AWS – Processor Speculative Execution Research Disclosure: News Concerning CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754

We talked about Meltdown and Spectre in this article.

Here is what AWS (Amazon) says:

Update As Of: 2018/01/07 11:30 PST

This is an update for this issue.

Amazon EC2

All instances across the Amazon EC2 fleet are protected from all known threat vectors from the CVEs previously listed. Customers’ instances are protected against these threats from other instances. We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads.

Recommended Customer Actions for AWS Batch, Amazon EC2, Amazon Elastic Beanstalk, Amazon Elastic Container Service, Amazon Elastic MapReduce, and Amazon Lightsail

While all customer instances are protected, we recommend that customers patch their instance operating systems. This will strengthen the protections that these operating systems provide to isolate software running within the same instance. For more details, refer to specific vendor guidance on patch availability and deployment.

Specific vendor guidance:

For operating systems not listed, customers should consult with their operating system or AMI vendor for updates and instructions.

Updates to other AWS services

Amazon Linux AMI (Bulletin ID: ALAS-2018-939)

An updated kernel for Amazon Linux is available within the Amazon Linux repositories. EC2 instances launched with the default Amazon Linux configuration on or after 10:45 PM (GMT) January 3rd, 2018 will automatically include the updated package. Customers with existing Amazon Linux AMI instances should run the following command to ensure they receive the updated package:

sudo yum update kernel

After the yum update is complete, a reboot is required for updates to take effect.

More information on this bulletin is available at the Amazon Linux AMI Security Center.

EC2 Windows

We have updated AWS Windows AMIs. These are now available for customers to use, and AWS Windows AMIs have the necessary patch installed and registry keys enabled.

Microsoft have provided Windows patches for Server 2008R2, 2012R2 and 2016. Patches are available through the built-in Windows Update Service for Server 2016. We are pending information from Microsoft on patch availability for Server 2003, 2008SP2 and 2012RTM.

AWS customers running Windows instances on EC2 that have “Automatic Updates” enabled should run automatic updates to download and install the necessary update for Windows when it is available.

Please note that Server 2008R2 and 2012R2 patches are currently unavailable through Windows Update and require manual download; Microsoft advise these patches will be available Tuesday, January 9th.

AWS customers running Windows instances on EC2 that do not have “Automatic Updates” enabled should manually install the necessary update when it is available by following the instructions here: http://windows.microsoft.com/en-us/windows7/install-windows-updates.

Please note, for Windows Server, additional steps are required by Microsoft to enable their update’s protective features for this issue, described here: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution.

ECS Optimized AMI

We have released Amazon ECS Optimized AMI version 2017.09.e which incorporates all Amazon Linux protections for this issue. We advise all Amazon ECS customers to upgrade to this latest version which is available in the AWS Marketplace. Customers that choose to update existing instances in-place should run the following command on each container instance:

sudo yum update kernel

The update requires a reboot of the container instance to complete.

Linux customers who do not use the ECS Optimized AMI are advised to consult with the vendor of any alternative / third-party operating system, software, or AMI for updates and instructions as needed. Instructions about Amazon Linux are available in the Amazon Linux AMI Security Center.

An updated Microsoft Windows EC2 and ECS Optimized AMI will be released as Microsoft patches become available.

Elastic Beanstalk

We will be releasing new platform versions that include the kernel update to address this issue within 48 hours. For Linux environments, we recommend that you enable “Managed Platform Updates” to automatically update within your chosen maintenance window once these updates are available. We will post instructions for Windows environments once the update is available.

AWS Fargate

All infrastructure running Fargate tasks has been patched as described above and no customer action is required.

Amazon FreeRTOS

There are no updates required for or applicable to Amazon FreeRTOS and its supported ARM processors.

AWS Lambda

All instances running Lambda functions have been patched as described above and no customer action is required.

RDS

RDS-managed customer database instances are each dedicated to only running a database engine for a single customer, with no other customer-accessible processes and no ability for customers to run code on the underlying instance. As AWS has finished protecting all infrastructure underlying RDS, process-to-kernel or process-to-process concerns of this issue do not present a risk to customers. Most database engines RDS supports have reported no known intra-process concerns at this time. Additional database engine-specific details are below, and unless otherwise noted, there is no customer action required. We will update this bulletin as more information is available.

RDS for MariaDB, RDS for MySQL, Aurora MySQL, and RDS for Oracle database instances currently have no customer actions required.

For RDS PostgreSQL and Aurora PostgreSQL, DB Instances running in the default configuration currently have no customer actions required. We will provide the appropriate patches for users of plv8 extensions once they are made available. In the meantime, customers who have enabled plv8 extensions (disabled by default) should consider disabling them and review V8’s guidance at https://github.com/v8/v8/wiki/Untrusted-code-mitigations.

For RDS for SQL Server Database Instances, we will release OS and database engine patches as Microsoft makes each available, allowing customers to upgrade at a time of their choosing. We will update this bulletin when either has been completed. In the meantime, customers who have enabled CLR (disabled by default) should review Microsoft’s guidance on disabling the CLR extension at https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server.

VMware Cloud on AWS

Please refer to the VMware security advisory here for more details: https://www.vmware.com/security/advisories/VMSA-2018-0002.html.

WorkSpaces

AWS will apply security updates released by Microsoft to most AWS WorkSpaces over the coming weekend. Customers should expect their WorkSpaces to reboot during this period.

Bring Your Own License (BYOL) customers, and customers who have changed the default update setting in their WorkSpaces should manually apply the security updates provided by Microsoft.

Please follow the instructions provided by Microsoft security advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002. The security advisory includes links to knowledge base articles for both Windows Server and Client operating systems that provide further specific information.

Updated WorkSpaces bundles will be available with the security updates soon. Customers who have created Custom Bundles should update their bundles to include the security updates themselves. Any new WorkSpaces launched from bundles that do not have the updates will receive patches soon after launch, unless customers have changed the default update setting in their WorkSpaces, in which case they should follow the above steps to manually apply the security updates provided by Microsoft.

WorkSpaces Application Manager (WAM)

We recommend that customers choose one of the following courses of action:

Option 1: Manually apply the Microsoft patches on running instances of WAM Packager and Validator by following the steps provided by Microsoft at https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution. This page provides further instructions and downloads for Windows Server.

Option 2: Rebuild new WAM Packager and Validator EC2 instances from updated AMIs for WAM Packager and Validator which will be available by end of day (2018/01/04).

=========================================================

2018/01/03 14:45 PST

AWS is aware of recently disclosed research regarding side-channel analysis of speculative execution on modern computer processors (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754). These are vulnerabilities that have existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices.

All You Need To Know About Spectre And Meltdown

A pair of bugs has silently infested CPUs from Intel, AMD, and ARM for years.


After two days of whirlwind developments, we finally have more of a complete picture of the new vulnerabilities that impact processors from the leading vendors. Reports initially surfaced two days ago that Intel’s processors are susceptible to a new hardware-based bug that cannot be patched with a mere microcode update. A report from The Register, based in part on a blog post, said that incoming Windows and Linux patches would correct the vulnerability but come with a 5-30% performance loss depending on the workload.

The industry remained silent due to NDAs that were scheduled to expire on January 9, the same date as a round of patches were scheduled to appear. After a day of silence while its stock slumped, Intel issued a statement and claimed the issue is not a hardware bug. Intel also announced that it’s working with other titans of the industry, such as AMD and ARM Holdings, to “develop an industry-wide approach to resolve this issue promptly and constructively.” AMD has since released a statement and claimed that it has minimal exposure to the primary vulnerability.

The root issues behind the vulnerabilities weren’t clearly defined at the time, but a slew of releases from several of the parties involved, along with Google’s Project Zero team, have shed light on two new exploits that have served as the catalyst for the recent developments. We’ll cover the new exploits below; then we’ll get to the updates from Intel, ARM, AMD, and Nvidia.

Performance First

Before we dive into the nuts and bolts, recent tests indicate the patch does not impart a cataclysmic performance loss in most workloads. Phoronix tested the Linux patch, and Computerbase.de tested a patched Windows Insider build.

The good news? Most desktop applications appear to be safe in both Windows 10 and Linux. That includes most workloads that are largely confined to the user space, such as gaming and normal productivity applications. There does appear to be a slowdown to storage I/O operations (2-7%), but for now it’s hard to ascertain if that is due to the patch or other kernel updates. The Windows 10 patch was rolled out to the Windows Insider builds in November, and there haven’t been reports of performance issues.

The bad news? The patch does incur a performance overhead to some enterprise applications. Phoronix recorded significant performance regressions in the object-relational PostgreSQL database. Redis also suffers a performance loss. Many industry analysts feel the real impacts will come in virtualized environments, but we have yet to see benchmarks. Google has already updated all its cloud infrastructure, which includes its cloud computing services, and we haven’t yet heard of significant user backlash due to reduced performance.

Meet Meltdown & Spectre

Google’s Project Zero touched off the vulnerability scare when it discovered that it could access data held in the protected kernel memory through two exploits that are now known as Meltdown and Spectre. Google does not believe these exploits have ever been used in the wild, but it’s impossible to tell if they have or not.


Meltdown is both easy to execute and easy to fix. This exploit allows applications to read from the protected kernel memory. That ability can allow hackers to read passwords, encryption keys, or other data from the memory. Intel’s statement specifically noted that the exploits cannot corrupt, modify, or delete data, but those points are moot if the attacker can access passwords and encryption keys. The biggest concern for data centers and cloud service providers is that the exploit also allows an application resident in one virtual machine to access the memory of another remote virtual machine. This means an attacker could rent an instance on a public cloud and collect information from other virtual machines on the same server.

Researchers have been able to execute a Meltdown exploit only on Intel processors, although ARM has submitted patches to protect itself from the same method of attack. In fact, the attack exploits Intel’s out-of-order execution implementation that is present on every Intel processor made since 1995. Researchers discovered Meltdown last year. The exploit is reportedly simple enough that a script kiddie could execute the attack, so a fix is of utmost importance.

Apple already patched this exploit in the MacOS December OSX patch (10.13.2). Windows is also pushing emergency patches out immediately. The Linux kernel has also been patched. These patches do have performance impacts, as we noted above, that largely revolve around how frequently the application issues kernel calls.

The Spectre exploit is much more nefarious and impacts Intel, AMD, and ARM. This exploit can access kernel memory or data from other applications. Researchers contend that fixing this exploit would require a fundamental re-tooling of all processor architectures, so we’ll live with the threat of this vulnerability for the foreseeable future. Fortunately, this exploit is extremely hard to execute and requires an elevated level of knowledge of the interior workings of the target processor.

These two exploits are categorized into three variants. Variants 1 and 2 are Spectre, whereas Variant 3 is Meltdown. Intel is vulnerable to all three.

Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)
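One way to confirm, after the `sudo yum update kernel` and reboot described in the Amazon Linux section, that the running kernel actually reports mitigations for the three variants listed above. This is an added example, not code from AWS or from the article; it assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (older kernels lack these files, and the script reports them as unknown rather than safe).

```python
"""Report Linux kernel mitigation status for the three Meltdown/Spectre variants.

Added example; assumes the sysfs vulnerabilities interface is present.
"""
import os
from typing import Dict

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# CVE -> (variant name as the article lists it, sysfs file name)
VARIANTS = {
    "CVE-2017-5753": ("Variant 1: bounds check bypass (Spectre)", "spectre_v1"),
    "CVE-2017-5715": ("Variant 2: branch target injection (Spectre)", "spectre_v2"),
    "CVE-2017-5754": ("Variant 3: rogue data cache load (Meltdown)", "meltdown"),
}


def classify(status_line: str) -> str:
    """Map one sysfs status line to a coarse verdict.

    The kernel writes lines such as "Not affected", "Vulnerable",
    "Vulnerable: <partial state>" or "Mitigation: PTI". Anything else
    (including an empty string for a missing file) is "unknown", never "safe".
    """
    text = status_line.strip()
    if text.startswith("Not affected"):
        return "not-affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(sysfs_dir: str = SYSFS_DIR) -> Dict[str, str]:
    """Return {CVE: raw status line}; '' when the sysfs file is absent."""
    result = {}
    for cve, (_, fname) in VARIANTS.items():
        try:
            with open(os.path.join(sysfs_dir, fname)) as fh:
                result[cve] = fh.read().strip()
        except OSError:
            result[cve] = ""
    return result


def needs_action(statuses: Dict[str, str]) -> Dict[str, bool]:
    """True for each CVE whose status is not proven mitigated or unaffected."""
    return {cve: classify(line) not in ("mitigated", "not-affected")
            for cve, line in statuses.items()}


if __name__ == "__main__":
    for cve, line in read_status().items():
        name = VARIANTS[cve][0]
        print(f"{cve} {name}: {line or 'no sysfs entry'} -> {classify(line)}")
```

Run it on the instance after the reboot; any "vulnerable" or "unknown" line means the kernel update did not take effect or the kernel predates this interface.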

Levels Of Exposure

We reached out to AMD, and the company responded with the following information, which has since been publicly released.

Most notably, AMD claims that it has zero vulnerability to Variant 3 (Meltdown), stating that the patches that are currently being issued for Meltdown do not apply to its processors due to “architectural differences.” This is excellent news for AMD, as it therefore has no exposure to the current round of potentially performance-sapping patches. That bodes very well for the company as it reenters the data center with a competitive line of EPYC processors.

The Ryzen desktop processors are also not susceptible to Meltdown. Linus Torvalds has also granted AMD an exemption to the performance penalties incurred by the Linux patch for Meltdown.

AMD is vulnerable to Variant 1, which is a Spectre exploit. As noted above, many contend that Spectre is not likely to see an effective patch any time soon, and some researchers claim the vulnerability exists in every modern processor architecture in existence. They also claim that fixing the issues could require a redesign of fundamental processor architectures. AMD said it has a patch that can mitigate Variant 1 with minimal performance impact and further stated that it has a “near zero risk of exploitation” from Variant 2, which is also a Spectre exploit.

Nvidia also issued a statement regarding the vulnerabilities:

Nvidia’s core business is GPU computing. We believe our GPU hardware is immune to the reported security issue and are updating our GPU drivers to help mitigate the CPU security issue. As for our SoCs with ARM CPUs, we have analyzed them to determine which are affected and are preparing appropriate mitigations.

ARM Holdings has added a security update to its website that outlines its exposure to the vulnerabilities, and like Intel, it is susceptible to all three variants.

The legal ramifications of these developments could be troublesome. The Law Offices of Howard G. Smith has already announced an investigation on behalf of Intel Corporation investors, and there will likely be more similar developments in the coming weeks. Intel has a history of establishing a reserve to cover pending large-scale hardware replacements, but the company has not disclosed a new fund to deal with the vulnerabilities. The company has also stated that it does not expect any impact to its business.

Intel’s statement on the matter specifically says that the exploits are not caused by a “bug” or a “flaw” that is unique to Intel products. Intel also noted that the exploits can “gather sensitive data from computing devices that are operating as designed.” These statements likely indicate Intel will defend any potential claims because “the hardware is working correctly.” Depending on when these vulnerabilities became known (some claim that Meltdown-type attacks have been a known entity since 2010), these points may be challenged in court. ARM and other vendors may also face similar challenges.

Intel’s CEO, Brian Krzanich, also sold $39 million in stock in November 2017 (this doesn’t include the amount he paid for the stock options). These transactions initially appeared innocuous (and they may be) because Krzanich sold the stock under a 10b5-1(c) plan, which is a pre-planned sale of stock intended to prevent claims of insider trading. The sale left Krzanich with the Intel-mandated minimum of 250,000 shares. The sale was pre-planned on October 30. Now, though, MarketWatch claims Intel was made aware of the vulnerability on June 1, which may draw attention to the matter from regulatory officials. Business Insider said a representative for the Securities and Exchange Commission declined to comment on the matter.

Considering the lengthy preparation period, we imagine there will not be any major service disruptions to the cloud service providers. However, we expect more details to come to light concerning performance impacts of the new patches on various workloads. Stay tuned.
