[Share][Security Bulletin] Intel Processor Meltdown and Specter Security Vulnerability Bulletin

On January 3, 2018, A serious vulnerability affecting Intel processors came to light. The vulnerability stems from a chip hardware design bug, which can lead to problems such as operating system kernel information leakage and applications gaining access to privileged system kernel data. Before the disclosure of the vulnerability, Alibaba Cloud has synchronized with Intel and has confirmed verified a mitigation plan. Up to now, there have been no attacks detected which take advantage of this vulnerability.

Specific details are as follows:

Vulnerability Numbers:

CVE-2017-5753
CVE-2017-5715
CVE-2017-5754

Vulnerability Name:

Intel processor serious chip level vulnerability

Official Rating:

High-risk

Vulnerability Description:

Because computer processor chips have security flaws in their implementation, they cannot distinguish between low-privileged application access and kernel high-level access in some situations, which allows an attacker to bypass memory protection, and read data from memory which belongs to the operating system kernel or other privileged applications, creating a risk risk of sensitive information disclosure.

According to the attack details disclosed so far and a comprehensive analysis by the Alibaba Cloud technical team, there are two attack methods taking advantage of Intel processor design loopholes: Meltdown and Specter. Meltdown refers to CVE numbers CVE-2017-5753 and CVE-2017-5715, while Specter refers to CVE number CVE-2017-5754.

Specific attacks are described below:

bounds check bypass (CVE-2017-5753) (https://spectreattack.com/spectre.pdf)
branch target injection (CVE-2017-5715) (https://spectreattack.com/spectre.pdf)
rogue data cache load (CVE-2017-5754) (https://meltdownattack.com/meltdown.pdf)

Vulnerability Impact:

The vulnerability exists on Intel x86-64 hardware, and Intel processor chips produced after 1995 may be affected. In addition, AMD, Qualcomm and ARM processors are also affected.

Vulnerability Risk:

According to the current public PoC test, an attacker needs to obtain local common account rights and then further perform privilege escalation operations, so as to obtain higher authority to obtain locally sensitive information and to exploit the vulnerability.

Recommended actions to help protect against the vulnerabilities:

•  Recovery plan of the cloud platform Infrastructure

Alibaba Cloud has already started taking steps to mitigate the impact of this vulnerability on our cloud platform Infrastructure. The deployment will be finished before 24:00 on January 12, 2018, Beijing time. The solution will leverage hot upgrades so it will not impact customers in the normal case.

Alibaba Cloud official notice – 2018.01.04: https://alibabacloud.com/notice/platform_01_03

•  Recovery plan of the guest OS

1. Customers need to apply the latest corresponding OS patch inside the guest OS to protect against the vulnerabilities. Alibaba Cloud continues to track the patch status of major OS vendors, and will update the official OS images once we get the latest patch from the OS vendors.

The latest tracking status(Jan. 10 update):
  

