Meltdown and Spectre vulnerabilities

Introduction

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.

Meltdown

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.

Spectre

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.

Citrix Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

A new class of issues has been identified in common CPU architectures. The presently known issues could allow unprivileged code to read privileged memory locations. Citrix is analysing the potential impact of these issues across its product range. This bulletin will be updated as further information becomes available on the impacts of these issues and their variants. Please note that, although these are issues in the underlying processor hardware, Citrix intends to provide software updates, together with our partners, to mitigate these issues where practical. Please review the following sections for information on your specific Citrix products. This bulletin will be updated as more information becomes available. Customers can receive e-mail notifications about updated or new security bulletins by subscribing at the following address: https://support.citrix.com/user/alerts .

Products that we believe are not impacted:

  • Citrix XenMobile Server: Citrix believes that currently supported versions of Citrix XenMobile Server are not impacted by the presently known variants of these issues.
  • Citrix XenMobile MDX Toolkit and SDK: Citrix believes that currently supported versions of Citrix XenMobile MDX Toolkit and SDK are not impacted by the presently known variants of these issues.
  • Citrix NetScaler (MPX/VPX): Citrix believes that currently supported versions of Citrix NetScaler MPX and VPX are not impacted by the presently known variants of these issues.
  • Citrix NetScaler AppFirewall Platforms: Citrix believes that currently supported versions of Citrix NetScaler AppFirewall Platforms are not impacted by the presently known variants of these issues.
  • Citrix NetScaler Management Analytics Service (MAS): Citrix believes that currently supported versions of the Citrix NetScaler Management Analytics Service are not impacted by presently known variants of these issues.
  • Citrix Command Center: Citrix believes that currently supported versions of the Citrix Command Center, both hardware and software components, are not impacted by presently known variants of these issues.
  • Citrix NetScaler Insight Center: Citrix believes that currently supported versions of Citrix NetScaler Insight Center are not impacted by the presently known variants of these issues.
  • Citrix NetScaler SD-WAN (Standard, Enterprise, WAN Optimization (except 1000WS/2000WS platform) editions) / SD-WAN Center: Citrix believes that currently supported versions of Citrix NetScaler SD-WAN are not impacted by the presently known variants of these issues.
  • Citrix ShareFile StorageZones Controller: Citrix believes that currently supported versions of Citrix ShareFile StorageZones Controller are not impacted by the presently known variants of these issues.
  • Citrix License Server: Citrix believes that currently supported versions of Citrix License Server are not impacted by the presently known variants of these issues.
  • Citrix StoreFront: Citrix believes that currently supported versions of Citrix StoreFront are not impacted by the presently known variants of these issues.
  • Citrix App Orchestration: Citrix believes that currently supported versions of Citrix App Orchestration are not impacted by the presently known variants of these issues.
  • Citrix App Layering: Citrix believes that currently supported versions of Citrix App Layering are not impacted by the presently known variants of these issues.

Products that may require Third Party updates:

  • Citrix XenApp/XenDesktop: Citrix believes that currently supported versions of the core Citrix XenApp and XenDesktop products are not impacted by presently known variants of these issues. However, it is probable that the underlying operating system, drivers and CPU firmware will require updating. Citrix strongly recommends that customers contact their operating system and hardware vendors for information on how to obtain these updates.
  • Citrix Provisioning Services: Citrix believes that currently supported versions of Citrix Provisioning Services products are not impacted by presently known variants of these issues. However, it is probable that the underlying operating system, drivers and CPU firmware will require updating. Citrix strongly recommends that customers contact their operating system and hardware vendors for information on how to obtain these updates.
  • Citrix AppDNA: Citrix believes that currently supported versions of Citrix AppDNA are not impacted by presently known variants of these issues. However, it is probable that the underlying operating system, drivers and CPU firmware will require updating. Citrix strongly recommends that customers contact their operating system and hardware vendors for information on how to obtain these updates.
  • Citrix Linux VDA: Citrix believes that currently supported versions of Citrix Linux VDA are not impacted by presently known variants of these issues. However, it is probable that the underlying operating system, drivers and CPU firmware will require updating. Citrix strongly recommends that customers contact their operating system and hardware vendors for information on how to obtain these updates.
  • Citrix XenMobile Apps: Citrix believes that currently supported versions of Citrix XenMobile Apps are not impacted by presently known variants of these issues. However, it is probable that the underlying operating system, drivers and CPU firmware will require updating. Citrix strongly recommends that customers contact their operating system and hardware vendors for information on how to obtain these updates.
  • Citrix ShareFile Clients on Desktop and Mobile: Citrix believes that currently supported versions of Citrix ShareFile Clients are not impacted by presently known variants of these issues. However, it is probable that the underlying operating system, drivers and CPU firmware will require updating. Citrix strongly recommends that customers contact their operating system and hardware vendors for information on how to obtain these updates.
  • Citrix Receivers for Desktop and Mobile: Citrix believes that currently supported versions of Citrix Receivers are not impacted by presently known variants of these issues. However, it is probable that the underlying operating system, drivers and CPU firmware will require updating. Citrix strongly recommends that customers contact their operating system and hardware vendors for information on how to obtain these updates.
  • ByteMobile products: When deployed in line with Citrix recommendations, Citrix believes that currently supported versions of ByteMobile products are not impacted by the presently known variants of these issues. However, Citrix strongly recommends that customers using virtualized installations of ByteMobile products contact their Citrix ByteMobile Telco Support contact for potential mitigation steps and further information.

Products that we believe are impacted:

  • Citrix NetScaler SDX: Citrix believes that currently supported versions of Citrix NetScaler SDX are not at risk from malicious network traffic. However, in light of these issues, Citrix strongly recommends that customers only deploy NetScaler instances on Citrix NetScaler SDX where the NetScaler admins are trusted.
  • Citrix NetScaler SD-WAN (WANOpt1000WS/2000WS): When deployed in environments with only trusted administrators, Citrix believes that currently supported WAN Optimization versions of Citrix SD-WAN on 1000WS/2000WS platforms are not at risk from malicious network traffic. Citrix strongly recommends that Citrix SD-WAN 1000WS and 2000WS administrators ensure that access to the Citrix supplied Windows VM is limited to trusted administrators only.
  • Citrix XenServer: Please see https://support.citrix.com/article/ctx231390 for information on Citrix XenServer.

Azure March 6th update

March 6, 2018 update: Please refer to the guidance for mitigating speculative execution side-channel vulnerabilities here.

An industry-wide, hardware-based security vulnerability was disclosed today. Keeping customers secure is always our top priority and we are taking active steps to ensure that no Azure customer is exposed to these vulnerabilities. At the time of this blog post, Microsoft has not received any information to indicate that these vulnerabilities have been used to attack Azure customers. The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. Many of you have received notification in recent weeks of a planned maintenance on Azure and have already rebooted your VMs to apply the fix, and no further action by you is required.

With the public disclosure of the security vulnerability today, we are accelerating the planned maintenance timing and will begin automatically rebooting the remaining impacted VMs starting at 3:30pm PST on January 3, 2018. The self-service maintenance window that was available for some customers has now ended, in order to begin this accelerated update. During this update, we will maintain our SLA commitments of Availability Sets, VM Scale Sets, and Cloud Services. This reduces impact to availability and only reboots a subset of your VMs at any given time. This ensures that any solution that follows Azure’s high availability guidance remains available to your customers and users. Operating system and Data disks on your VM will be retained during this maintenance. You can see the status of your VMs and if the reboot completed within the Azure Service Health Planned Maintenance Section in your Azure Portal.

The majority of Azure customers should not see a noticeable performance impact with this update. We’ve worked to optimize the CPU and disk I/O path and are not seeing noticeable performance impact after the fix has been applied. A small set of customers may experience some networking performance impact. This can be addressed by turning on Azure Accelerated Networking (Windows, Linux), which is a free capability available to all Azure customers. We will continue to monitor performance closely and address customer feedback. This Azure infrastructure update addresses the disclosed vulnerability at the hypervisor level and does not require an update to your Windows or Linux VM images. However, as always, you should continue to apply security best practices for your VM images. Please consult with the vendor of your operating systems for updates and instructions, as needed. For Windows Server VM customers, guidance has now been published and is available here.

Hyper-V notice

What are the Risks of Running without Patches?

Properly addressing Spectre and Meltdown will require more administrative effort than most other problems. Admins in large and complex environments will need to plan deployments. With unpredictable performance impacts, some will want to wait as long as possible before doing anything. The more avoidant of us will want to just ignore it as much as possible and hope that it just sorts itself out. Eventually, we’ll all have new chips, new operating systems, and redesigned applications that won’t be susceptible to these problems. That won’t be ubiquitous for some time, though. We need more immediate solutions.

In one sense, an unpatched system will be fairly easy to assault. Attacks can be carried out via simple JavaScript. Unprivileged user code can access privileged kernel memory. The processor cache is an open book for many of these vulnerabilities. It looks to me as though some attack vectors could be used to read essentially any location in memory, although some other accounts dispute that. These are hardware problems, so in the hypervisor world, they transcend the normal boundaries between virtual machines as well as the management operating system. These threats are serious.

However, they cannot be exploited remotely. Attacking code must be executed directly on the target system. That separates the Spectre and Meltdown vulnerabilities from other nefarious vectors, such as Heartbleed. Furthermore, Spectre-class attacks are a bit of a gamble from the attacker’s side. Even if they could read any location in memory, it will be mostly without context. So, something may look like a password, but a password to what? The clues might be alongside the password or they might not.

So, the risk to your systems is extremely high, but the effort-to-reward ratio for an attacker is also high. I do know of one concern: LSASS keeps the passwords for all logged-on users in memory, in clear text. You should assume that a successful Spectre or Meltdown attack might be able to access those passwords. Also, attacks can come from JavaScript in compromised websites. You shouldn’t be browsing from a server at all, so that could help. But what about remote desktop sessions? Do you keep those users off of the general Internet? If not, then any of them could unwittingly risk everyone else on the same host.

I cannot outline your risk profile for you, but I would counsel you to work from the assumption that a compromise of an unpatched system is inevitable.

Should I Patch My Hyper-V Hosts, Guests, or Both?

One of my primary research goals was to determine the effects of only applying OS patches, only applying firmware updates, and doing both. I did not find full, definitive answers. However, it does appear that some kernel protections only require OS updates. Others indicated that they would require firmware updates, but they did not make it clear whether or not a firmware update alone would address the problem or if a combination of firmware and OS updates were necessary. However, there is no question that the best protection only comes from updating your hardware and software.

Also, the guests’ kernels must be made aware of the changes to the physical layer in order to fully utilize their mitigation techniques, which can only be done if both the host and the guest are updated.

Therefore, for the fullest protection, you must:

  • Patch the host
  • Perform host configuration changes
  • Update the firmware on the host
  • Patch the guests
  • Cold boot the guests

Also, be aware that “host” means any Hyper-V host. Windows Server, Hyper-V Server, or desktop Windows — patch them all.
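As an added check that is not part of the quoted article, the following PowerShell reports where a Hyper-V host stands against the steps above: whether the OS patch and configuration are in effect, whether the CPU microcode (firmware) support is present, whether the hypervisor will expose the mitigations to guests, and which VMs still need a configuration upgrade or a proper shutdown before a cold boot. It assumes Windows Server 2016 or later with the Hyper-V module, an elevated session, and Microsoft's SpeculationControl module already installed; the MinVmVersionForCpuBasedMitigations registry value is the name Microsoft documented for this in its Hyper-V guidance and should be checked against your own vendor guidance.

```powershell
# Added example, not from the quoted article. Run on the Hyper-V host; the
# first part also runs unchanged inside each guest to verify the guest side.
# Assumes: Windows Server 2016+, Hyper-V module, elevated session, and
# Install-Module SpeculationControl already done.

Import-Module SpeculationControl -ErrorAction Stop
$sc = Get-SpeculationControlSettings -Quiet

# Branch target injection (Spectre v2) needs both microcode and the OS patch;
# KVA shadow is the Meltdown mitigation and needs only the OS patch.
[pscustomobject]@{
    'Microcode (BTI hw) present' = $sc.BTIHardwarePresent
    'BTI OS support present'     = $sc.BTIWindowsSupportPresent
    'BTI enabled'                = $sc.BTIWindowsSupportEnabled
    'KVA shadow required'        = $sc.KVAShadowRequired
    'KVA shadow enabled'         = $sc.KVAShadowWindowsSupportEnabled
} | Format-List

# Plain guest (no Hyper-V role): nothing more to check here.
if (-not (Get-Module -ListAvailable Hyper-V)) { return }

# Hyper-V exposes the mitigation CPU features only to VMs whose configuration
# version is at least this value (Microsoft-documented REG_SZ; absent means
# the host has not yet been configured for guest exposure).
$virt   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
$minVer = (Get-ItemProperty -Path $virt -ErrorAction SilentlyContinue).MinVmVersionForCpuBasedMitigations
"MinVmVersionForCpuBasedMitigations: $(if ($minVer) { $minVer } else { '<not set>' })"

# Per-VM: a Saved or Paused VM resumes with the old CPU feature set, so it
# must be shut down rather than resumed; a VM below the minimum configuration
# version needs Update-VMVersion (while shut down) before a cold boot helps.
Get-VM | Select-Object Name, State, Version,
    @{ n = 'NeedsConfigUpgrade'; e = { [bool]$minVer -and [version]$_.Version -lt [version]$minVer } },
    @{ n = 'MustShutDownFirst';  e = { $_.State -in 'Saved', 'Paused' } } |
    Format-Table -AutoSize
```

A guest that reports BTI hardware absent after the host shows it present has not been cold booted since the host update (or sits below the minimum configuration version).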


Sources: 

https://meltdownattack.com/

https://support.citrix.com/article/CTX231399

https://azure.microsoft.com/en-gb/blog/securing-azure-customers-from-cpu-vulnerability/

The Actual Performance Impact of Spectre/Meltdown Hyper-V Updates