On January 3, 2018, serious security vulnerabilities in Intel processor chips were disclosed. These vulnerabilities are caused by design bugs at the chip hardware layer. Successful exploitation can result in leakage of the operating system's kernel information, elevated access to system kernel data by applications, and other serious issues. Alibaba Cloud synchronized key security information with Intel before the vulnerabilities were disclosed, and continues to verify the remediation plan.
See the following for more information about the vulnerability.
CVE identifier
- CVE-2017-5753
- CVE-2017-5715
- CVE-2017-5754
Vulnerability name
Serious chip-level vulnerabilities in Intel processors
Vulnerability rating
High
Vulnerability description
Because of security bugs in the implementation of the CPU chips, low-privilege accesses by applications cannot be correctly distinguished from high-privilege accesses by the kernel. As a result, attackers may bypass the security isolation boundary of memory access and obtain memory data of the operating system kernel and of other applications, which increases the risk of sensitive information leakage.
Based on the revealed attack details and the aggregate analysis by the Alibaba Cloud Technical team, these vulnerabilities can be exploited by two attack methods: Meltdown and Spectre. The CVE-2017-5754 vulnerability is exploited by Meltdown, and the CVE-2017-5753 and CVE-2017-5715 vulnerabilities are exploited by Spectre.
For more information about the attack methods, see the following articles:
- Bounds check bypass (CVE-2017-5753)
- Branch target injection (CVE-2017-5715)
- Rogue data cache load (CVE-2017-5754)
Condition and method of exploitation
Based on the published PoC test results, attackers must first gain the permissions of a normal local account, and can then obtain local sensitive information that requires higher permissions through privilege escalation. The vulnerabilities can be exploited only under certain conditions.
Affected scope
Since the vulnerabilities exist in Intel x86-64 hardware, all Intel processor chips manufactured after 1995 may be affected. Processors from AMD, Qualcomm, and ARM are also affected.
How to fix or mitigate
Cloud platform
Alibaba Cloud has launched updates to the underlying infrastructure of our cloud platform to fix the vulnerabilities. The updates are applied in batches, and are planned to be completed no later than 24:00:00 (UTC+08:00) on January 19, 2018. Because the updates are performed as hot upgrades, customers' business on the cloud platform remains unaffected.
Tenant
To avoid the risks posed by the vulnerabilities, you have to apply hotfixes to your systems on the cloud platform. Alibaba Cloud continuously updates the official release status of hotfixes for major operating systems, and fixes the official operating system images first.
Hotfix release status (as of January 10, 2018)

| Operating system | Version | Architecture | Affected | Official hotfix status | Image status | Image source status |
| --- | --- | --- | --- | --- | --- | --- |
| Microsoft Windows Server | 2008 R2 | i386/x64 | Yes | Released | Not fixed | Not updated |
| Microsoft Windows Server | 2012 R2 | x64 | Yes | Released | Not fixed | Not updated |
| Microsoft Windows Server | 2016 R2 | x64 | Yes | Released | Not fixed | Not updated |
| Microsoft Windows Server | Version 1709 | x64 | Yes | Released | Not fixed | Not updated |
| Aliyun Linux | All versions | x64 | Yes | Not released | Not fixed | Not updated |
| CentOS | All versions | x64 | Yes | Released | Not fixed | Updated |
| Redhat | el6, el7 | x64 | Yes | Released | Not fixed | Updated |
| Ubuntu | All versions | i386/x64 | Yes | Hotfix released to fix CVE-2017-5754 | Not fixed | Not updated |
| Debian | All versions | i386/x64 | Yes | Hotfix released to fix CVE-2017-5754 | Not fixed | Not updated |
| SUSE Linux Enterprise Server | 12.2, 11.4 | x64 | Yes | Partial hotfixes released | Not fixed | Updated |
| Open SUSE | All versions | x64 | Yes | Not released | Not fixed | Not updated |
| CoreOS | All versions | x64 | Yes | Not released | Not fixed | Not updated |
| Gentoo | All versions | x64 | Yes | Not released | Not fixed | Not updated |
| FreeBSD | All versions | x64 | Yes | Not released | Not fixed | Not updated |

Official security notice and how to fix

Microsoft Windows Server
Official security notice: Hotfixes have been released for all versions, except for Windows Server 2008. For more information, see Microsoft official notice.
How to fix:
- Open Windows Update, and click Check for updates. Download and install relevant security hotfixes.
- Restart your server after the installation, and check the operation status of your system.
- Windows Server Version 1709: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056892
- Windows Server 2016: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056890
- Windows Server 2012 R2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056898
- Windows Server 2008 R2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056897
Note: Before the hotfix installation, we strongly recommend that you perform relevant testing, and create the data backup or snapshot.

Aliyun Linux
Official security notice: Alibaba Cloud has released official notice.
How to fix: Unavailable

CentOS
How to fix:
- Run the following command with the root account to update your system:
    yum update kernel
- Restart your system.
- Verify the updated version:
  - rhel 6 : kernel >= 2.6.32-696.18.7.el6
  - rhel 7 : kernel >= 3.10.0-693.11.6.el7

Ubuntu
Official security notice:
- https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
- https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html
- https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html
- https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html
How to fix:
- Run the following commands to update your system:
  - Update list:
    apt-get update
  - Upgrade:
    apt-get upgrade
- Restart your system.

SUSE Linux Enterprise Server
How to fix:
- Run the following command with the root account to update your system:
    zypper refresh && zypper patch
- Restart your system.

Open SUSE
Official security notice: https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00001.html

CoreOS
Official security notice: No official notice released
How to fix: Unavailable

Gentoo
Official security notice: https://archives.gentoo.org/gentoo-user/message/11050085e72a8a05aa84e10a89ce3498
How to fix: Unavailable

FreeBSD
Official security notice: No official notice released
How to fix: Unavailable

Note: For more information about released versions of operating systems provided by ECS, see How to select a system image.
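The "Verify the updated version" step for rhel 6 and rhel 7 can be scripted. The following is an added example, not part of the original advisory: it compares a release string in `uname -r` format against the two minimum kernel builds listed above. The function names are hypothetical, and GNU `sort -V` is assumed for version ordering.

```sh
#!/bin/sh
# Added example (not from the advisory): compare a RHEL/CentOS kernel release
# against the minimum fixed builds listed in the advisory.
# Assumes GNU sort with -V (version sort). Function names are hypothetical.

MIN_EL6="2.6.32-696.18.7"   # rhel 6 minimum from the advisory
MIN_EL7="3.10.0-693.11.6"   # rhel 7 minimum from the advisory

# version_ge A B: true when A >= B in version order.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_kernel RELEASE: prints patched, vulnerable or unknown for a string
# in `uname -r` format, such as 3.10.0-693.11.6.el7.x86_64.
check_kernel() {
    ck_release="$1"
    case "$ck_release" in
        *.el6*) ck_min="$MIN_EL6" ;;
        *.el7*) ck_min="$MIN_EL7" ;;
        *) echo "unknown"; return 0 ;;
    esac
    # Strip the dist tag and architecture (".el7.x86_64") before comparing.
    ck_base="${ck_release%%.el[67]*}"
    if version_ge "$ck_base" "$ck_min"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Check the release given as the first argument, or the running kernel.
check_kernel "${1:-$(uname -r)}"
```

Because `uname -r` reports the running kernel, a host that was updated but not yet restarted still shows as vulnerable.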
Since most manufacturers still haven't released hotfixes, we strongly recommend that you apply security hardening and protection measures according to our security best practices to reduce the risk of exploitation by attackers. For more information, see Security Deployment Guide.
Currently, some performance degradation has been observed in Linux after the vulnerabilities are fixed. The vulnerabilities can be exploited only through local privilege escalation to obtain sensitive information. Thus, considering the stability of your business, you can decide for yourself whether to apply the hotfixes. We strongly recommend that you perform relevant testing and create a data backup or snapshot before you apply the hotfixes on your server.