This article provides current support information for Spectre and Meltdown on the Steadfast Public Cloud.

Some brief contextual information:

• Spectre is also known as CVE-2017-5753 and CVE-2017-5715, and referred to in the Xen advisory 254 by the names SP1 and SP2 or as variant 1 and 2
• Meltdown is also known as CVE-2017-5754 and referred to in the Xen advisory 254 as SP3 or as variant 3
• Speculative Store Bypass is also known as CVE-2017-3639, XSA-263, or referred to as SP4 or as variant 4
• Lazy FP is also known as CVE-2018-3665, XSA-267, and the fix is referred to as Eager FPU
• Spectre variants 1.1 and 1.2 are known as CVE-2018-3693, but little information is yet available on these
• SpectreRSB is a new type of attack against Spectre and does not have a separate CVE or variant identifier
• NetSpectre is a new type of attack against Spectre and does not have a separate CVE or variant identifier
• The information contained in this article makes assumptions specific to Steadfast's Cloud environment and they are not necessarily applicable to other clouds

Current System Status

The current public cloud platform has been patched against Meltdown and Spectre variant 2 attacks.  The platform is based on CentOS 7 and Xen 4.8.  Prior to February 11th, the platform was based on CentOS 6 and Xen 4.4.  Xen 4.4 will not receive updates to fix either Meltdown or Spectre. On January 17th, the first patches that mostly mitigate Meltdown were made available for Xen 4.8, but no patches are yet available to mitigate Spectre.  Our migration to Xen 4.8 was the culmination of several months of testing and planning, which we started prior to disclosure of the security issues. We did not modify our plans as a result, other than to increase the urgency of our roll-out.

On February 23rd, the first available Xen patches which mitigate variant 2 of Spectre became available, however the solution required a compiler update and microcode updates that were not yet available on CentOS.  We deployed the update with initial mitigation once the compiler update was available in April.

In early June, we deployed CPU microcode updates once they were made available by Intel to mitigate spectre variant 2 using CPU assistance.

There is currently a mitigation in testing for Lazy FPU and the initial code to support a fix for Speculative Store Bypass is available but the required CPU microcode is not yet available.  We hope to roll out the Lazy FPU fix shortly.  This update will also include new performance improvements related to the Meltdown fix.

There is currently no known fix for Spectre variants 1.1 and 1.2, but it is unclear if Xen is affected.  Fixing these issues may require microcode updates.

In summary:

• Spectre (v1): No fix available, but very low risk in Xen
• Spectre (v2): Fully mitigated with compiler features and CPU microcode
• Meltdown (v3): Fully mitigated with Xen patches (performance improvements in testing)
• Speculative Store Bypass (v4): Available fix requires CPU microcode that is not yet released
• Lazy FP: Mitigation is in testing
• Spectre v1.1 and v1.2: Status of this vulnerability is currently unclear
• SpectreRSB: Fully mitigated with previous CPU microcode according to Intel
• NetSpectre: Fully mitigated with previous CPU microcode according to Intel

The status information indicated above may vary for customers with dedicated hypervisors based on maintenance arrangements.  We are continuously working to keep dedicated hypervisors in line with the public cloud.

Current Risks to VMs

Due to the way Xen is designed, Linux VMs do not need Meltdown kernel patches inside the VM.  They already cannot exploit the Meltdown issue using the normal Linux method.  However, Xen must be fixed to prevent users on Linux VMs from exploiting Xen directly to read the memory of other VMs on the same physical server.

Windows VMs cannot exploit the Xen variant of the Meltdown vulnerability, but Meltdown can be exploited inside a Windows VM to read its own memory from an unprivileged account unless the correct Windows Update package has been installed in the VM.  Linux VMs may be able to exploit the Xen issue to read the memory of unsuspecting Windows and Linux VMs even if they are patched.

