Update regarding "Meltdown" and "Spectre"
Recently, two important security vulnerabilities code-named Meltdown and Spectre have been discovered independently by several parties including researchers at Graz University of Technology and Google Project Zero. At cloudscale.ch we take these threats very seriously and do our best to ensure the safety of our cloud infrastructure.
Back in January we already summarized information about the measures taken so far regarding these vulnerabilities. With this update we would like to inform you that we have already applied the available fixes for Meltdown and Spectre (on 2018-01-10 and 2018-02-26 respectively) on all of our compute nodes.
- Detailed information regarding Meltdown
- Detailed information regarding Spectre
- Security advice for our customers
Detailed information regarding Meltdown (CVE-2017-5754)
Fixes for the Meltdown vulnerability were available shortly after disclosure. We have applied the Linux kernel update that fixes the Meltdown vulnerability on all of our compute nodes on 2018-01-10. To protect yourself against attacks from inside your cloud servers you need to apply the corresponding security updates provided by your Linux distribution as well.
Detailed information regarding Spectre (CVE-2017-5715, CVE-2017-5753)
The Spectre vulnerability comes in two variants:
Spectre variant 1 can be fully mitigated with updated software. However, all vulnerable parts of the code need to be identified first.
Fixing Spectre variant 2 is more complicated. The fix initially proposed involved a CPU microcode update. As this update caused system stability issues, it was later withdrawn by Intel. Thanks to extensive testing in our lab, the flawed microcode update was never applied to our compute nodes in production.
An alternative approach to fix Spectre variant 2 was then developed by Google engineers and the Linux kernel community. This approach uses a technique called retpoline (return trampoline) which offers two main advantages: It does not need a CPU microcode update and the performance penalty is much smaller.
On 2018-02-26 we installed the Linux kernel update which contains the retpoline fix. With this update all known variants of the Spectre vulnerability have been fixed on all of our compute nodes. We expect additional updates to be necessary if further vulnerable parts of the Linux kernel are identified, and we will install those updates as they become available.
Security advice for our customers
Please note that you need to apply the relevant security updates on your cloud servers as well in order to fix the Meltdown and Spectre vulnerabilities. Otherwise your cloud servers will remain vulnerable to attacks from within your server. We suggest using the script published by Stéphane Lesimple to check whether your servers are still vulnerable or not.
We will continue to track the availability of CPU microcode updates but no longer consider this a priority as – for most Linux distributions – alternative approaches are available to fix the Spectre variant 2 vulnerability.
We advise all of our customers to install the retpoline-enabled Linux kernels provided by their distribution whenever possible. We will inform you if further action is required.
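As an added illustration of the check recommended above (this is neither a cloudscale.ch script nor Stéphane Lesimple's checker): a kernel that contains the fixes reports its own mitigation status through sysfs, and the script below summarises that report. It assumes the kernel exposes /sys/devices/system/cpu/vulnerabilities with files named meltdown, spectre_v1 and spectre_v2; the directory path can be overridden via VULN_DIR for testing.

```shell
#!/bin/sh
# Added example: summarise the Linux kernel's own Meltdown/Spectre mitigation
# status as reported under sysfs. Assumption: the kernel exposes one file per
# issue in /sys/devices/system/cpu/vulnerabilities (kernels without the fixes
# have no such directory at all, which is itself a sign the host is unpatched).

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# check_vulnerabilities DIR
# Prints one line per issue. Returns 0 when nothing reports "Vulnerable",
# 1 when at least one issue is still unmitigated or unreported, and
# 2 when the directory is missing (kernel predates the fixes).
check_vulnerabilities() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "$dir missing: kernel predates the fixes, assume vulnerable"
        return 2
    fi
    bad=0
    for f in "$dir/meltdown" "$dir/spectre_v1" "$dir/spectre_v2"; do
        name=$(basename "$f")
        if [ ! -r "$f" ]; then
            echo "$name: not reported by this kernel"
            bad=1
            continue
        fi
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)    echo "$name: STILL VULNERABLE ($status)"; bad=1 ;;
            "Not affected") echo "$name: not affected" ;;
            Mitigation:*)   echo "$name: mitigated ($status)" ;;
            *)              echo "$name: unrecognised status '$status'"; bad=1 ;;
        esac
    done
    return $bad
}

# has_retpoline DIR
# Returns 0 when spectre_v2 reports a retpoline-based mitigation, i.e. the
# retpoline-enabled kernel recommended above is actually in use.
has_retpoline() {
    grep -qi retpoline "$1/spectre_v2" 2>/dev/null
}

# Run against the live system when executed directly; the exit status of
# check_vulnerabilities is kept in $rc for callers that want to act on it.
check_vulnerabilities "$VULN_DIR"
rc=$?
has_retpoline "$VULN_DIR" && echo "spectre_v2: retpoline in use"
```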
Please do not hesitate to contact us if you have any questions.
Best regards from Zurich - Switzerland,
your cloudscale.ch team