Meltdown and Spectre Vulnerabilities

Last week two major vulnerabilities were released that affect most modern processors. These vulnerabilities may allow for unauthorized disclosure of information to an attacker. The vulnerabilities are:

Meltdown

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.  If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information.

Spectre

Spectre breaks the isolation between different applications. It allows an attacker to trick any program including bug-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.  Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.

For more complete information regarding both vulnerabilities please visit: https://meltdownattack.com/

ITS Recommendations

  • Install the patch for any virtualization software you manage (VMWare, Red Hat Virtualization, Hyper-V, etc).  Patching your virtualization software will protect against information disclosure between guests that reside on the same host.  Patches have been released for each of the above hypervisors, and we strongly suggesting patching these immediately.
  • Patch any Server or Workstation you manage.  It is important to understand that there is likely to be a negative performance impact as a result of the patch.  There is no definitive guide for determining this impact but Red Hat has released this information that may provide some clarity: https://access.redhat.com/articles/3307751

Addressing the Meltdown and Spectre vulnerabilities effectively will be an ongoing effort, and we will post more information as it becomes available.