Blog Tags: 

Meltdown and Spectre: What TurnKey users need to know

By now, I'm sure that you've already heard of the latest vulnerabilities doing the rounds; tagged Meltdown and Spectre. As seems to be the fashion, these new vulnerabilities have cool names, their own website, and the funky looking logos, just below.

I'll provide some more specific details and links for further reading below. I'll also cover checking that you are running a patched kernel, as well as some notes for AWS users.

Essentially, they are a class of CPU hardware vulnerabilities, where applications can read areas of memory (technically CPU cache) which don't belong to them, which they shouldn't be able to access.

meltdown logo: shield meltingspectre logo: ghost with stick

Personally, I recommend that you educate yourself about them, hence why I am providing a basic overview, with a resource section for more reading. But if you want to jump straight to the patching, please do so. Please also be aware though, that so far only Meltdown has been patched (all OS, not just Linux)! Some reports suggest that some Spectre mitigation is also provided, but I haven't been able to confirm that. Further mitigation patches for Spectre are expected at a future (as yet unknown) time.

TBH, I almost started this blog post late last week. However, the media cycle kicked into full spin quite quickly and Alon and I decided to hold off until we actually had something to add to the discussion. Or at least some specific info for TurnKey users. Anything else would have just been adding to the noise, which has now become deafening IMO.

Well, we have now reached that point! More so that we have some specific info for TurnKey users! :)

The Vulnerabilities

Just to confuse you, despite the 2 names, there are actually 3 variants of vulnerability, namely:

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

    Spectre comprises of variants 1 & 2; Meltdown is the moniker for variant 3.

    Essentially they comprise of a series of hardware vulnerabilities, described by Google's Project Zero member, Jann Horn as "arbitrary virtual memory read vulnerabilities across local security boundaries"

    Or to directly quote the more newb-friendly first paragraph from the website:

    Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

    Even more concerning for Cloud users is the next brief paragraph (emphasis is mine):

    Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.[!]

    So they potentially allow running processes, to snoop on the CPU cache (specific memory on the CPU die) of other processes. The implications of that are that sensitive data could be compromised by malicious processes (or malicious users with access to the hardware). My reading suggests that damaging or altering the data is not possible via these vulnerabilities, but e.g. reading your passwords or private GPG keys may be possible!

    It's worth also noting, that as of today, only Meltdown is completely patched. I have been lead to believe that some mitigation against Spectre has also been applied, but I can't 100% confirm that. These vulnerabilities are hardware related, so any software patches are mitigation, rather than proper fixes. At this point, there is a school of thought that suggests that at least one of the Spectre variants, may not be able to be software patched at all! Luckily for us, Meltdown is the easiest one to leverage, so having a patch for that will reduce any potential attack vector significantly.

    If you'd like to learn more, I suggest that you start at the website and if you're still hungry, read the related papers (Meltdown paper & Spectre paper). I can speak from experience, that vast majority of online articles relating to Meltdown and Spectre are just regurgitating the info you'll read there. Although both vulnerability website and the Debian CVEs contain additional links. I've post links that I thought might be useful in the resources section below.

    Patched kernel to mitigate against Meltdown

    As hinted above, the Meltdown vulnerability has been mitigated by a kernel patch which is now available for both Debian Jessie (basis of v14.x) and Debian Wheezy (basis of v13.x). No other previous versions of TurnKey (e.g. v12.x and earlier) are supported so will NOT receive any updates! If you are still running a v12.x (or earlier) TurnKey appliance, now would be a great time to migrate your data to a supported release!

    TurnKey v14.x

    The kernel update for Debian Jessie (v14.x) is covered by Debian Security Advisory; DSA-4082-1. As you may note, the kernel update covers a number of CVEs, but the most important one (for our current purposes) is CVE-2017-5754 (variant 3, aka Meltdown).

    If your auto security updates are working as they should, then you should already have the latest kernel. To check, run this command:

    apt-cache policy linux-image-amd64

    On a v14.x server, with latest secupdate installed, that should return the following:

      Installed: 3.16+63+deb8u1
      Candidate: 3.16+63+deb8u1
      Version table:
     *** 3.16+63+deb8u1 0
            500 jessie/updates/main amd64 Packages
            100 /var/lib/dpkg/status
         3.16+63 0
            500 jessie/main amd64 Packages

    Beyond that, you also need to be running this latest kernel. To check that, run this:

    uname -v
    (AWS Marketplace users may need to prepend this command with "sudo").

    On a patched system, that should return the following (note the version matches the package version above):

    #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) x86_64 GNU/Linux
    If you get something other than that (but apt shows the right package installed) then you need to reboot. Please double check after you have rebooted. If it shows anything other than noted above (as of today and probably the next few days at least) then chances are, you are NOT patched! Please feel free to ask in the comments and I'll clarify if you are uncertain.

    TurnKey v13.x

    The instructions and context for v13.x are almost identical to v14.x. The only difference is that the package version you need to check for is "3.2+46+deb7u1" (rather than "3.16+63+deb8u1"). The commands are identical, it's just the output that will be different.

    TurnKey v12.x and earlier

    Please note that v12.x and earlier WILL NOT get an update for this issue (or any others for that matter). Users of v12.x or earlier and STRONGLY advised to migrate to a currently supported version of TurnKey. If you need some guidance, please post in the forums.

    Special note for AWS users

    Considering the nature of this issue, as noted above, there has been considerable concern for servers running on shared hardware. However, AWS patched their servers last week, as well as also developing and applying patches to Xen (the hypervisor used by AWS). To quote their Security announcement:

    All instances across the Amazon EC2 fleet are protected from all known instance-to-instance concerns of the CVEs previously listed. Instance-to-instance concerns assume an untrusted neighbor instance could read the memory of another instance or the AWS hypervisor. This issue has been addressed for AWS hypervisors, and no instance can read the memory of another instance, nor can any instance read AWS hypervisor memory. We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads.

    The updates that they have applied ensure that instances can't leverage these attack vectors to gain unauthorised access to another instance's data. Whilst they do say that all instances are protected, both AWS and Xen suggest that PV instances may not be quite as isolated as would be ideal. So you would be well advised to migrate to an HVM instance if you are still using an old PV instance.

    Primary vulnerability resources

    Meltdown/Spectre website
    Meltdown paper
    Spectre paper
    Google Project Zero blogpost - by Jann Horn
    GitHub repo with PoC Meltdown exploit code and some videos of the exploit in action

    Hardware, AWS and Xen advisories

    Intel advisory - INTEL-SA-00088
    AMD advisory
    AWS advisory - AWS-2018-013
    Xen advisory - XSA-254

    Debian CVEs and DSAs/DLAs

    DSA-4082-1 (Debian Jessie/v14.x)
    DLA-1232-1 (Debian Wheezy/v13.x)

    As per always, if you have further questions or concerns, please post below in the comments, or open a new thread in the forums.

  • You can get future posts delivered by email or good old-fashioned RSS.
    TurnKey also has a presence on Google+, Twitter and Facebook.

    Post new comment