BlogTech

You’ve probably already read about one of the most widespread security issues in modern computing history — colloquially known as “Meltdown” (CVE-2017-5754) and “Spectre” (CVE-2017-5753 and CVE-2017-5715) — affecting practically every computer built in the last 20 years, running any operating system.

What are Spectre and Meltdown?

Spectre and Meltdown are the names of the flaws found in a number of processors from Intel, ARM and AMD that could allow hackers to access passwords, encryption keys and other private information from open applications.

The flaws, found by a number of people including a member of Google’s Project Zero, are sending shock waves through the IT world. Namely, it was revealed that they had been present in chip designs for over 20 years, and that they affect a number of companies’ processors, meaning the flaws could be found on a huge number of devices, from PCs to web servers and even smartphones.

So should you be worried?

So far it doesn’t look like the Spectre or Meltdown flaws have been used in an attack, and device manufacturers are working with Intel, ARM and AMD to fix these flaws.
Intel has claimed that the exploits can’t corrupt, modify or delete data. While it’s good to see companies set aside their differences to find a fix for these flaws, it has emerged that one flaw, Spectre, may need a processor redesign to fix.
However, this does mean that future processors should be free from the Spectre and Meltdown security flaws. So, don’t be too alarmed, but keep an eye on any updates your device offers, and follow our advice on how to protect against the Meltdown and Spectre CPU security flaws.

Before making any changes:

1 Make sure that you have full backups of your data
2 If you or your client are using any Antivirus software, you/they should first check compatibility with the software vendor

How can you/your customers patch these Vulnerabilities?

We have already patched parts of our infrastructure to avoid a Virtual Machine gaining Access to another VMs data. We have also updated most of our core VM Templates to include the latest patches (please read below our regular updates).

To ensure your Virtual machine is updated please update/upgrade the OS running.

For Debian/Ubuntu:

1 Update and upgrade your packages using apt-get:
2 #apt-get update && sudo apt-get dist-upgrade
3 You’ll need to reboot your server to apply the changes:
4 #reboot

For CentOS/Fedora, use either of the two methods mentioned below:

1 You can initiate a full yum update using the below command:
2 #yum update
3 Just update the kernel packages:
4 #yum update “kernel*”
5 You’ll need to reboot your server to apply the changes:
6 #reboot

For Windows:

1 Apply the latest Windows update available

Please Note: Applying the patches may have a negative impact on overall performance. We do nor recommend updating without carefully reading and testing the impact Microsoft is seeing on parts of their upgrades and currently MS upgrades have rendered machines useless. If you are not sure, contact us so we can help. Microsoft recommends currently not to apply the patches on IO intensive workloads like databases or large Websites.

Steps are documented on Microsoft’s website.

Due to the way this vulnerability was made public, not all patches and updates may not be currently available.

Updates:

Update January 10th, 19:31

Following templates have been updated to includes the latest Kernel Patches for the respective to use.

Ubuntu 16.04 LTS
Debian 7.0 and Debian 8.0

Update January 6th, 16:19

Microsoft has confirmed the availability of Patches to prevent Meldown/Spectre attacks. Please make sure that Windows Update is enabled on all your Windows Virtual Servers and realCloud Instances to receive the latest patches.

Patches to address the issue are available for Win 7, 8.1, 10, Win Server 2008R2, 2012, 2012R2, 2016 at the Microsft Security TechCenter portal.


Update January 6th, 16:12

Following templates have been updated to includes the latest Kernel Patches for the respective to use.

CentOS 7.4 x86_64
Red Hat Enterprise Linux 7.4 x86_64

Update January 6th, 07:30

We have succesfully patched our underlying Infrastructure to the latest releases.

Start the discussion at community.bamboozle.me