Operation System	Version	Architecture	Impact	Official Patch Status	Recover status of the image	Updating status of the source image	Official security notices from OS distribution vendors	Patching steps
Microsoft Windows	2008 R2	x64	Yes	Published	Not recovered	Not updated	All versions’ patches are published except server 2008 https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution-s	1. Open windows update and click “Check for updates”. Install the related patches according to business situation.   2. Restart the machine after installation and check the running status after reboot. 3. You can also download and install the patches manually via following links: Windows Server Version 1709： https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056892 Window Server 2016: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056890 Windows Server 2012 R2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056898 Windows Server 2008 R2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056897 4.The fix will take effect after reboot. Notes: In order to avoid incident it is highly recommended to do the test and backup data & snapshots before the patching.
	2012 R2	x64	Yes	Published	Not recovered	Not updated
	2016 R2	x64	Yes	Published	Not recovered	Not updated
	Version 1709	x64	Yes	Published	Not recovered	Not updated
Aliyun Linux	All versions	x64	Yes	Not published	Not recovered	Not updated	Please check Alibaba Cloud Office Notice	NA
CentOS	All versions	x64	Yes	Published	Not recovered	Updated	https://access.redhat.com/security/vulnerabilities/speculativeexecution https://access.redhat.com/errata/RHSA-2018:0007 https://access.redhat.com/errata/RHSA-2018:0008	i. Use root account to run updating command yum update kernel. ii. Reboot System. iii. Check version： rhel 6 : kernel >= 2.6.32-696.18.7.el6 rhel 7 : kernel >= 3.10.0-693.11.6.el7 Notes: In order to avoid incident it is highly recommended to do the test and backup data & snapshots before the patching.
Redhat	el6 el7	x64	Yes	Published	Not recovered	Updated
Ubuntu	All versions	i386/x64	Yes	Published patch CVE-2017-5754	Not recovered	Not updated	https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html	i. Use root account to run updating command: update list: apt-get update upgrade: apt-get upgrade ii. Reboot System Notes: In order to avoid incident it is highly recommended to do the test and backup data & snapshots before the patching.
Debain	All versions	i386/x64	Yes	Published patch CVE-2017-5754	Not recovered	Not updated	https://security-tracker.debian.org/tracker/CVE-2017-5754 https://security-tracker.debian.org/tracker/CVE-2017-5753 https://security-tracker.debian.org/tracker/CVE-2017-5715	i. Use root account to run updating command: update list: apt-get update upgrade: apt-get upgrade ii. Reboot System Notes: In order to avoid incident it is highly recommended to do the test and backup data & snapshots before the patching.
SUSE Linux Enterprise Server	SUSE 11 SP4 SUSE 12 SP2	x64	Yes	Published	Recovered System SUSE 11 SP4 SUSE 12 SP2	Updated	https://www.suse.com/security/cve/CVE-2017-5754/ https://www.suse.com/security/cve/CVE-2017-5753/ https://www.suse.com/security/cve/CVE-2017-5715/	i. Use root account to run updating command “zypper refresh && zypper patch”. ii. Reboot system. iii. Check version: SUSE 11 SP4: kernel-default >= 3.0.101-108.21.1 microcode_ctl >= 1.17-102.83.6.1 SUSE 12 SP2: kernel-default >= 4.4.103-92.56.1 kernel-firmware >= 20170530-21.16.1 ucode-intel >= 20170707-13.8.1 Notes: In order to avoid incident it is highly recommended to do the test and backup data & snapshots before the patching.
Open SUSE	All versions	x64	Yes	Published	Not recovered	Not updated	https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00001.html
CoreOS	All versions	x64	Yes	Published	Not recovered	Updated	https://coreos.com/blog/container-linux-meltdown-patch	i. Upgrade system. ii. Reboot. iii. Check version: stable >= 1576.5.0 alpha >= 1649.0.0 beta >= 1632.1.0 Notes: In order to avoid incident it is highly recommended to do the test and backup data & snapshots before the patching.
gentoo	All versions	x64	Yes	Not published	Not recovered	Not updated	https://archives.gentoo.org/gentoo-user/message/11050085e72a8a05aa84e10a89ce3498 CVE-2017-5753: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2017-5753 CVE-2017-5715: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2017-5715 CVE-2017-5754: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2017-5754	NA
FreeBSD	All versions	x64	Yes	Not published	Not recovered	Not updated	https://www.freebsd.org/news/newsflash.html#event20180104:01	NA

  
2. Due to the fact that most OS vendors are still working on their patches, Alibaba Cloud recommends you apply  security hardening and enable protection against the attacks.

3. Currently, Linux based OSs will suffer some performance impact after patches are applied. Since only local privilege escalation can leverage thisvulnerability to access sensitive data, customers can decide whether or not to apply the current patch based on own needs. We highly recommend creating and verifying backups before installing patches.

Information Source:
•  Attack details from Google: https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html?m=1&from=groupmessage&isappinstalled=0
•  Notice by US CERT: https://www.us-cert.gov/ncas/current-activity/2017/11/21/Intel-Firmware-Vulnerability
•  Official notice by Intel: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
•  A brief analysis of the vulnerability: https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
•  Detailed analysis: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html