SECURITY AND PERFORMANCE: INTEL CPU FLAW DISCOVERED – Updated!

Security and performance, Yin and Yang: we always seem to be doing the dance of trying to secure our systems while at the same time making sure that they perform well. This is one of the prime focuses of this blog, and in most cases this balance can be made to work in beautiful harmony. Unfortunately there are always those who seek to benefit by taking advantage of the weakness of others, so we must be diligent and always keep our guard up.

This week several critical flaws were discovered that affect Intel processors from workstation to server class going back to 1995! These flaws read like a very typical advisory and go something like this: “A vulnerability has been discovered which could allow an attacker to gain unauthorized…” The big difference with this one is that it affects microcode buried deep in the hardware which is inaccessible, so a regular patch is not possible. The only possible answers are to either go out and buy a new processor which is not affected by the flaw or come up with a software fix. Intel has scrambled and managed to work up a software-based fix which will protect you, but it comes at a (performance) cost.

The ramifications of these vulnerabilities, being called Meltdown and Spectre, are going to be very disruptive. At the very least, applying any of the updates to correct the issue will require a reboot of the systems. Think about your own datacenter and how many servers this might affect; add in virtualization and how many virtual servers are running on hosts, and the number of servers quickly adds up to hundreds, sometimes thousands, in many datacenters. Now think about cloud providers, e.g. Azure, AWS, Google, etc., with potentially millions of servers, and your head quickly starts to spin. If this was not bad enough, early reports are showing that the software fix can impact performance of the processors by as much as 30%!

If you are thinking that this probably does not affect you and you can take a wait-and-see approach, please be aware that the Spectre flaw allows applications to extract information from other applications running on the same system: think passwords, JavaScript, cookies, etc. Again, this applies to servers as well as desktops and laptops, really anything with an Intel chip.

If all of this is not enough to put you on edge, here is a final note: an administrative user on a guest VM could gain access to the host's processor and read the kernel memory, thereby gaining access to the data of all the VMs running on that host. Intel has released a tool to check if your processor is affected by the bug, and we encourage everyone to download the tool as soon as possible.

Here is a list of helpful links:

Intel check if your processor is affected: https://downloadcenter.intel.com/download/27150?v=t

VMware Updates: https://lists.vmware.com/pipermail/security-announce/2018/000397.html

Full information on the flaw: https://meltdownattack.com/


UPDATE: January 8th, 2018

Microsoft has released two articles that provide guidance on how to deal with this issue. One for Desktops and one for Servers. The links are provided here:

Server: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution


Client: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
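The Microsoft server guidance linked above ships a PowerShell module (SpeculationControl) that reports whether the microcode and OS mitigations are actually present and enabled on a host. The script below is an added example, not code from the original post or from Microsoft; it wraps that module's `Get-SpeculationControlSettings` cmdlet in a summary function and assumes an elevated session with access to the PowerShell Gallery.

```powershell
function Get-SpeculativeExecutionStatus {
    # Install Microsoft's SpeculationControl module from the PowerShell Gallery
    # if it is not already available (assumption: gallery access; run elevated).
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl

    $s = Get-SpeculationControlSettings

    # Spectre variant 2 (branch target injection) is only mitigated when the
    # updated microcode is loaded AND the OS support is present AND enabled.
    # On Windows Server the OS mitigation stays disabled until the registry
    # settings described in KB4072698 are applied and the host is rebooted.
    $spectreV2 = $s.BTIHardwarePresent -and $s.BTIWindowsSupportPresent -and $s.BTIWindowsSupportEnabled

    # Meltdown (rogue data cache load) is mitigated by kernel VA shadowing;
    # a CPU that does not require it counts as mitigated.
    $meltdown = (-not $s.KVAShadowRequired) -or $s.KVAShadowWindowsSupportEnabled

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MicrocodeLoaded    = [bool]$s.BTIHardwarePresent
        OSSupportPresent   = [bool]($s.BTIWindowsSupportPresent -and $s.KVAShadowWindowsSupportPresent)
        SpectreV2Mitigated = [bool]$spectreV2
        MeltdownMitigated  = [bool]$meltdown
        # PCID lets the Meltdown fix avoid full TLB flushes on every kernel
        # transition; False means the performance hit will be larger.
        PcidOptimization   = [bool]$s.KVAShadowPcidEnabled
    }
}

# Local check; the same function body can be sent to each server with Invoke-Command.
Get-SpeculativeExecutionStatus | Format-List
```

A host that shows OSSupportPresent = True but SpectreV2Mitigated = False has the patch installed but not enabled, which is the default state on servers until the KB4072698 registry settings are applied and the host rebooted.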

Please contact Helient for more information and to put together a plan to protect your environment. We will continue to monitor this situation closely and update this blog posting with any relevant information as it becomes available.

Stay safe!

Aaron
