It’s been two weeks since the IT world was rocked by the news of the CPU vulnerabilities known as Meltdown and Spectre. It’s making headline news due to how far the vulnerabilities extend—to nearly every processor manufactured over the past 20 years—as well as the potential impacts in mitigating these vulnerabilities. Every server, computer, tablet, phone or any other computing device with a modern CPU is potentially affected. (See WEI’s Customer Advisory about Meltdown and Spectre in this blog post.)
So what’s transpired in those 14 days? Fortunately, we have not heard of any compromised or exploited environments from our customers. But the general sentiment in the security community is that weaponization has likely already begun by hackers, and it’s only a matter of time before breaches occur from the CPU vulnerabilities. As of now, the only way to exploit the architectural flaws in the CPUs is through root access or by running JavaScript over a browser to access a local host system. OEMs have followed a good protocol by releasing patches and updates for the CPU vulnerabilities, and while there is urgency to respond, proceed with caution with those patches.
BEFORE YOU APPLY PATCHES...
Here are 3 critical tips we recommend to ensure your company’s systems are protected and to minimize impact to your critical systems. At this time performance issues related to patches and updates have been estimated to potentially impact performance by 5% to 30%.
Tip #1: Get a Risk Assessment
Get started with a risk assessment as soon as possible. An assessment will help identify the devices and systems that are affected and most susceptible to risk, and will help you understand the criticality of your systems to the business. An assessment should include:
- Review of access security policies (these vulnerabilities require system/device access to exploit)
- Current patch levels and firmware of all systems (not just servers, but also client devices, appliances, networking switches—essentially anything with a processor running an OS)
- Browsers used and their version levels (these vulnerabilities can leverage JavaScript to exploit)
- Current utilization rates of the systems you plan to patch
- Performance impact of applying patches
Tip #2: Test patches first
Our recommendation is to test patches on non-critical systems first. Find out how the mitigations impact performance AND compatibility before applying to critical systems. There are major concerns that patches may slow down systems, and rightfully so. Significant performance impacts from patches and other mitigations are being reported throughout the industry and it is important to understand the affect these patches and mitigations will have on each particular environment. In some instances, mitigations are causing crashes and other disruptions. Microsoft, for instance, has confirmed reports that its Meltdown and Spectre patch set for Windows is causing serious headaches for AMD owners—including an inability to boot post-installation.
As the nature of some patches will be to prevent or eliminate speculative execution (which had increased performance over native execution processes), it’s not unreasonable to expect some performance issues. If a particular compute environment is currently running at very high utilization rates for the platform, or if a heavily consolidated or virtualized environment with sharp peak loads experiences a burst, performance degradation could be much more significant, resulting in applications or systems crashing.
Tip #3: Check-in with your public cloud providers
Contact your cloud providers to find out how they have responded to Meltdown and Spectre. We’ve read announcements from cloud leaders such as Amazon AWS, Google Cloud, and Microsoft Azure for mitigating speculative execution side-channel vulnerabilities, but if you are leveraging smaller cloud providers we recommend reviewing your SLA and contacting them to understand how they have safeguarded your cloud instances. If your instances are operating in a multi-tenant environment all other instances could be vulnerable, and risk escalates considerably. Ask about their status update cadence, as all public cloud providers should be communicating these details with their customers.
Weaponization has likely begun—get ahead of it with WEI.
Find out where your company is at risk and what you can anticipate when applying a patch. WEI is on standby, ready to help as you begin to analyze your potential exposure. We can work with your team on a full risk assessment, and can assist with testing before applying patches to business-critical systems.
Check in with your OEMs to get a full update regarding their plan for patches and updates—or ask us what we have heard. Many OEMs are working backwards by releasing patches for their most recent solutions first, and there is a chance they may not release a patch for legacy equipment, even though those systems may be at risk from the CPU vulnerabilities. If an OEM has announced they are not providing a patch—it is highly recommended you include this finding in your risk assessment and understand options for mitigation. Our team can help with a migration plan and help implement a new solution to ensure your company is protected.
We encourage you to share this blog post on LinkedIn with your industry peers. New information will likely emerge in the coming days and weeks. We will do our best to communicate tips and insights as we learn more about the implications of this CPU security flaw.
