[Security Bulletin] Intel Processor Meltdown and Specter Security Vulnerability Bulletin
Created#More Posted time:Jan 5, 2018 14:58 PM
On January 3, 2018, A serious vulnerability affecting Intel processors came to light. The vulnerability stems from a chip hardware design bug, which can lead to problems such as operating system kernel information leakage and applications gaining access to privileged system kernel data. Before the disclosure of the vulnerability, Alibaba Cloud has synchronized with Intel and has confirmed verified a mitigation plan. Up to now, there have been no attacks detected which take advantage of this vulnerability.
Specific details are as follows:
Intel processor serious chip level vulnerability
Because computer processor chips have security flaws in their implementation, they cannot distinguish between low-privileged application access and kernel high-level access in some situations, which allows an attacker to bypass memory protection, and read data from memory which belongs to the operating system kernel or other privileged applications, creating a risk risk of sensitive information disclosure.
According to the attack details disclosed so far and a comprehensive analysis by the Alibaba Cloud technical team, there are two attack methods taking advantage of Intel processor design loopholes: Meltdown and Specter. Meltdown refers to CVE numbers CVE-2017-5753 and CVE-2017-5715, while Specter refers to CVE number CVE-2017-5754.
Specific attacks are described below:
bounds check bypass (CVE-2017-5753) (https://spectreattack.com/spectre.pdf)
branch target injection (CVE-2017-5715) (https://spectreattack.com/spectre.pdf)
rogue data cache load (CVE-2017-5754) (https://meltdownattack.com/meltdown.pdf)
The vulnerability exists on Intel x86-64 hardware, and Intel processor chips produced after 1995 may be affected. In addition, AMD, Qualcomm and ARM processors are also affected.
According to the current public PoC test, an attacker needs to obtain local common account rights and then further perform privilege escalation operations, so as to obtain higher authority to obtain locally sensitive information and to exploit the vulnerability.
Recommended actions to help protect against the vulnerabilities:
• Recovery plan of the cloud platform Infrastructure
Alibaba Cloud has already started taking steps to mitigate the impact of this vulnerability on our cloud platform Infrastructure. The deployment will be finished before 24:00 on January 12, 2018, Beijing time. The solution will leverage hot upgrades so it will not impact customers in the normal case.
Alibaba Cloud official notice – 2018.01.04: https://alibabacloud.com/notice/platform_01_03
• Recovery plan of the guest OS
1. Customers need to apply the latest corresponding OS patch inside the guest OS to protect against the vulnerabilities. Alibaba Cloud continues to track the patch status of major OS vendors, and will update the official OS images once we get the latest patch from the OS vendors.
The latest tracking status(Jan. 10 update):
2. Due to the fact that most OS vendors are still working on their patches, Alibaba Cloud recommends you apply security hardening and enable protection against the attacks.
3. Currently, Linux based OSs will suffer some performance impact after patches are applied. Since only local privilege escalation can leverage thisvulnerability to access sensitive data, customers can decide whether or not to apply the current patch based on own needs. We highly recommend creating and verifying backups before installing patches.
• Attack details from Google: https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html?m=1&from=groupmessage&isappinstalled=0
• Notice by US CERT: https://www.us-cert.gov/ncas/current-activity/2017/11/21/Intel-Firmware-Vulnerability
• Official notice by Intel: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
• A brief analysis of the vulnerability: https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
• Detailed analysis: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
[shhanshan edited the post at Jan 10, 2018 13:12 PM]