A new set of processor (CPU) vulnerabilities, known collectively as Meltdown and Spectre, has become public. These vulnerabilities take advantage of the way that modern processors execute code in order to speed up performance, which can lead to information leakage between applications, users and so on.
The vulnerabilities affect almost all operating systems and hypervisors in some way, since they are present in most modern processors from Intel, AMD and ARM, and have existed for at least twenty years without discovery.
What are Meltdown and Spectre?
Cloudflare have put together an excellent non-technical explanation of how Meltdown and Spectre work and why they are causing trouble. Non-technical readers interested in the details of the situation can read this here.
For a more technical overview, please visit Spectre Attack.
Am I vulnerable?
Almost certainly. We can say for certain that customer Windows and Linux VMs and dedicated servers must have the latest round of patches applied in order to mitigate some of the greatest risks.
As this issue involves functionality deep within almost all processors’ instruction sets, assessing actual vulnerability to Meltdown and Spectre is a complex and evolving process. A number of existing features of Memset’s various hypervisor, infrastructure and service segregation methods can either limit the risk posed by these new vulnerabilities or, in some cases, fully mitigate it. However, this should not be taken as full protection at this moment in time.
Since the announcement, we have continuously assessed the evolving state of play. Where we believe there may be the possibility of a vulnerability in our infrastructure or hypervisors, we are taking timely action to mitigate the risks and are applying multiple layers of protection.
Has this been exploited?
Unfortunately, the nature of Meltdown and Spectre lends itself to stealthy attacks that are difficult to detect. The normal responsible disclosure processes followed by most vendors and security researchers did not work fully in this instance. The vulnerabilities have been published without a full set of patches in place for all common OSes and applications. As such, Meltdown and Spectre are close to zero-days and therefore present a higher practical risk to vulnerable systems.
What can customers do?
One action that customers can take is to apply the latest Windows or Linux patches to their operating system. We strongly encourage Memset customers to patch their VMs and dedicated servers immediately or to make a request via a support ticket for Memset to do so.
By applying the latest OS patches, customers can protect themselves from a portion of the risk.
Meltdown and Spectre almost certainly affect customers’ other devices as well: any other servers, laptops, PCs and mobile devices, whether Linux, Windows or Apple. We strongly recommend that customers ensure that the latest patches are applied to these devices, and in particular to any web browsers installed.
See our documentation pages for the latest information on patches for Meltdown.
Regularly check for new patches, as OS and application protection against Meltdown and Spectre is expected to evolve, with new patches being released for some time.
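As an added example (not part of this advisory and not Memset tooling), the following POSIX shell check reads the per-issue status files that Linux kernels carrying the fixes expose under /sys/devices/system/cpu/vulnerabilities/, so a customer can confirm after patching and rebooting that the kernel actually reports a mitigation for each issue. The optional directory argument and the sample status strings in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Check the Meltdown/Spectre mitigation status a patched Linux kernel reports.
# Kernels carrying the fixes expose one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2);
# each reads "Not affected", "Vulnerable[: detail]" or "Mitigation: <detail>".
# The directory can be overridden (assumed for testing with constructed files).

# Classify one status string: ok (not affected, or a mitigation is active),
# vulnerable, or unknown for text this script does not recognise.
classify_status() {
    case "$1" in
        "Not affected"*) printf 'ok\n' ;;
        "Mitigation:"*)  printf 'ok\n' ;;
        "Vulnerable"*)   printf 'vulnerable\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# Print "<issue> <class> <kernel text>" for every file in the directory.
# Exit status: 0 = all reported issues mitigated, 1 = at least one still
# vulnerable, 2 = no reporting interface (kernel predates the fixes, so
# treat the host as unpatched rather than as safe).
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        printf 'no %s: kernel does not report mitigations, assume unpatched\n' "$dir"
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-12s %-10s %s\n' "$name" "$class" "$status"
        if [ "$class" = vulnerable ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Usage: check_mitigations [dir]   (defaults to the live sysfs directory)
```

Source the file and run `check_mitigations` on the patched host; a non-zero exit status means the kernel still reports an issue as vulnerable or cannot report at all.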
Patching hypervisors and Memset internal infrastructure
Memset is continually assessing the full range of our internal systems and hypervisors to determine if vulnerability to Meltdown and Spectre is a possibility in each case. The situation regarding Meltdown and Spectre is rapidly evolving and many vendors have not yet confirmed vulnerability or released patches. Where we consider a system to be potentially vulnerable we will apply any released patches at the earliest opportunity.
As such, customers should expect one or more reboots in the near future to ensure that no risk is posed to customers from Memset systems or via their Cloud infrastructure and hypervisors. We will ensure that disruption from any future related maintenance is minimised and that any maintenance window is communicated to customers as per our service level agreement.
We will release further updates and information to customers as they become available.