ספקטר ומלטדאון - הכשלון הגדול של יצרניות המעבדים

#1

אז אם במקרה אתם פה ועדיין לא שמעתם את החדשות - כל עולם אבטחת המידע קרס השבוע עם פירצה חדשה שהתגלתה ומקורה בכשל תכנוני בכל המעבדים שלכם. מתיאס גיינר כתב קטע קצר עם קישורים רלוונטים והוא כל כך מדויק שאני מעתיק אותו כמו שהוא לכאן:

On January 2nd, a severe flaw [was rumored](https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/) to be announced in all Intel CPU's. No biggie, hardly anyone uses those, right? At first, it looked like AMD was off the hook, but it was later announced AMD was vulnerable for 2 out of the 3 exploits to be released. There are patches, but benchmarks indicate that - depending on the workload - there's a 1 to 19% performance hit on the patched systems. After the patch is applied, you can control which of its security features are enabled or disabled, if you value performance over security.

Shortly after the rumors came out, Intel tried to explain it with a vague PR statement. The Register did a good job at debunking every line in that statement, it’s worth a read for laughs & giggles.

Anyway, a few days later, the vulnerabilities got announced. As per usual, it got a logo (2!) and a website. SpectreAttack.com. From this day on, we’ll call them Spectre & Meltdown. Now that the details are out, the write-ups are coming, explaining the exploits with more clear examples. I specially liked this one from LWN.

Microsoft issued updates. Red Hat did too, as did most Linux distro’s. It’s a shame someone forgot to notify the BSD community though.

As if the bugs themselves weren’t serious enough, because of all the hype around it, the vulnerabilities were revealed a week earlier than planned. Turns out, if you hype the most serious vulnerability in the last decade, people go looking online. And they pieced together the bug from various sources, before the details were released. And in many cases, before vendors were ready with the patch. They all thought they had an extra week. Funny, isn’t it?

Meanwhile, props to Google for this bug. They followed-up on earlier reports of these vulnerabilities with some epic technical debugging. They even submitted patches to LLVM & GCC with new binary constructs for speculative execution.

The bugs were so bad, you could apparently exploit them with client-side JavaScript in a browser. Mozilla quickly pushed updates to help prevent it.

To make a long story short, if you haven’t already, you will want to:

  1. Update the BIOS of your servers (make sure your vendor confirms they patched this)
  2. Update your hypervisors (KVM/Xen/VMware/…)
  3. Update all your servers (bare metal + VMs) with the latest kernel updates. By now, all major OS’s have patches.
  4. Just update everything that has a CPU in it