability Name:

Intel processor serious chip level vulnerability

Official Rating:

High-risk

Vulnerability Description:

Because of security flaws in their implementation, computer processor chips cannot in some situations distinguish between low-privileged application access and high-privileged kernel access. This allows an attacker to bypass memory protection and read data from memory that belongs to the operating system kernel or other privileged applications, creating a risk of sensitive information disclosure.

According to the attack details disclosed so far and a comprehensive analysis by the Alibaba Cloud technical team, there are two attack methods that take advantage of Intel processor design loopholes: Meltdown and Spectre. Meltdown refers to CVE numbers CVE-2017-5753 and CVE-2017-5715, while Spectre refers to CVE number CVE-2017-5754.

Specific attacks are described below:

bounds check bypass (CVE-2017-5753) (https://spectreattack.com/spectre.pdf)
branch target injection (CVE-2017-5715) (https://spectreattack.com/spectre.pdf)
rogue data cache load (CVE-2017-5754) (https://meltdownattack.com/meltdown.pdf)

Vulnerability Impact:

The vulnerability exists on Intel x86-64 hardware, and Intel processor chips produced after 1995 may be affected. In addition, AMD, Qualcomm and ARM processors are also affected.

Vulnerability Risk:

According to the currently public PoC tests, an attacker first needs the rights of an ordinary local account and must then perform privilege escalation operations to gain the higher authority needed to obtain sensitive local information and exploit the vulnerability.

Recommended actions to help protect against the vulnerabilities:

•  Recovery plan of the cloud platform Infrastructure

Alibaba Cloud has already started taking steps to mitigate the impact of this vulnerability on our cloud platform Infrastructure. The deployment will be finished before 24:00 on January 12, 2018, Beijing time. The solution will leverage hot upgrades so it will not impact customers in the normal case.

Alibaba Cloud official notice – 2018.01.04: https://alibabacloud.com/notice/platform_01_03

•  Recovery plan of the guest OS

1. Customers need to apply the latest corresponding OS patch inside the guest OS to protect against the vulnerabilities. Alibaba Cloud continues to track the patch status of major OS vendors, and will update the official OS images once we get the latest patch from the OS vendors.

The latest tracking status (Jan. 10 update):

| Operating System | Version | Architecture | Impact | Official Patch Status | Recover status of the image | Updating status of the source image | Official security notices from OS distribution vendors |
|---|---|---|---|---|---|---|---|
| Microsoft Windows | 2008 R2 | x64 | Yes | Published | Not recovered | Not updated | |
| Microsoft Windows | 2012 R2 | x64 | Yes | Published | Not recovered | Not updated | |
| Microsoft Windows | 2016 R2 | x64 | Yes | Published | Not recovered | Not updated | |
| Microsoft Windows | Version 1709 | x64 | Yes | Published | Not recovered | Not updated | |
| Aliyun Linux | All versions | x64 | Yes | Not published | Not recovered | Not updated | Please check Alibaba Cloud Official Notice |
| CentOS | All versions | x64 | Yes | Published | Not recovered | Updated | |
| Redhat | el6, el7 | x64 | Yes | Published | Not recovered | Updated | |
| Ubuntu | All versions | i386/x64 | Yes | Published patch CVE-2017-5754 | Not recovered | Not updated | |
| Debian | All versions | i386/x64 | Yes | Published patch CVE-2017-5754 | Not recovered | Not updated | |
| SUSE Linux Enterprise Server | SUSE 11 SP4, SUSE 12 SP2 | x64 | Yes | Published | Recovered System: SUSE 11 SP4, SUSE 12 SP2 | Updated | |
| Open SUSE | All versions | x64 | Yes | Published | Not recovered | Not updated | |
| CoreOS | All versions | x64 | Yes | Published | Not recovered | Updated | https://coreos.com/blog/container-linux-meltdown-patch |
| gentoo | All versions | x64 | Yes | Not published | Not recovered | Not updated | |
| FreeBSD | All versions | x64 | Yes | Not published | Not recovered | Not updated | https://www.freebsd.org/news/newsflash.html#event20180104:01 |

Patching steps:

Note (applies to every set of steps below): To avoid incidents, it is highly recommended to test first and to back up data and snapshots before patching.

Microsoft Windows:
1. Open Windows Update and click “Check for updates”. Install the related patches according to your business situation.
2. Restart the machine after installation and check the running status after reboot.
3. You can also download and install the patches manually via the following links:
   Windows Server Version 1709: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056892
   Windows Server 2016: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056890
   Windows Server 2012 R2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056898
   Windows Server 2008 R2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056897
4. The fix will take effect after reboot.

CentOS / Redhat:
i. Use the root account to run the update command: yum update kernel
ii. Reboot the system.
iii. Check version:
   rhel 6: kernel >= 2.6.32-696.18.7.el6
   rhel 7: kernel >= 3.10.0-693.11.6.el7

Ubuntu:
i. Use the root account to run the update commands:
   update list: apt-get update
   upgrade: apt-get upgrade
ii. Reboot the system.

Debian:
i. Use the root account to run the update commands:
   update list: apt-get update
   upgrade: apt-get upgrade
ii. Reboot the system.

SUSE Linux Enterprise Server:
i. Use the root account to run the update command “zypper refresh && zypper patch”.
ii. Reboot the system.
iii. Check version:
   SUSE 11 SP4: kernel-default >= 3.0.101-108.21.1, microcode_ctl >= 1.17-102.83.6.1
   SUSE 12 SP2: kernel-default >= 4.4.103-92.56.1, kernel-firmware >= 20170530-21.16.1, ucode-intel >= 20170707-13.8.1

CoreOS:
i. Upgrade the system.
ii. Reboot.
iii. Check version:
   stable >= 1576.5.0
   alpha >= 1649.0.0
   beta >= 1632.1.0

Aliyun Linux, gentoo, FreeBSD: NA

  
2. Because most OS vendors are still working on their patches, Alibaba Cloud recommends that you apply security hardening and enable protection against the attacks.

3. Currently, Linux-based OSs will suffer some performance impact after patches are applied. Since only local privilege escalation can leverage this vulnerability to access sensitive data, customers can decide whether or not to apply the current patch based on their own needs. We highly recommend creating and verifying backups before installing patches.
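
The "Check version" step for CentOS and Redhat in the tracking status above can be scripted. The following is an added example, not part of the original bulletin: it compares a `uname -r` style release string against the two minimum kernel versions the bulletin lists. The function names and status labels are this example's own, and the sample release strings are constructed.

```shell
#!/bin/sh
# Added example (not from the bulletin): check a RHEL/CentOS kernel release
# against the minimum versions in the bulletin's "Check version" step.

# Thresholds copied from the bulletin.
MIN_EL6="2.6.32-696.18.7.el6"
MIN_EL7="3.10.0-693.11.6.el7"

# version_ge A B: succeed when numeric version A >= B.
# Fields are split on "." and "-"; a missing field counts as 0.
version_ge() {
    vg_a=$1 vg_b=$2
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_x=${vg_a%%[.-]*}; vg_y=${vg_b%%[.-]*}   # leading field of each side
        [ "${vg_x:-0}" -gt "${vg_y:-0}" ] && return 0
        [ "${vg_x:-0}" -lt "${vg_y:-0}" ] && return 1
        case $vg_a in *[.-]*) vg_a=${vg_a#*[.-]} ;; *) vg_a= ;; esac
        case $vg_b in *[.-]*) vg_b=${vg_b#*[.-]} ;; *) vg_b= ;; esac
    done
    return 0
}

# kernel_status RELEASE: print MEETS_MINIMUM, BELOW_MINIMUM or UNKNOWN
# (labels are this example's own) for a `uname -r` style string.
kernel_status() {
    case $1 in
        *.el6*) ks_min=$MIN_EL6 ;;
        *.el7*) ks_min=$MIN_EL7 ;;
        *) echo UNKNOWN; return 0 ;;      # not an el6/el7 kernel
    esac
    ks_num=${1%%.el[0-9]*}                # drop dist tag and arch suffix
    case $ks_num in
        ''|*[!0-9.-]*) echo UNKNOWN; return 0 ;;   # unexpected characters
    esac
    if version_ge "$ks_num" "${ks_min%%.el[0-9]*}"; then
        echo MEETS_MINIMUM
    else
        echo BELOW_MINIMUM
    fi
}

# Report on the running kernel, then on two constructed sample strings.
for rel in "$(uname -r)" 3.10.0-693.5.2.el7.x86_64 2.6.32-696.18.7.el6.x86_64; do
    echo "$rel: $(kernel_status "$rel")"
done
```

The new kernel is only in use after the reboot the bulletin calls for, so run the check against `uname -r` after rebooting rather than against the list of installed packages.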

Information Source:
•  Attack details from Google: https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html?m=1&from=groupmessage&isappinstalled=0
•  Notice by US CERT: https://www.us-cert.gov/ncas/current-activity/2017/11/21/Intel-Firmware-Vulnerability
•  Official notice by Intel: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
•  A brief analysis of the vulnerability: https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
•  Detailed analysis: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
[shhanshan edited the post at Jan 10, 2018 13:12 PM]
