Security Update - Meltdown/Spectre Advisory
Over the past week there have been numerous reports regarding security vulnerabilities affecting processors. These vulnerabilities have been reported under a variety of names, including Meltdown, Spectre, and Kaiser. Although initially reported as an Intel bug, it now appears to be far more wide-ranging, affecting AMD, Apple, and ARM processors as well.
The Technical Explanation
The issue originates from a performance-versus-security tradeoff at the kernel level (the heart of the operating system). The kernel manages which programs have access to which memory (among other things) and prevents one program from accessing another's memory. The processor assists with this by ensuring the kernel can access the processor memory used by other programs, but not vice versa.
To improve performance, some processors allow "speculative execution", which lets instructions be performed out of order to reduce processor idle time. In theory this is only done when the order doesn't matter; however, the identified issue shows that the order does matter, and the consequence is that information from processor memory can be leaked to a program that should not have access to it.
What Does It Mean?
Although the bug exists on many systems, the impact occurs where one user or program can be used to access another user's or program's memory. Therefore, the risk is at its highest on shared servers, and potentially on cloud services. Additionally, the risk only occurs if someone is able to run code on the machine.
Patching is key to addressing the issue. Microsoft released an out-of-cycle patch for supported versions of Windows last week, as have many Linux variants. Azure has announced maintenance changes on January 10, which are assumed to be in order to deal with this issue, and AWS has sent out similar communications.
However, with a performance tradeoff likely, there may be a case for limiting patching on internal systems if the performance impact is too great. There have also been reports of anti-virus products causing a Blue Screen of Death after the operating system patch has been applied. Tesserent recommends that a level of diligence and testing be performed before widespread rollout of patches. The risk associated with implementing these patches should be carefully assessed by each organisation with the assistance of your relevant IT partner (Microsoft, Linux, AWS and so on).
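One way to confirm, after patching a Linux host, that the kernel itself reports the Meltdown and Spectre mitigations as active, as an added example that is not part of the original advisory. It assumes a kernel recent enough to expose /sys/devices/system/cpu/vulnerabilities/ (one status file per issue), and the directory argument exists so the same check can be run over a copied or constructed tree.

```shell
#!/bin/sh
# Summarise the Linux kernel's own Meltdown/Spectre mitigation report.
# Each file under the vulnerabilities directory holds one of:
#   "Not affected", "Vulnerable[: detail]", or "Mitigation: <name>".
# Added example; the assumed default path is the kernel's sysfs location.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# check_mitigations [DIR]
# Prints one line per issue. Returns 0 when no issue reports "Vulnerable",
# 1 when at least one issue is still vulnerable, and 2 when the directory
# is missing or empty (the kernel is too old to report, so status is unknown).
check_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel does not report mitigation status" >&2
        return 2
    fi
    rc=0
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        found=1
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) rc=1; flag="!!" ;;   # still exposed: patch or rollback
            *)           flag="ok" ;;         # "Not affected" or "Mitigation: ..."
        esac
        printf '%s %-14s %s\n' "$flag" "$name" "$status"
    done
    [ "$found" -eq 1 ] || { echo "no status files in $dir" >&2; return 2; }
    return $rc
}

# Live check of this host. The "||" keeps a non-zero result from aborting
# a script that sources this file under "set -e".
check_mitigations "$VULN_DIR_DEFAULT" || echo "overall result: $? (1=vulnerable, 2=unknown)"
```

A result of 1 after patching is the signal to investigate before widening the rollout; a result of 2 means the host cannot tell you either way.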
Any Impact to the Tesserent Appliance?
The Tesserent firewall appliance is Intel-based, but does not allow users to run any programs on the appliance. The only software running on the Tesserent appliance is managed and monitored by our security engineers. This means that the fundamental risk, of one user or their program accessing another's processor memory, does not apply.
Still have questions? Talk to the experts.
If you have further questions about Meltdown, Spectre or any other cyber security business matter, don't hesitate to contact us or call 03 9880 5555.