This week the technology media and national press has been full of coverage of two recently discovered vulnerabilities in Intel, AMD and ARM CPU technology, now collectively known as Meltdown and Spectre.
In this post we look briefly at some of the tech behind these flaws and how Secura are dealing with patching Meltdown and Spectre to protect our customers.
The Register released details of the vulnerabilities early this week, with further in-depth detail disclosed after work by the Google security research team.
Within a multi-tenant cloud platform, the concern from a security perspective is that a guest virtual machine could exploit this vulnerability to access the host machine’s physical memory and access data from other virtual machines.
The vulnerabilities take advantage of the way that modern CPUs speculatively execute code to deliver fast performance when we use our laptops or run commands on servers. If these ‘best guess’ commands are incorrect, then the CPU will run the actual operations required.
Meltdown takes advantage of this design by inputting processes that cause the CPU to speculatively fetch data, bypassing its normal security processes.
For an in-depth look at Meltdown and Spectre, head over to the Register article which is extensive and offers further reading, should you want it.
VMware have today shared information with Secura and other service providers which reveals that the latest VMware ESXi version 6 build contains a security update to mitigate the potential information disclosure risk caused by the recently discovered bugs in Intel CPUs.
The VPC service is a multi-tenant infrastructure (today running VMware ESXi version 6 hypervisors) and therefore Secura will be accelerating the patching of the VMware ESXi software to ensure that customers are not at risk of exploitation of this vulnerability between virtual machines on the Secura VPC.
Secura is already running this updated ESXi version on the majority of its VPC hypervisors and we have not observed any negative impact following deployment of this update. VMware have communicated that they have not witnessed any performance impact during testing of this update.
In light of the extended media coverage of this exploit, Secura are planning to pull forward the deployment of the VMware ESXi updates for the affected Secura VPC availability zones. Updates will be published via the Secura Status pages at: http://www.securastatus.com.
Whilst this will secure the risk of data leakage between virtual machines it will not mitigate against the risk of data leakage within individual virtual machines. To protect against this threat operating system specific security updates must be installed.
Secura customers with Managed Operating System services for Windows Server or Linux will automatically have these updates applied, non-managed customers are welcome to contact Secura through the service desk if they require assistance.
As Secura’s CTO, Dan is responsible for the team that design, build and maintain our cutting edge cloud hosting infrastructure. He is also the dishwasher police – stack it or else.
Tweet me at: