Information on "ZombieLoad", "RIDL", and "Fallout"
By now, it is common knowledge that new bugs in software are being discovered on a regular basis. The fact that security flaws can also be found in hardware became clear to a broader public in January 2018 when Meltdown and Spectre were making headlines. Last Tuesday, new vulnerabilities known as ZombieLoad, RIDL, and Fallout were disclosed, against which the affected systems now have to be protected.
- Who is affected by the current vulnerabilities
- How cloudscale.ch is tackling these security bugs
- What you should do in order to secure your servers
Who is affected by the current vulnerabilities
The latest CPU vulnerabilities affect all Intel processor models released in the last few years. Processors from other vendors such as AMD and ARM are not affected according to current knowledge. The flaws in the chip design allow one thread, via so-called side-channel attacks, to access data being processed by another thread on the same CPU core. Various buffers within the CPU retain data fragments, which another thread can read in certain cases. Enabled Hyper-Threading makes these vulnerabilities easier to exploit.
This is particularly relevant when executing program code that is not trusted from the point of view of a specific process or user. Be it active content on websites you visit, or software in a "neighboring" virtual server in the cloud: malicious code can potentially access parts of your data that have just been processed on the same physical CPU core.
How cloudscale.ch is tackling these security bugs
It is in the nature of public cloud providers to run "untrusted code" on their compute nodes. Intel CPUs of the affected series are used at cloudscale.ch as well. Accordingly, we take this issue seriously and are working on eliminating the known attack vector completely. As a first step, we have applied all available security updates, along with other necessary changes, in our lab. This includes microcode updates provided by Intel for the affected processor series, the deactivation of Hyper-Threading, an updated Linux kernel, and patches for the virtualization and storage layer. As with every update, tests are currently running to ensure that the security updates do not have any unwanted impact on the stability of our infrastructure.
As soon as our tests confirm that the updated components are working as expected, we will update the production systems using the same procedure. In order to secure all affected systems as quickly as possible while remaining operational, we have scheduled an emergency maintenance window, which will last from now until (and including) next Tuesday 2019-05-21. We will do our best to minimize the impact on your virtual servers: before we start working on a compute node, we will move all virtual servers to another, already updated node using live migration. However, it is possible that you may notice degraded server performance and/or short interruptions of network connectivity during live migration. We apologize for any inconvenience this may cause.
What you should do in order to secure your servers
The measures that we can take on our side protect your virtual servers' data against access from other virtual servers. In order to protect your data against access from other processes within the same virtual server, please install the security updates released by the respective Linux distribution and other software vendors.
To mitigate the vulnerabilities, Intel recommends flushing the affected buffers in the CPUs when switching between processes with different permissions. Intel's microcode updates for the affected CPUs provide adjusted routines. After our maintenance window, i.e. as of Wednesday 2019-05-22, once you switch your virtual servers completely off and on again (a reboot is not sufficient), the new CPU flag "md_clear" will be visible inside your server. Correspondingly updated versions of your operating system and other software may use this to detect if and how they should flush the CPU buffers to best protect your data from other, potentially less trusted processes within the same virtual server.
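A quick way for an administrator to verify this from inside the virtual server, as an added example that is not part of the cloudscale.ch announcement: the script checks whether the md_clear flag is listed in a cpuinfo-style file and what the kernel reports in its MDS vulnerability file. The sample cpuinfo content is constructed so the script runs offline; on a real server, call check_guest with no arguments so it reads /proc/cpuinfo and /sys/devices/system/cpu/vulnerabilities/mds.

```shell
#!/bin/sh
# Added example (not cloudscale.ch tooling): verify that the MDS microcode
# mitigation (md_clear) is exposed to this guest and that the kernel knows
# about it. Assumes a Linux guest with a kernel that has the MDS patches.

# has_md_clear FILE: succeed (exit 0) if the "flags" line of a
# /proc/cpuinfo-style FILE contains the md_clear flag.
has_md_clear() {
    grep -E '^flags[[:space:]]*:' "$1" | grep -qw 'md_clear'
}

# mds_status FILE: print the kernel's MDS mitigation status from a sysfs-style
# FILE, or a marker when the kernel is too old to expose that file at all.
mds_status() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo "unknown (kernel does not expose $1)"
    fi
}

# check_guest [CPUINFO] [MDS_FILE]: print both findings, defaulting to the real
# kernel paths so it can be run as-is after the host maintenance.
check_guest() {
    cpuinfo=${1:-/proc/cpuinfo}
    mds=${2:-/sys/devices/system/cpu/vulnerabilities/mds}
    if has_md_clear "$cpuinfo"; then
        echo "md_clear: present (microcode mitigation is visible to this guest)"
    else
        echo "md_clear: absent (power the server fully off and on after the host update)"
    fi
    echo "kernel MDS status: $(mds_status "$mds")"
}

# Constructed sample input: a minimal cpuinfo excerpt whose flags include md_clear.
SAMPLE_CPUINFO=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu vme de pse md_clear flush_l1d\n' > "$SAMPLE_CPUINFO"

# Run against the constructed sample and a deliberately missing sysfs path.
check_guest "$SAMPLE_CPUINFO" /nonexistent/mds
rm -f "$SAMPLE_CPUINFO"
```

On a guest that has only been rebooted rather than stopped and started, md_clear will typically still be reported as absent; the kernel status line then shows whether the guest kernel is relying on a mitigation it cannot fully apply.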
Even though – according to current knowledge – the new attack scenarios are relatively difficult to exploit and data cannot be accessed in a targeted manner, we make every effort to mitigate these vulnerabilities quickly and completely. For the best possible protection, we recommend that you promptly install all available security updates on your server as well. Should you have any questions regarding our current measures, please do not hesitate to contact us.
For secure servers,
Your cloudscale.ch team