MDS Vulnerabilities Response

Overview

The RIDL (CVE-2018-12130, CVE-2018-12127, CVE-2019-11091) and Fallout (CVE-2018-12126) vulnerabilities, described by Intel as “Microarchitectural Data Sampling” (MDS), can allow an attacker to leak confidential data across arbitrary security boundaries in real-world settings. These vulnerabilities affect modern Intel CPUs; processors from other vendors (AMD and ARM) do not appear to be affected.

Impact Summary

In a nutshell, these vulnerabilities are the result of the physical design of some modern microprocessors. In order to increase the perceived speed of the core, the processor is designed to anticipate the next likely set of instructions, pre-process that result in parallel to whatever it is currently working on, and store that result. If that execution path is followed, the work is already done and the core can move on to whatever is next; if not, there is minimal cost for having done this predictive work.

The RIDL and Fallout speculative execution attacks allow attackers to leak private data across arbitrary security boundaries on a victim system, for instance compromising data held in the cloud or leaking your data to malicious websites. [1]

In reality, an attack is very difficult to orchestrate, but virtually any data on an unpatched system could potentially be exposed. Patches have been applied at the hypervisor level for all Engine Yard maintained instances.

More about MDS

[1] https://mdsattacks.com/

https://access.redhat.com/security/vulnerabilities/mds

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS

https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling

Initial Response

For AWS and other multi-tenant service providers, it was vital to roll out these updates immediately to ensure there was no risk of inappropriate data exposure between guests across hypervisor and hardware boundaries. Your Engine Yard supplied virtual environment is not multi-tenant, so the patches applied at the hypervisor level ensure your data stays confined to the local system. Any remaining exposure would either be the result of an internal attack, or come through a secondary exploit, the existence of which would be problematic all on its own.

Ongoing Response

At the time of this writing, there are still bugs and issues being identified in the upstream Linux Kernel patches which may impact operational stability. Engine Yard is monitoring all relevant developments with regard to the MDS vulnerabilities, and specifically keeping track of the status of relevant Linux Kernel patches and updates addressing the MDS vulnerabilities. Engine Yard will fully resolve MDS, to the extent a resolution is available in software, as soon as the available resolutions have matured to a stable state.

Once updates have been released, they will require a stack upgrade and either instance replacement or manual upgrade with reboot. These updates will only be available for Engine Yard Stacks Stable-v5 and higher.

Due to the nature of the mitigation required so far against these vulnerabilities, the applied Linux kernel updates will reduce performance for some workloads. The magnitude of the performance impact will vary depending on the specifics of the workload. We encourage customers to monitor the performance of critical workloads after the update is applied. Setting up a staging environment to gauge the impact of these updates is recommended. If you need any assistance with this, please reach out to our support team.

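After the stack upgrade and reboot have been applied, it is worth confirming what the running kernel actually reports rather than relying on the update having been installed. The shell script below is an added example, not Engine Yard's tooling. It assumes the sysfs entry /sys/devices/system/cpu/vulnerabilities/mds and the md_clear CPU flag in /proc/cpuinfo that Linux kernels carrying the MDS patches expose; the optional file arguments and the verdict names (not_affected, mitigated, partial, vulnerable, unknown) are the example's own.

```shell
#!/bin/sh
# Added example, not Engine Yard tooling: report what the running kernel says
# about the MDS mitigation after a stack upgrade and reboot.
#
# Assumptions (labelled): kernels carrying the MDS patches expose the status in
# /sys/devices/system/cpu/vulnerabilities/mds, and updated microcode shows up as
# the "md_clear" flag in /proc/cpuinfo. Both paths can be overridden with an
# argument so the functions can be exercised against constructed sample files.

# Map the kernel's status string to a short verdict:
#   not_affected, mitigated, partial, vulnerable or unknown.
classify_mds_status() {
    line="$1"
    case "$line" in
        "Not affected"*)                                  echo "not_affected" ;;
        # Buffers are cleared on privilege transitions, but the sibling
        # hyperthread can still observe them: the mitigation is incomplete.
        "Mitigation: Clear CPU buffers; SMT vulnerable"*) echo "partial" ;;
        # Covers "SMT disabled", "SMT mitigated" and, inside a guest,
        # "SMT Host state unknown" (the guest cannot see the host's SMT setting).
        "Mitigation: Clear CPU buffers"*)                 echo "mitigated" ;;
        # Includes "Vulnerable: Clear CPU buffers attempted, no microcode":
        # the kernel patch is present but the microcode is not.
        "Vulnerable"*)                                    echo "vulnerable" ;;
        *)                                                echo "unknown" ;;
    esac
}

# Read the sysfs entry (or a sample file) and classify it. A kernel that
# predates the MDS patches has no such entry at all, which is reported as unknown.
mds_status_from_file() {
    file="${1:-/sys/devices/system/cpu/vulnerabilities/mds}"
    if [ ! -r "$file" ]; then
        echo "unknown"
        return 0
    fi
    classify_mds_status "$(cat "$file")"
}

# Succeeds when the CPU flags list md_clear, i.e. the microcode (or, in a
# guest, the CPUID the hypervisor exposes) supports buffer clearing via VERW.
has_md_clear() {
    cpuinfo="${1:-/proc/cpuinfo}"
    grep -qE '(^|[[:space:]])md_clear([[:space:]]|$)' "$cpuinfo" 2>/dev/null
}

# Stand-alone run: print a one-screen report for the local host.
status=$(mds_status_from_file)
echo "MDS kernel status : $status"
if has_md_clear; then
    echo "md_clear flag     : present"
else
    echo "md_clear flag     : absent (mitigation is best effort until microcode or the hypervisor is updated)"
fi
case "$status" in
    mitigated|not_affected) echo "Result: kernel reports MDS mitigated on this instance" ;;
    *)                      echo "Result: follow up ($status); check the Engine Yard dashboard Notices for stack updates" ;;
esac
```

Run it on the instance after the reboot; no special privileges are needed, since both files are world-readable. On a guest the host's SMT state is not visible, so a status ending in "SMT Host state unknown" is expected there and is reported as mitigated at the guest level, with the hypervisor-side patching described above covering the host. An "unknown" verdict with the sysfs entry missing means the running kernel does not yet carry the MDS patches at all, which is the case to follow up on with support.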
Please monitor this post and the Engine Yard dashboard ‘Notices’ section for updates.
