Overview
Since a patch hit the Linux kernel in late December 2017, it indicated that there was a potential (and critical) security flaw in the way CPU’s allocate memory. As no official security report had been published, there had been a lot of speculation in regards to the underlying issue. This speculation grew and various guesses were made (like this one) in regards to the flaw, which appeared to be a potential bug in within the Intel CPU.
As the full report shows, there are two vulnerabilities regarding system memory and it’s wider than just Intel. The main vulnerability has been named “Meltdown“, which if successfully exploited would allow malicious code to read system memory it’s not meant to be able to access. In real world terms, this means there’s the potential for malicious browser code to read areas it’s not meant to (eg your logins and passwords) or for a Virtual Private Server (VPS) to read the memory allocated to a different VPS.
At this point we aren’t aware of any real world exploits. We are certainly taking this vulnerability very serious and reviewing all information as it comes to hand. We will update this article if any further details or exploits have been discovered.
Will my Conetix VPS be impacted?
For all Conetix VPS’s, there will be very little to no impact. At present, we haven’t been made aware of any real-world exploit of the issue but we are constantly monitoring. To be exploited, hackers would have to upload code to a server, which also means it would have to bypass our multi-layered security policies.
We are currently awaiting a patch from our upstream vendor to apply to our systems. The advantage of our platform means that we can apply security patches without rebooting, something which many of the other large providers don’t supply. This should mean that there’s little to no impact nor downtime for your VPS.
Update 06 January 2017: Conetix has begun testing the patches on a small number of systems to ensure reliability and integrity.
Update 10 January 2017: Updates are being progressively applied to all server clusters. No issues have been noted so far, if there are any problems please ensure you contact our support team.
Update 11 January 2017: In order to apply microcode updates, each of the servers needs to complete a full reboot. We are applying these over the next few days in order to ensure the highest levels of mitigation against both attack vectors. This will result in a small, 10-15 minute outage and your server will be paused during this period. Due to the severity of the issue, we’re bringing these patches forward to err on the side of caution and ensure the systems are protected.
Initial reports indicate that there may also be a performance drop after the patch has been applied. At this stage, Conetix hasn’t verified the performance impact (since patches aren’t available yet), but it should be minimal based on the fact we use modern Intel CPU’s with the “pcid” feature set. As we also undersell our hardware to ensure there’s sufficient headroom for burst activity, which means even with an increase in CPU load we’ll be able to handle and redistribute without impact.
What else is affected?
In short, any laptop, tablet, PC or phone using Intel or ARM chips meaning 99% of the market. There is potential for malicious javascript or browser based flaws to exploit the vulnerability which could potentially give hackers access to your secure information such as your passwords. Conetix recommends ensuring that all browsers and operating systems are kept-up-to-date in order to mitigate this issue. Various vendors such as Mozilla, Google and Microsoft will be releasing patches over the next two weeks so users should remain vigilant by only browsing known, secure sites.
Further Reading
Google Security Blog: https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
Google Project Zero report: https://googleprojectzero.blogspot.com.au/2018/01/reading-privileged-memory-with-side.html
Official website: https://meltdownattack.com/
RedHat Summary: https://access.redhat.com/security/vulnerabilities/speculativeexecution