Virtual ****** ********** ****
* **** *** ********** where **** ** ********* kernel ******* ****** ***** be discovered ** ************ **** software, ********* **** *** processor ****** *** ******** to ******* *******. ******** of ******** ******* ** experts *** ******** **** these ******* ******* *** way *** ********* ******* handle ******* ****** ***********. In *****, ****** ********* systems *** * ******* memory ********** ****** ***** memory ** ******* ********* into "******" ** ********* system *****, *** "****" or ******* *****. *** idea ****** **** ************ was ** ******** ****** performance, *** ******* ******** from ********* ****** **** by *** ******, ***** often ******** ********* **** or *** ******* ** manipulate **** ********** ** how *** ****** ******* tasks.
All ***** ********** ****** ********
*** ******* ** ********* with ** ***** ********* is ****** ********, ********** of ********* ******. ***** has *** ******** * list ** ******** **********, but *** ******* ****** management ******* **** ****** to ** ******** **** been **** ** *** ***** *** processors ******* *** *** last ****** ** ****, with *********** ** *********************** ** ***** ********** as *** **** ** 2007.
Moderate ****
***** **** **** **** not ***** **** ** be ******** ** *******, it ***** ** ********* to ****** ****** ***************, which ***** ****** ** significant **** **** ** disclosure. ***** ** ******* exploits have ******* **** ********* ** researchers, **** ** ***** can ** ******** ** a *** ******* ********* a ********* ****. *******, there *** *********** **** flaw *** ** **** to ***** * ********* program ******** ****** * virtual ******* ** *********** break *** ** *** VM *** ****** **** in ****** **** ***** normally ** ********** *********.
*** **** ******** * ********* program ** ** ****** and ******** ** * machine **** ** ******** processor, ******* **** ** takes **** **** **** remote ************* ** ****** a ****. ******** **** are ******** *******, *** are ********* **** ********* unknown **** *** ************* safe, ******* **** ** environment ** **** ********* to ******** ** ********, particularly **** *** *** used *** ******* ** different *********** ** ******** (e.g.: ****** *********, ** corporate ******* ****** ** a ******* ** ***********), and **** ***** ****** consider **** ** ******* ****** on ******* ***** **** lack **** *******.
Significant *********** ****** **** *******
*********** ******* ** ** 50% *** ***** **** on ******* *******, **** a ******* ********* ** ~30% *********** ****** *** many *****. ****** ****** ****** they **** ********* * patch *** ***** ******* that ************ *********** ******. ******* ****** ******* on ********** ********* *** specific ********* ****. *******, it ****** ** ***** that **** ******* *** run ** *** **** than ***% ** ********* load, ** ***** *********** impacts *** *** ************* slow **** ******* ********* of ******* **** *******.
*** ******* ***** ****** out ** ******* ********* systems primarily ****** ********** **** **** significant ******* ** ********** I/O, ** ** ****** in *** *******. ***** patches ********** *** *** processors ********* ** ***** protect *** ****** ****** space **** ***** ******** by **** ********. *** methodology **** ** ** this ******* ** * significant ******** ** ****** "swapping", ** *** ******* memory ********* *** *********** been *** ** ****, as ******* **** ** kept ** *** ******* half ** *** ******* memory ***** ** ** effort ** ****** *** amount ** **** **** could ** ******* ** probing ******* **** ********* user ****. *** ******** to *** ******* ****** and ********* ******** ** a *********** ******.
Core ******* *** **** ****** ***
*********** *** ***** ** release **** ******* *** additional ***********, **** **** *** made **** ******* ** the **** ****** ***, releasing ***** ******* ***** embargo ** ********* ****** developers ** ****** **** to ****** *** ********** patches ** ******* ** full **********. ** ** expected **** ***** **** release **** ******* ** the ****, *** ******* vulnerabilities, ******** ** ******* 2018. ******* ** **** information *** **** ***********, and ******** **********, ****** understand *** ***** *** how ** ******** *********** impacts.
AMD ********** **** ********
***, ***** ******* ********** designed ** ** ** alternative ** ***** ********, ****** to *** ** ******** to *** **** ****** as ***** [**** ** longer *********]. *** *** variant ** ****** ***** they *** ********, **** anticipate ***** *********** *******, though ***** ********** **** not **** ***** ******** by *********** ***.
Video ************ *** ** *****
***** ** ****** ******** as *** ******** ********* company ** *** ****** and *********** ********* *****, and **** ***** ******** are ******* ******** ** computers ******** *** ******** and ************ ************.
* ****** ** ******* and ************ ********* **** Avigilon, *****, *******, *********, and ****** *** ****** ********* use ** ***** **********.
Impact ** *** *******
*********** ******** **** ******** VMS ************* ********* **** performance ******* *** ******, with *** ********* * 20% ****** ** ********* performance, *** ************* **** not *** ***** *********** the ****** ** ***** impacts, ** ******** ****-*******. Most ****** **** **** in *** ******* ** applying *** ******* ** test ******* *** ********* impact, **** ***** ** release ********** *********** ** the ****** *****. ** will ****** **** ******* accordingly ** ** ******* feedback **** *************.
Embedded **** *** ****
******** **** **** ** not ******* *** ******* to **** ******** ********, such ** *******'* **** *** ** *********, ** units **** *****, *********, IDIS, ***. ****** *** be ******** ** ****. These ***** ** *** have ********** *** ***** to **** *** ******* arbitrary ********. *********-***** *****, such ** ********'* ** ***** *********, ** *******'* ** **********, *** ******* ***-****** systems ***** ***** *** access ******* ** ***** consoles, **** * **** risk.
Benchmark *********** ****** ********
***** ****** ********* *********** of ******* *** ************, particularly ***** **** *****, before ********** ********* ****** updates. **** **** **** determine *** ****** ** performance ******* ***********, *** may **** ** *********** mitigation ********** ** *********** degrades ***** ********** ******.
***************
*** ** *** ****** of **** *************, ***** should **** ** ******* OS ******* ** *********** by ***** ** ********, as ****** ******* **** likely **** ** ******* contained ** *** *******. Due ** *** ****** of *** *******, *** how ****** ****** ******** is ********, ******* ** other ******** *** **** need ** ** ******* to ****** *** ****** functionality ** **********. ******** updates ******** **** ** dependent ** *** ** and *********, *** **** most ****** ** *********** of *** ****.
Comments (55)
Undisclosed Integrator #1
Other than patches, is there anything we can do to help protect against this? Most of the servers we install are never interacted with so I am not sure what the level of risk is for us. Performance decrease is a major concern for me. While we typically allow for some wiggle room a potential for up to 20% decrease in performance is entirely unacceptable.
So the real question is, on small systems is it even worth patching? This is way outside of my skill set so I am mostly in the dark here.
Undisclosed End User #2
Y2K Redux...
Undisclosed Integrator #3
What about Hikvision? Should they not be the target as usual? Or the Chinese? What happened Hikvision is soo soo bad and does all these evil things, and every other American or South Korean manufacturer is solid as a rock, never makes mistakes like this, no way.... how could this even come under consideration? Engineering flaw my ass ....that was not acceptable from Hikvision why now believable from Intel without question?.....Maybe it's the NSA planting something to see you remotely?....maybe Intel made a mistake? Hikvision has been claimed to make these types of flaws from such "poor engineering standards" and done intentionally on their part, remember?
Where is secret agent Bashis? He must have missed this one....
We reap what you sow.... Just saying!
Undisclosed End User #2
"Intel" NSA back doors probably built in on purpose.
Maybe Oracle's stock will go up?:
http://www.oracle.com/technetwork/systems/opensparc/index.html
Open Source 64 bit CPU
Undisclosed #5
You sort of mixed both released issues together here.
Meltdown is the vulnerability that allows attackers to read arbitrary memory from a non privileged process including kernel memory. This can allow escalated privileges and control of the system. Interestingly, the patches for this cannot actually "fix" it, because there is no practical way to change the way modern existing CPUs work. The reason for this is it exploits out of order instruction executions on the CPU. The patches address this by removing the protected memory address mapping in user space so it makes the attack not practical anymore. The side effect of that is the performance hit.
AWS, Azure etc were already patched before disclosure. Smaller clouds, maybe not so much because they were not in on the embargoed information. If you are using a smaller cloud provider YOU NEED TO ASK if you are using one!
This vulnerability is especially bad for multi-tenant environments. When people ask why you don't want to share servers, this is why! Both Xen and Docker may have Hypervisor escapes. It hasn't been seen yet on VMware, but that is certainly no guarantee it's immune and I would not bet on that.
Spectre only affects the current process not kernel or other processes. Branch prediction and speculative execution algorithms are what Spectre attacks. It is mostly going to affect browsers by leaking data between tabs. Java can get outside the sandbox and read other tabs. Although this really isn't Java's fault, Perl and Python have the same problems because this is a CPU issue not a software issue.
The biggest deal though is leaking of addresses out of user space modules breaks Address space layout randomization (ASLR) which opens up a lot of other remote code execution vulnerabilities that previously had been impractical because of ASLR. The other thing is session keys are vulnerable in the browser if the session is not ended and logged out. This can make multi factor authentication ineffective if the session keys get stolen. Remind users to ALWAYS log out of sessions, don't just close the tab.
The other bad news here is this has been embargoed for almost a year, so the chances a nation state has exploited this are not insignificant. The paper also left open a number of other areas that future research needs to be done on that may lead to other exploits like these being found.
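For readers who want to confirm whether the Meltdown patch discussed above is active on a Linux-based server or recorder, here is an added example that is not part of the original thread. It reads the per-issue status files that patched Linux kernels expose under `/sys/devices/system/cpu/vulnerabilities`; the function names and the `--sample` data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): report whether a Linux kernel
# says Meltdown/Spectre are mitigated, using the per-issue sysfs status files.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map a kernel status line to a coarse verdict by its documented prefix.
classify_status() {
  case "$1" in
    "Not affected"*) echo not_affected ;;
    "Mitigation:"*)  echo mitigated ;;
    "Vulnerable"*)   echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# Print "<issue> <verdict> <raw status>" per issue. Returns 1 if any issue is
# vulnerable or unknown; a missing file means the kernel predates the patches.
audit_cpu_vulns() {
  dir="${1:-$VULN_DIR}"; rc=0
  for issue in meltdown spectre_v1 spectre_v2; do
    if [ -r "$dir/$issue" ]; then
      status=$(head -n 1 "$dir/$issue")
      verdict=$(classify_status "$status")
    else
      status="(no sysfs entry)"; verdict=unknown
    fi
    printf '%-11s %-12s %s\n' "$issue" "$verdict" "$status"
    case "$verdict" in vulnerable|unknown) rc=1 ;; esac
  done
  return "$rc"
}

# Constructed sample: a host with the Meltdown patch (page-table isolation)
# applied but no Spectre variant 2 mitigation yet. Prints the temp dir path.
make_sample_dir() {
  sample=$(mktemp -d)
  printf 'Mitigation: PTI\n' > "$sample/meltdown"
  printf 'Mitigation: __user pointer sanitization\n' > "$sample/spectre_v1"
  printf 'Vulnerable\n' > "$sample/spectre_v2"
  echo "$sample"
}

# "--sample" audits the constructed data; "--live" audits this machine.
case "${1:-}" in
  --sample) audit_cpu_vulns "$(make_sample_dir)" || echo "action needed" ;;
  --live)   audit_cpu_vulns || echo "action needed" ;;
esac
```

A `Mitigation: PTI` line for `meltdown` means the kernel is running with the page-table isolation change that carries the performance cost debated in this thread, so it is also a quick way to confirm which hosts to benchmark.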
Undisclosed #6
This looks like it goes all the way back to the Core Duo and Core 2 era based on the link referring to 2007 processors. Is there a list of which processors are not affected? I am hopeful the Xeon E5 series and up are exempted, as unlikely as it seems.
Ought to be interesting to watch how significantly the Passmark scores decline on Intel in the coming weeks.
Undisclosed Integrator #8
I think the performance hit is being overblown. Watch this video from the Naked Security team (Sophos)
https://nakedsecurity.sophos.com/2018/01/04/fckwit-the-video/
Undisclosed Manufacturer #10
Intel just posted the list of CPUs affected:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Undisclosed Manufacturer #10
The following Intel-based platforms are impacted by this issue. Intel may modify this list at a later time. Please check with your system vendor or equipment manufacturer for more information regarding updates for your system.
Truman HW
Anyone know if this affects the
i7-7700 (Kaby Lake - with native H.265)
and the...
i7-8700 (Coffee Lake, Kaby successor, from 4-core to 6-core), also with H.265.
I'm hoping not given how recently they came out. :-0
Peter Thompson
I have a more basic question about updates to VMS systems vs. operating system upgrades: When we install a VMS server that was pre-configured by the manufacturer the assumption is that the OS provided has been tuned for optimum system performance. Presumably OS components that could impact performance have been removed or disabled, and the overall system has been tested rigorously under the specific OS installed. Automatic OS upgrades are often disabled as delivered.
In addition to the likelihood of system performance reduction following patching for these particular flaws should we be expecting specific instructions from manufacturers detailing exact patches to apply, or should we just allow the OS update tool to apply ALL available patches?
Obviously it is always important to have a clean backup of the system prior to patching, but some problems may not appear until specific conditions are met days or weeks later.
Brian Karas
In this case, you should really talk to your VMS manufacturer for specifics. Because the performance impacts often revolve around I/O operations (which is a big part of what a VMS does, move bits from the NIC to the HDD), and because each VMS handles this in slightly different ways (how data is cached, indexed, etc.) it is very likely that some may be more impacted than others.
John Honovich
Interesting new disclosure: Intel Warned Chinese Companies of Chip Flaws Before U.S. Government: