Leading cloud providers have said they are aware of and working on securing systems after the disclosure of two major chip-level security vulnerabilities earlier this week.
As first reported by The Register, a ‘fundamental’ design flaw in Intel’s processor chips, dubbed Meltdown, was followed by another flaw, called Spectre, found in chips from Intel, AMD and ARM. The latter was confirmed by Google researchers in a blog post published yesterday.
The vulnerabilities hinge on a processor technique called ‘speculative execution’. Modern processors estimate what task will need to be done next and, if the estimate is correct, the task is executed much more quickly than it otherwise would be. As the Google blog notes, malicious actors ‘could take advantage of speculative execution to read system memory that should have been inaccessible’, such as passwords or encryption keys.
So how does this affect cloud providers? A blogger going under the name of Python Sweetness asserted on January 1 that the vulnerability will affect major cloud providers. “There are hints the attack impacts common virtualisation environments including Amazon EC2 and Google Compute Engine,” the post reads.
In a security bulletin, Amazon Web Services (AWS) said ‘all but a small single-digit percentage of instances across the Amazon EC2 fleet’ were already protected. Microsoft said in a statement that it was “in the process of deploying mitigations to cloud services”, as well as releasing security updates. Google issued a bulletin for its cloud products, listing Compute Engine, Kubernetes Engine, Cloud Dataflow and Cloud Dataproc as requiring updates, while a statement from Josh Feinblum, chief security officer at DigitalOcean, recommended server reboots for users and promised urgent maintenance if this was unsuccessful.
A statement from Intel issued yesterday said the company was committed to product and customer security and was working with AMD, ARM, and others ‘to develop an industry-wide approach to resolve this issue promptly and constructively.’
“Intel has begun providing software and firmware updates to mitigate these exploits,” the statement added. “Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
AMD also issued an update, stressing that the research was performed in lab conditions and that the threat had not been seen in the public domain.