This is sadly becoming all too familiar. This security issue in question this article discusses is :
“CVE-2018-3646: This affects hypervisors and virtual machines. According to Intel, “systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis.” This will require the microcode, operating system, and hypervisor updates to protect data.”
What this seems to be stating (confirmed further down by Intel) is that a guest virtual machine running on a Hyper Visor has the potential to access data from another virtual machine. Holy *@%^&*. That’s some security hole.
This is bad bad news on any number of fronts. Cloud vendors large and small are leaving their customers open to attack if they don’t apply patches. They are also likely to be liable to fines under GDPR.
What Intel Say
“There is a portion of the market – specifically a subset of those running traditional virtualization technology, and primarily in the datacenter – where it may be advisable that customers or partners take additional steps to protect their systems. This is principally to safeguard against situations where the IT admin or cloud provider cannot guarantee that all virtualized operating systems have been updated. These actions may include enabling specific hypervisor core scheduling features or choosing not to use hyper-threading in some specific scenarios. While these additional steps might be applicable to a relatively small portion of the market, we think it’s important to provide solutions for all our customers.”
“For these specific cases, performance or resource utilization on some specific workloads may be affected and varies accordingly. We and our industry partners are working on several solutions to address this impact so that customers can choose the best option for their needs. As part of this, we have developed a method to detect L1TF-based exploits during system operation, applying mitigation only when necessary. We have provided pre-release microcode with this capability to some of our partners for evaluation, and hope to expand this offering over time.”
I particular like the “portion of the market – specifically a subset of those running traditional virtualization technology”. Words designed to give the impression the issue is small potatoes – as if!
What Everyone Else Is Saying
Of course with this little bomb shell exploding lots of people have lots to say And system administrators and cloud vendors need to sit up and take note.
- Microsoft’s Statement
- VMWare’s Statement
- Xen’s Statement
- Canonocal’s (Ubuntu) Statement
- Redhat’s Statement
Software bugs affect the software vendor and their users but CPU bugs affect pretty much everyone. It would be a little easier to take if the issues were limited to the odd CPU. But many CPUs are built on yesteryears microcode and include the previous generations flaws.
Take A Chill Pill
Now take a deep breath …… ahh, that’s a bit better.
The good news is these vulnerabilties have been known about for a while. That means patches, if not already released, should be soon.
So get ready to get your Hyper Visors patched and sleep easier ….. until the next cock up is announced.
To quote Scotty from the Search for Spock “The more they overthink the plumbing, the easier it is to stop up the drain.”