Fresh Spectre Vulnerabilities May Force Cloud Providers to Disable Intel Hyper-Threading
Last year, when the news of the Spectre processor vulnerability first surfaced, researchers warned that it could be exploited in multiple ways. On Tuesday, four different exploits surfaced, all taking advantage of weaknesses in Intel processors. They are collectively called Microarchitectural Data Sampling (MDS), and affect all Intel processors since 2011, according to the chip maker.
While software providers are rushing patches out to remedy the vulnerabilities, end-users will still pay a performance penalty, as part of the remediation involves shutting off the performance-enhancing Hyper-Threading in Intel chips.
“This vulnerability is probably of greatest impact to dense, multitenant public cloud providers. In single-user environments, it’s far less interesting than in places where one tenant may be able to spy on another,” Twistlock Chief Technology Officer John Morello wrote in an e-mail. Because disabling Hyper-Threading will slow the processor speeds — Apple, for example, has seen “up to 40%” degradation in server performance from disabling Hyper-Threading — such measures “could introduce real costs from the loss of available density in these cloud providers’ environments,” he wrote.
DigitalOcean, for instance, has advised its users to update their internal Droplet kernels with the latest available bug fixes and security patches.
These vulnerabilities can all be used, in various ways, to gain unauthorized read access to privileged memory. According to a Red Hat advisory:
- CVE-2018-12126 (nicknamed “Fallout”) is a flaw that could lead to information disclosure from the processor store buffer (rated with a severity impact of Important).
- CVE-2018-12127 is an exploit of the microprocessor load operations that can provide data to an attacker about CPU registers and operations in the CPU pipeline (Severity impact: Moderate).
- CVE-2018-12130 (“ZombieLoad”) involves the implementation of the microprocessor fill buffers and can expose data within that buffer (Severity impact: Moderate).
- CVE-2019-11091 is a flaw in the implementation of the “fill buffer,” a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache (Severity impact: Moderate).
As disclosed last year, Spectre can be used to leak data from a single process, by abusing branch prediction and speculative execution of Intel microprocessors. The vulnerabilities can be remedied by a combination of updating the CPU microcode, applying kernel patches, and disabling Hyper-Threading.
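One defender-side check for the combination of mitigations just described, as an added example that is not from the article or from any vendor named in it: it reads the MDS status file and the SMT control file the Linux kernel exposes under /sys (real kernel interfaces; the status wording follows the kernel's admin-guide/hw-vuln/mds.rst) and reports whether buffer clearing is active and Hyper-Threading is off.

```python
"""Check a Linux host's MDS mitigation and Hyper-Threading (SMT) state.

Added example, not code from the article or from Red Hat. It parses two
sysfs files the kernel exposes and classifies the host; the status
strings follow the kernel's admin-guide/hw-vuln/mds.rst documentation.
"""
from pathlib import Path

MDS_FILE = Path("/sys/devices/system/cpu/vulnerabilities/mds")
SMT_FILE = Path("/sys/devices/system/cpu/smt/control")


def assess_mds(mds_status: str, smt_control: str) -> dict:
    """Classify one host from its 'mds' status line and 'smt/control' value."""
    mds_status = mds_status.strip()
    smt_control = smt_control.strip()
    if mds_status == "Not affected":
        return {"verdict": "ok", "reason": "CPU not affected by MDS"}
    # Microcode + kernel: 'Mitigation: Clear CPU buffers' means the buffer
    # clearing is active and the updated microcode supports it. The
    # 'attempted, no microcode' variant means the microcode is missing.
    buffers_cleared = mds_status.startswith("Mitigation: Clear CPU buffers")
    # The kernel appends an '; SMT ...' qualifier describing sibling threads.
    smt_note = mds_status.split(";", 1)[1].strip() if ";" in mds_status else ""
    if not buffers_cleared:
        return {"verdict": "vulnerable", "reason": f"no buffer clearing ({mds_status})"}
    if smt_note == "SMT Host state unknown":
        # Inside a VM the guest cannot see whether the host disabled HT.
        return {"verdict": "unknown", "reason": "guest: host SMT state not visible"}
    smt_off = smt_control in ("off", "forceoff", "notsupported") or smt_note == "SMT disabled"
    if smt_off or smt_note == "SMT mitigated":
        return {"verdict": "ok", "reason": "buffers cleared; SMT disabled or mitigated"}
    return {"verdict": "partial", "reason": "buffers cleared but sibling threads still share the core"}


def assess_host() -> dict:
    """Read the live sysfs files. A kernel without the 'mds' file predates
    the fix, so it is treated as 'Vulnerable'; a kernel without SMT control
    reports 'notimplemented'."""
    mds = MDS_FILE.read_text() if MDS_FILE.exists() else "Vulnerable"
    smt = SMT_FILE.read_text() if SMT_FILE.exists() else "notimplemented"
    return assess_mds(mds, smt)


if __name__ == "__main__":
    print(assess_host())
```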
Red Hat has already released kernel security updates to address these vulnerabilities for Red Hat Atomic Host, Red Hat OpenStack Platform, Red Hat Virtualization (RHV/RHV-H), and Red Hat Enterprise Linux, going back to RHEL 5. It also advised container users to update their dependencies, notably kernel, kernel-rt, libvirt, qemu-kvm, qemu-kvm-rhev, and microcode_ctl.
Red Hat and Twistlock are sponsors of The New Stack.
The post Fresh Spectre Vulnerabilities May Force Cloud Providers to Disable Intel Hyper-Threading appeared first on The New Stack.