
Security update: Meltdown and Spectre

What are Meltdown and Spectre security vulnerabilities?

The three reported vulnerabilities affect the CPUs installed in almost every server and appliance, and require a significant change at the operating system or hypervisor level.

The vulnerabilities are reported as affecting Intel CPUs, but they potentially impact all major CPUs, including those from Intel, AMD and ARM.

There are three vulnerabilities known by two different names.

  • Variant 1: bounds check bypass (CVE-2017-5753) (Spectre)
  • Variant 2: branch target injection (CVE-2017-5715) (Spectre)
  • Variant 3: rogue data cache load (CVE-2017-5754) (Meltdown)

Meltdown – allows normal applications to read protected kernel memory, allowing them to steal passwords and other secrets.

Spectre – depending on your CPU, Spectre allows normal apps to potentially steal information from other apps, the kernel, or the underlying hypervisor. Spectre is difficult to exploit, but also difficult to fully patch.

What is the risk to my system(s)?

Most IT equipment supplied by Maintel is a “closed system”, i.e. an appliance where the end-user does not have the ability to run arbitrary software. These systems are considered low-risk, as the system would have to be compromised before these vulnerabilities could be used.

Windows-based and Linux-based servers where customers have administrative access are considered medium risk. At present, the best method to control this risk is to minimise access rights to these servers, in line with industry best practice.

What patches are available to address these vulnerabilities?

A small number of manufacturers have issued patches for these vulnerabilities. At the time of writing, patches are available for Cisco UCS (but not switches or routers), Microsoft Windows Servers, and VMware hosts. These do not yet address all three vulnerabilities, and there are some risks in applying them.

The following table details the risk by equipment/vendor, and which vendors have released patches as of 16th January 2018:

The Microsoft patches require a CPU microcode update, which will be provided by the server manufacturer, and are incompatible with some anti-virus providers.

The VMware patches currently only address the Spectre vulnerabilities, and not the Meltdown vulnerability.

Those patches that are available are reported to have an adverse effect on server performance.

Maintel strongly recommends that customers evaluate and test patches before deploying them on production systems. We recommend that customers also review their access policies to ensure that only people who need access to systems are able to do so.

We will continue to monitor the availability of patches as manufacturers release them.
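When testing patches on a Linux-based server, the kernel's own mitigation report can be checked per variant. The script below is an added example, not Maintel or vendor code; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (older kernels have no such directory, which it reports as "unreported"), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: report the kernel's mitigation status for the three
# variants listed in this advisory, read from the Linux sysfs interface.
# Function names are hypothetical; the sysfs entry names are the kernel's.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status FILE
# Prints: not-affected | mitigated | vulnerable | unreported | unknown
classify_status() {
    if [ ! -r "$1" ]; then
        # No file: the kernel predates the reporting interface,
        # so assume nothing about its patch state.
        echo unreported
        return 0
    fi
    line=
    # "|| true" keeps a file without a trailing newline from failing.
    IFS= read -r line < "$1" || true
    case "$line" in
        "Not affected"*) echo not-affected ;;
        "Mitigation"*)   echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_variants [DIR]
# Prints one line per variant: "<variant> <CVE> <status>"
report_variants() {
    dir=${1:-$VULN_DIR_DEFAULT}
    while read -r variant cve entry; do
        echo "$variant $cve $(classify_status "$dir/$entry")"
    done <<EOF
variant1 CVE-2017-5753 spectre_v1
variant2 CVE-2017-5715 spectre_v2
variant3 CVE-2017-5754 meltdown
EOF
}

# needs_attention [DIR]
# Exit status 0 if any variant is neither mitigated nor not-affected.
needs_attention() {
    report_variants "${1:-}" | grep -Eqv ' (mitigated|not-affected)$'
}

report_variants "${1:-}"
```

This reports only what the running kernel states about itself; it does not cover Windows servers or confirm that a firmware or microcode update has been applied.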

Maintel's ICON services

ICON Connect equipment is unaffected, as these are closed systems where it is not possible to run malicious code at a local access level.

The ICON Secure platform is unaffected as these appliances are again closed systems unable to run malicious code at a local access level.

The ICON Communicate platform is based on VMware technology and provides Unified Communication and Contact Centre as a managed service to our customers. We do not allow customers administrative access to servers as part of this service.

Virtualisation

  • Variant 1 – patch has been released, currently being tested.
  • Variant 2 – the platform is already patched against this vulnerability.
  • Variant 3 – the hypervisor is not susceptible; however, operating systems running in a virtual machine will be, and will need to be patched as required.

Server and storage hardware

We are awaiting firmware patches from our vendor, which are in development and due to be delivered shortly.

Operating systems

Microsoft OS and browser patches have been tested in our laboratory and are ready for deployment in conjunction with the firmware updates when they arrive.

We will continue to post updates as the remediation work progresses.