Meltdown and Spectre bugs in Intel, AMD, ARM processors

Serious security vulnerabilities have been found in modern Intel, AMD and ARM processors. They allow attackers to steal sensitive data that is currently being processed on the computer, including passwords and banking information.

These hardware bugs, named Meltdown and Spectre, were independently discovered and reported by Google's Project Zero and by academic researchers from several countries. They can affect desktops, laptops, cloud servers, tablets and smartphones from any vendor, regardless of the operating system they run.

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Which cloud providers are affected by Meltdown?

Cloud providers that use Intel CPUs with Xen PV virtualization and have not applied patches. Cloud providers without real hardware virtualization, relying instead on containers that share one kernel (such as Docker, LXC or OpenVZ), are also affected.

Is Holbihost affected by Meltdown?

Holbihost uses KVM with real hardware virtualization for its cloud infrastructure, so customers' cloud servers are isolated from each other: a Meltdown attack running inside one guest cannot read memory belonging to the host or to other guests. Each guest still needs a patched kernel to protect its own operating system memory from the processes running inside it. Moreover, with Managed Service enabled we do not grant server administrator privileges to our customers on Cloud VPS. Together this significantly complicates exploiting Meltdown on our servers.

But Holbihost still has clients on the "Virtual Server" plans, which are based on OpenVZ container virtualization and therefore share one kernel between containers. We will offer these clients migration of their projects to Cloud VPS plans.

What is Holbihost doing to protect its hosting infrastructure from the Meltdown and Spectre flaws?

The Holbihost security team is fully mobilized. We are continuously monitoring Linux distribution vendors for kernel patches for the operating systems used in our hosting infrastructure.

We are applying OS kernel patches against Meltdown for the Linux distributions CentOS 6, CentOS 7 and Debian 9.

We are waiting for OS kernel patches against Meltdown for Debian 7 and Debian 8.

#UPDATE 1: January 8, 2018

Holbihost has finished updating customers' Dedicated and Cloud Servers against Meltdown with patched Linux kernels for CentOS 6, CentOS 7 and Debian 9.

We have started updating the Linux kernel on servers running Debian 7 and Debian 8.

#UPDATE 2: January 10, 2018

Holbihost has finished updating customers' Dedicated and Cloud Servers against Meltdown with patched Linux kernels for Debian 7 and Debian 8.

Our security team continues to audit how the Linux kernel updates affect server performance, given the overhead caused by the Kernel Page Table Isolation (KPTI, also known as KAISER) patches. The cost falls mainly on syscall- and interrupt-heavy workloads, because every transition between user space and the kernel now switches page tables; CPUs with PCID support pay noticeably less for each switch.
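After a kernel update it is worth confirming on each server that the mitigation is actually active rather than trusting the package version. The script below is an added example, not Holbihost's own tooling: it reads the sysfs "vulnerabilities" files that patched kernels expose (introduced upstream in 4.15 and backported to distribution kernels) and falls back to the "pti" CPU flag in /proc/cpuinfo for early KPTI backports that predate that interface. The function and variable names are this example's own, and the sysfs and cpuinfo paths are parameters only so the logic can be exercised on constructed input.

```shell
#!/bin/sh
# Added example (not Holbihost's own tooling): report whether the running
# kernel has the Meltdown/Spectre mitigations active.

# classify_mitigation STATUS_TEXT
# Maps the text of one /sys/devices/system/cpu/vulnerabilities/<flaw> file
# to a one-word verdict. The kernel prints lines such as "Not affected",
# "Vulnerable", "Mitigation: PTI" or "Vulnerable: Minimal generic ASM retpoline".
classify_mitigation() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# cpuinfo_has_flag FLAG CPUINFO_FILE
# Succeeds if FLAG appears on a "flags" line of a /proc/cpuinfo-style file.
cpuinfo_has_flag() {
    grep -E '^flags[[:space:]]*:' "$2" 2>/dev/null | grep -qw -- "$1"
}

# meltdown_status [SYSFS_DIR] [CPUINFO_FILE]
# Verdict for Meltdown on this machine. Defaults are the real kernel
# interfaces; the arguments exist so the logic can be tested on constructed
# files. Early KPTI backports had no sysfs entry but set the "pti" CPU flag
# when page-table isolation is enabled.
meltdown_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    cpuinfo="${2:-/proc/cpuinfo}"
    if [ -r "$dir/meltdown" ]; then
        classify_mitigation "$(cat "$dir/meltdown")"
    elif cpuinfo_has_flag pti "$cpuinfo"; then
        echo mitigated
    else
        echo unknown
    fi
}

# report_all [SYSFS_DIR]
# Prints one line per flaw for the three entries the January 2018 kernels expose.
report_all() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for v in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$v" ]; then
            text=$(cat "$dir/$v")
            printf '%-10s %-13s %s\n' "$v" "$(classify_mitigation "$text")" "$text"
        else
            printf '%-10s %s\n' "$v" "unknown (no sysfs entry; kernel may predate the interface)"
        fi
    done
}

report_all
```

Run it on the host and, for KVM customers, inside each guest as well, since the guest kernel protects the guest's own memory. A kernel with KPTI active also logs "Kernel/User page tables isolation: enabled" at boot, visible with `dmesg`; a server that reports "Vulnerable" after the package upgrade has usually not been rebooted into the new kernel.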

Any new information about Meltdown and Spectre will be added to this article.
