Meltdown and Spectre: Case Analysis and Remediation for AWS Cloud

The original post is available here.

The recent CPU attack nightmare has once again exposed how fragile the security foundations of our devices are. Whatever you use, be it a PC, iPhone, Mac, tablet, server or even a cloud computing platform, the chips inside it are exposed to the Meltdown and Spectre attacks. Though Microsoft, Apple and the Linux developers have released patches to fix the issue, patched servers take a performance hit. So what is the Meltdown and Spectre vulnerability that everybody is talking about?

Meltdown and Spectre are two nasty processor-level flaws, discovered by security researchers, that bypass the protection layers built into your CPU. Meltdown can read protected kernel memory: it melts the boundary that is supposed to keep data isolated, defeats the protection, and exposes data on your system that you thought was inaccessible (including passwords, critical information, and even data that has been encrypted). Spectre, on the other hand, makes it easier for attackers to trick error-free programs into leaking information. Because of that, Spectre affects almost every device known to date.

A group of researchers reported a serious vulnerability in the CPU architectures of Intel, ARM and AMD, which affects most devices across the world. The reported bugs, Meltdown and Spectre, potentially affect every Intel processor since 1995 that implements out-of-order execution, except Itanium and pre-2013 Atom processors.

The researchers discovered details of three closely related vulnerabilities involving the abuse of speculative execution in modern CPUs:

  • CVE-2017-5753: Known as Variant 1, a bounds check bypass
  • CVE-2017-5715: Known as Variant 2, branch target injection
  • CVE-2017-5754: Known as Variant 3, rogue data cache load

These have been grouped into two branded vulnerabilities:

  • Meltdown (Variant 3)
  • Spectre (Variants 1 and 2)

In other words, Meltdown breaks the most fundamental isolation between user applications and the operating system. The attack allows a program to access the memory, and therefore the secrets, of other programs and of the operating system itself.

Spectre, on the other hand, breaks the isolation between different applications. It allows an attacker to trick error-free programs that follow best practices into leaking their secrets. In fact, the safety checks those best practices prescribe actually increase the attack surface. Spectre is harder to exploit than Meltdown. According to Daniel Gruss, one of the researchers at Graz University of Technology who discovered the flaw, Meltdown is “probably one of the worst CPU bugs ever found.”

Why do you need to be worried?

The vulnerability affects pretty much everyone and every computing device, including laptops, desktops, tablets, smartphones and even cloud computing systems. The problem is magnified for cloud services such as Amazon Web Services, Microsoft Azure and Google Cloud Platform, because of the scale of their computing resources and the potential performance impact of the fixes.

Below are the links where customers can read more about updates on patches from the leading public cloud providers and operating systems:

What should I do as an AWS Cloud user?

The immediate action is to install the suggested patches on all your servers and reboot them, since the patched kernel only takes effect after a reboot.

5 steps to fix Meltdown and Spectre vulnerability in AWS environment

  1. Plan your update
  2. Backup your server data
  3. Install patch as advised
  4. Have a tech QA team verify that the servers are back up and running as usual
  5. Watch for further updates on the same issue

FAQs for reference

Listed below are some of the questions cloud engineers frequently ask while fixing the Meltdown and Spectre vulnerability.

What AWS services are affected?

What action has AWS taken to mitigate the issue?

AWS is applying the necessary updates to protect the underlying infrastructure and is encouraging customers to patch their operating systems. As noted on the AWS forums, while the updates AWS performs protect the underlying infrastructure, customers must also patch their instance operating systems to be fully protected against these issues.

Most operating systems have patches or will soon have patches, which we recommend customers apply to their EC2 instances. These patches are designed to mitigate the issues as they apply to the operating systems running in customers’ individual instances. Updated Amazon Linux AMIs have been made available, and instructions for updating existing instances are provided in the security bulletin.

Do customers need to apply OS-level patches in addition to the mitigations made by AWS?

Yes. To avoid any security leak, customers need to apply the OS patches immediately, in addition to the mitigations made by AWS.

Is Amazon Linux affected, and if so, what version(s)?

Yes, pretty much all the versions are affected.

Where can customers find required patches for other operating systems, if required?

Most operating systems have patches or will soon have them; we recommend visiting the respective vendor's support site.

If I have 100+ servers, do I need to update and reboot them all?

Unfortunately, yes. To ensure complete security compliance, it is important to update and reboot all the servers.

How do you plan to update 100+ servers?

Use industry-standard automation tools such as Ansible or Puppet to streamline the update across the fleet.
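The verification in steps 3 and 4 above, and the fleet-wide rollout the "100+ servers" question asks about, can be scripted without much effort. The following is an added example, not code from the original post, from AWS or from Botmetric. It reads the per-variant status that Linux kernels from 4.15 onward publish under /sys/devices/system/cpu/vulnerabilities (the strings "Mitigation: ...", "Vulnerable" and "Not affected" are the kernel's own wording), checks whether the running kernel is the newest installed one, and runs the check over a host list. The sample sysfs trees, host names and kernel release strings are constructed for the demonstration; the ssh_runner function assumes key-based SSH access to the hosts.

```shell
#!/bin/sh
# Added example for this post (not code from the original article, AWS or
# Botmetric). It covers steps 3-4 (verify that the patch is installed and
# actually booted) and the "100+ servers" question, by:
#   1. reading the per-variant status Linux 4.15+ kernels publish under
#      /sys/devices/system/cpu/vulnerabilities;
#   2. checking whether the running kernel is the newest installed one;
#   3. running the check over a host list.
# The sample sysfs trees, host names and kernel releases below are constructed.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "<variant>: <status>" for the three 2018 variants.
# Exit status: 0 = every variant mitigated or not affected,
#              1 = at least one variant reads "Vulnerable",
#              2 = status files missing (pre-4.15 kernel, or the patched
#                  kernel is installed but has not been booted yet).
report_mitigations() {
    dir="${1:-$VULN_DIR}"
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        if [ ! -r "$dir/$v" ]; then
            echo "$v: unknown (no $dir/$v)"
            [ "$rc" -eq 0 ] && rc=2
            continue
        fi
        status=$(cat "$dir/$v")
        echo "$v: $status"
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return "$rc"
}

# A kernel update takes effect only after a reboot.
# $1 = running release (uname -r), $2 = newest installed release.
# Exit status 0 means a reboot is still pending.
needs_reboot() {
    [ "$1" != "$2" ]
}

# Runners for fleet_status: the real one executes the check over SSH,
# the local one evaluates it in this shell (dry runs and tests).
ssh_runner()   { ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" "$2"; }
local_runner() { host="$1"; eval "$2"; }

# Remote-side equivalent of report_mitigations, as one POSIX sh line that
# ssh_runner can hand to every host (same exit codes as above).
REMOTE_CHECK='d=/sys/devices/system/cpu/vulnerabilities; [ -r "$d/meltdown" ] || exit 2; grep -qs "^Vulnerable" "$d/meltdown" "$d/spectre_v1" "$d/spectre_v2" && exit 1; exit 0'

# Print "<host>: OK|VULNERABLE|UNKNOWN" for every host in file $1 (one per
# line) using command $2 and runner $3 (default ssh_runner).
# Exit status 0 only if every host reports OK.
fleet_status() {
    runner="${3:-ssh_runner}"
    bad=0
    while IFS= read -r host; do
        [ -z "$host" ] && continue
        if "$runner" "$host" "$2" >/dev/null 2>&1; then rc=0; else rc=$?; fi
        case "$rc" in
            0) echo "$host: OK" ;;
            1) echo "$host: VULNERABLE"; bad=$((bad + 1)) ;;
            *) echo "$host: UNKNOWN";    bad=$((bad + 1)) ;;
        esac
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Constructed sample: two fake hosts' sysfs directories, one patched and
# rebooted, one still running the old kernel. Prints the temp directory.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/web-1" "$d/web-2"
    printf 'Mitigation: PTI\n'                         > "$d/web-1/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/web-1/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n'      > "$d/web-1/spectre_v2"
    printf 'Vulnerable\n' > "$d/web-2/meltdown"
    printf 'Vulnerable\n' > "$d/web-2/spectre_v1"
    printf 'Vulnerable\n' > "$d/web-2/spectre_v2"
    echo "$d"
}

# Demo on the constructed sample; nothing here touches SSH or the real /sys.
SAMPLE=$(make_sample)
printf 'web-1\nweb-2\n' > "$SAMPLE/hosts"
if fleet_status "$SAMPLE/hosts" 'report_mitigations "$SAMPLE/$host"' local_runner; then
    echo "fleet: all hosts mitigated"
else
    echo "fleet: some hosts still need the patch or a reboot"
fi
# Constructed release strings standing in for an old and a newer kernel.
if needs_reboot "4.9.70-constructed.amzn1.x86_64" "4.9.76-constructed.amzn1.x86_64"; then
    echo "reboot pending: running kernel is not the newest installed one"
fi
rm -rf "$SAMPLE"
```

Against a real fleet, call `fleet_status hosts.txt "$REMOTE_CHECK"` so each host runs the one-line check over SSH; an UNKNOWN result usually means the instance was patched but not yet rebooted, or is still on a kernel that predates the sysfs status files. For the reboot check on a single instance, pass `$(uname -r)` as the running release and the newest kernel package version reported by your package manager as the second argument. The same per-host check drops into an Ansible `shell` task or a Puppet exec if you already manage the fleet that way.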

What if I don’t update my servers?

Experts expect that hackers will quickly develop programs to launch attacks now that the information is available. Dan Guido, chief executive of cybersecurity consulting firm Trail of Bits, said: “Exploits for these bugs will be added to hackers’ standard toolkits.”

I have launched my server today. Do I need to update?

An update is only required for servers launched or updated on or before 10:45 PM (GMT), January 3rd, 2018.

While the threat from these newly discovered flaws may still be hypothetical, very little technical work is needed to exploit them. After all, it takes just a banner ad to compromise your device. Botmetric is updating its own servers and is in the process of informing its customers to do the same.

So, to be clear: update your servers as soon as possible, and keep checking your vendor's portal for the latest patches to apply.

Feel free to spread the news!