Meltdown and Spectre: Case Analysis and Remediation for AWS Cloud

A group of researchers reported a serious vulnerability in the CPU architectures of Intel, ARM and AMD that has impacted most devices across the world. The reported bugs, Meltdown and Spectre, potentially affect all Intel processors since 1995 that implement out-of-order execution, except Itanium and pre-2013 Atoms.

The researchers discovered details of three closely related vulnerabilities involving the abuse of speculative execution in modern CPUs:

  • CVE-2017-5753: Known as Variant 1, a bounds check bypass
  • CVE-2017-5715: Known as Variant 2, branch target injection
  • CVE-2017-5754: Known as Variant 3, rogue data cache load

These have been grouped into two branded vulnerabilities:

  • Meltdown (Variant 3)
  • Spectre (Variants 1 and 2)

In other words, Meltdown breaks the most fundamental isolation between user applications and the operating system. The attack allows a program to read the memory, and therefore all the secrets, of other programs and of the operating system.

Spectre, on the other hand, breaks the isolation between different applications. It allows an attacker to trick error-free programs that follow best practices into leaking their secrets. In fact, the safety checks prescribed by those best practices actually increase the attack surface. Spectre is harder to exploit than Meltdown. According to Daniel Gruss, one of the researchers at Graz University of Technology who discovered the flaw, Meltdown is “probably one of the worst CPU bugs ever found.”

Why do you need to be worried?

The vulnerability affects pretty much everyone and every computing device, including laptops, desktops, tablets, smartphones and even cloud computing systems. The problem is magnified for cloud services such as Amazon Web Services, Microsoft Azure and Google Cloud Platform, due to the scale of their computing resources and the potential performance impact of the fixes.

Below are the links where customers can read more about patch updates from the leading public cloud providers and operating system vendors:

What should I do as an AWS Cloud user?

You need to update all your servers with the suggested patches and reboot them to close this vulnerability.

5 steps to fix the Meltdown and Spectre vulnerabilities in an AWS environment

  1. Plan your update
  2. Back up your server data
  3. Install the patch as advised
  4. Activate a Tech-QA team to verify that the servers are up and running gracefully, as usual
  5. Watch for any further updates on the same
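Step 4 is the one that is easy to get wrong: a server that is "up and running" after the reboot is not necessarily running the patched kernel. The script below is an added example, not Botmetric's tooling, that verifies the mitigations the way a Tech-QA team would on each rebooted Linux instance. It reads the `/sys/devices/system/cpu/vulnerabilities/` files that patched kernels expose (one per variant: `meltdown`, `spectre_v1`, `spectre_v2`) and maps each kernel status line to a verdict. A missing file is reported as "not patched or not rebooted" rather than silently skipped. The sample status strings in `demo()` are constructed to show both a fully mitigated and a still vulnerable host; the exact mitigation names a real kernel prints vary by version.

```python
"""Verify Meltdown/Spectre kernel mitigations after patch + reboot (added example)."""
import os
import sys
import tempfile

# sysfs interface exposed by patched Linux kernels (4.15+ and vendor backports).
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# The three CVEs from the post, mapped to the kernel's sysfs file names.
VARIANTS = {
    "CVE-2017-5753 (Spectre v1)": "spectre_v1",
    "CVE-2017-5715 (Spectre v2)": "spectre_v2",
    "CVE-2017-5754 (Meltdown)": "meltdown",
}


def classify(status):
    """Map the kernel's one-line status to a verdict.

    Patched kernels report 'Not affected', 'Vulnerable' or 'Mitigation: <name>'
    (sometimes with extra detail). Anything unexpected is 'unknown' so that a
    parsing surprise never reads as safe.
    """
    if status.startswith("Not affected") or status.startswith("Mitigation:"):
        return "ok"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def check_mitigations(sysfs_dir=SYSFS_DIR):
    """Return {label: (raw_status, verdict)} for each variant.

    A missing file means the running kernel predates the sysfs interface,
    i.e. the patch is not installed or the instance has not been rebooted.
    """
    results = {}
    for label, fname in VARIANTS.items():
        try:
            with open(os.path.join(sysfs_dir, fname)) as fh:
                raw = fh.read().strip()
        except FileNotFoundError:
            raw = "<missing: kernel not patched or not rebooted>"
        results[label] = (raw, classify(raw))
    return results


def all_mitigated(results):
    """True only if every variant is 'Not affected' or has a mitigation."""
    return all(verdict == "ok" for _, verdict in results.values())


def _write_sample_sysfs(statuses):
    """Build a temporary directory imitating the sysfs tree (constructed data)."""
    directory = tempfile.mkdtemp(prefix="vuln-sysfs-")
    for fname, text in statuses.items():
        with open(os.path.join(directory, fname), "w") as fh:
            fh.write(text + "\n")
    return directory


def demo():
    """Run the check against two constructed hosts: patched and unpatched."""
    patched = _write_sample_sysfs({
        "meltdown": "Mitigation: PTI",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Mitigation: Full generic retpoline",
    })
    # Unpatched host: old kernel exposes no spectre_v2 file at all.
    unpatched = _write_sample_sysfs({
        "meltdown": "Vulnerable",
        "spectre_v1": "Vulnerable",
    })
    return {"patched": check_mitigations(patched),
            "unpatched": check_mitigations(unpatched)}


if __name__ == "__main__":
    # Usage: python3 check_mitigations.py [sysfs_dir]; exit 1 if anything is not mitigated.
    target = sys.argv[1] if len(sys.argv) > 1 else SYSFS_DIR
    res = check_mitigations(target)
    for label, (raw, verdict) in res.items():
        print(f"{verdict:10s} {label}: {raw}")
    sys.exit(0 if all_mitigated(res) else 1)
```

Run it on each instance after the reboot (for example through the same Ansible or Puppet run that installed the patch) and treat a non-zero exit as a failed verification for that host.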

FAQs for reference

Listed below are some of the questions most frequently asked by cloud engineers while fixing the Meltdown and Spectre vulnerabilities.

What AWS services are affected?

What action has AWS taken to mitigate the issue?

AWS is applying the necessary updates to protect the underlying infrastructure and is encouraging customers to patch their operating systems. As stated in the AWS forum, while the updates AWS performs protect the underlying infrastructure, customers must also patch their instance operating systems in order to be fully protected against these issues.

Most operating systems have patches, or will soon have them, and we recommend that customers apply them to their EC2 instances. These patches are designed to mitigate the issues as they apply to the operating systems running in customers’ individual instances. Updated Amazon Linux AMIs have been made available, and instructions for updating existing instances are provided in the security bulletin.

Do customers need to apply OS-level patches in addition to the mitigations made by AWS?

Yes. To avoid any security leak, customers need to apply the patches immediately, in addition to the mitigations made by AWS.

Is Amazon Linux affected, and if so, what version(s)?

Yes, pretty much all versions are affected.

Where can customers find required patches for other operating systems, if required?

Most operating systems have patches or will soon have them; we recommend visiting the respective vendor’s support site.

If I have 100+ servers, do I need to update and reboot them all?

Unfortunately, yes. To ensure complete and holistic security compliance, it is important to update and reboot all the servers.

How do you plan to update 100+ servers?

Use industry-standard automation tools such as Ansible, Puppet, etc. to streamline the update.

What if I don’t update my servers?

Experts expect that attackers will quickly develop programs to launch attacks now that the information is public. Dan Guido, chief executive of cybersecurity consulting firm Trail of Bits, said: “Exploits for these bugs will be added to hackers’ standard toolkits.”

I have launched my server today. Do I need to update?

An update is only required for servers launched or last updated on or before 10:45 PM (GMT) on January 3rd, 2018.
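Turning that cutoff into an inventory is the first part of "Plan your update", and it is also how the "100+ servers" question above becomes a concrete list to hand to Ansible or Puppet. The script below is an added example, not Botmetric's or AWS's own tooling: it takes the JSON that `aws ec2 describe-instances --output json` prints, parses each instance's `LaunchTime` (both the `...Z` and the `...+00:00` timestamp styles the CLI has used) and selects every instance launched on or before the post's cutoff. The embedded JSON is constructed sample data in the CLI's output shape; the instance ids and Name tags are placeholders, not real resources. Note that launch time only tells you when the instance was created, not whether someone has already patched it since, so the sysfs check remains the final word for each host.

```python
"""Select EC2 instances covered by the patch-and-reboot requirement (added example)."""
import json
import sys
from datetime import datetime, timezone

# Cutoff from the post: instances launched on or before this need patching.
CUTOFF = datetime(2018, 1, 3, 22, 45, tzinfo=timezone.utc)

# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0example000000001",
             "LaunchTime": "2017-12-20T08:00:00.000Z",
             "State": {"Name": "running"},
             "Tags": [{"Key": "Name", "Value": "web-1 (constructed)"}]},
            {"InstanceId": "i-0example000000002",
             "LaunchTime": "2018-01-03T22:45:00+00:00",  # exactly at the cutoff
             "State": {"Name": "running"},
             "Tags": [{"Key": "Name", "Value": "db-1 (constructed)"}]},
            {"InstanceId": "i-0example000000003",
             "LaunchTime": "2018-01-04T01:10:00.000Z",   # launched after the cutoff
             "State": {"Name": "running"},
             "Tags": []},
            {"InstanceId": "i-0example000000004",
             "LaunchTime": "2017-11-01T12:00:00.000Z",
             "State": {"Name": "stopped"},
             "Tags": [{"Key": "Name", "Value": "batch-1 (constructed)"}]},
        ]}
    ]
})


def parse_launch_time(text):
    """Parse either CLI timestamp style ('...Z' or '...+00:00') to an aware UTC datetime."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text).astimezone(timezone.utc)


def name_of(instance):
    """Return the Name tag, or '-' when the instance has none."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value")
    return "-"


def instances_needing_update(describe_output, cutoff=CUTOFF):
    """Return [(instance_id, name, state)] for instances launched on or before cutoff.

    Stopped instances are included on purpose: they will boot an unpatched
    kernel the moment someone starts them, so they belong in the plan too.
    """
    data = json.loads(describe_output)
    selected = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if parse_launch_time(inst["LaunchTime"]) <= cutoff:
                selected.append((inst["InstanceId"], name_of(inst), inst["State"]["Name"]))
    return selected


if __name__ == "__main__":
    # Usage: aws ec2 describe-instances --output json > instances.json
    #        python3 plan_update.py instances.json
    # Without an argument the constructed sample above is used.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DESCRIBE_INSTANCES
    for iid, name, state in instances_needing_update(source):
        print(f"{iid}\t{state}\t{name}")
```

The tab-separated output can be fed straight into an Ansible inventory or a Puppet node list; run it per region, since `describe-instances` only returns the region the CLI is pointed at.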

While the threat from these newly discovered flaws may still be hypothetical, very little technical work is needed to exploit them. After all, it takes just an annoying banner ad to compromise your device. Botmetric is updating its own servers and is in the process of informing its customers to do the needful.

So to be clear: cloud users absolutely need to push those buttons and update their own servers.

We wish you a happy cloud weekend.