Both types of VMs are vulnerable to Spectre, however the amount of exposure caused by Spectre is more limited and thus less of a danger overall than Meltdown. Some of the system updates available may mitigate part of Spectre, but the availability of patches varies wildly by operating system. Xen patches along with CPU microcode are required to provide complete mitigation.  Some of these fixes have been applied and some are coming soon.

Customers with dedicated hypervisors are protected from other customers, but the risks within VMs still apply as described above.  If you trust all the VMs on a single physical server, along with all the users and applications hosted on them, the risks associated with Spectre and Meltdown may be relatively low and you may not need to urgently upgrade.  If you have concerns about Meltdown on your private hypervisors, please contact our support team and we will plan out an upgrade to the patched Xen 4.8 version right away.  Otherwise, we will be contacting customers with dedicated hypervisors soon to work on upgrade planning soon.

Current Mitigation Options

The most complete mitigation available is running on patched hypervisors.  All public cloud VMs are currently on these hypervisors since February 11th and are being kept up to date with patches are they are ready.

If you are running Linux, you should also apply kernel updates that provide fixes to Spectre.  Updates fixing Meltdown are not required. Please note that working kernels are now available for all CentOS VMs that fix Spectre variants 1 and 2 and Lazy FPU:

• It is safe to upgrade the kernel for CentOS 7 VMs to kernel-plus version 3.10.0-693.21.1.el7.centos.plus or newer.
• It is safe to upgrade the kernel for CentOS 6 VMs to kernel version 2.6.32-696.20.1.el6 or newer.
• It is NOT safe to upgrade CentOS 6 VMs to kernel version 2.6.32-754.2.1.el6 or newer unless you add "eagerfpu=off" to the kernel command line.
  • This issue is caused by a bug with the Lazy FPU fix inside the CentOS 6 kernel, so this fix must be turned off for now.

If you are running Windows, you should also apply Windows updates:

• Windows Server 2016: Build 14393.2007 (KB4056890)
• Windows Server 2012 R2: KB4056898
• Windows Server 2008 R2: KB4056897 or KB4056894

If you trust your VM users, you may also want to consider a dedicated hypervisor, which guarantees all the VMs on the physical server are under your control.  This option does not itself prevent Meltdown or Spectre from being exploited, but limits the number of people who may have access to the server memory.  Keep in mind that if you operate applications that face untrusted users, an exploitable vulnerability in such an application could allow a user to run their own code and subsequently exploit Meltdown or Spectre.  If you'd like to explore the option of switching to private hypervisors, please contact our sales team for further information.

References

• Steadfast Meltdown and Spectre Advisory
• Xen Security Advisory XSA-254
• Xen Security Advisory XSA-263
• Xen Security Advisory XSA-267

If you need any help or have any questions regarding any of this information, please contact our support team.

Updates

August 1, 2018 @ 11:05 AM

• Added information about NetSpectre and SpectreRSB

July 17, 2018 @ 5:15 PM

• Added information related to Speculative Store Bypass, Lazy FPU, and Spectre variants 1.1 and 1.2
• Updated status information for public cloud hypervisors to indicate that Spectre variant 2 is mitigated
• Removed the meltdown patch information that is outdated
• Added a warning about the Lazy FPU bug preventing new CentOS 6 kernels from booting

March 13, 2018 @ 3:00 PM

• Updated to include CentOS 7 safe kernel-plus package from the official distribution instead of Steadfast-released version.
• Added a note about the newly available Xen SP2 Spectre patch.

February 12, 2018 @ 10:45 AM

• Updated to indicate that public cloud VMs are now running on Meltdown-patched hypervisors.

February 7, 2018 @ 6:35 PM

• Updated to indicate that both CentOS 7 and CentOS 6 users can upgrade to working kernels

January 26, 2018 @ 3:35 PM

• Updated to indicate that only CentOS 7 users need to avoid kernel updates now that CentOS 6 kernel 2.6.32-696.20.1.el6 is available

January 22, 2018 @ 1:45 PM

• Updated references to testing of Meltdown patch to indicate testing is complete.

January 18, 2018 @ 6:30 PM

• Rewrote the "Current Risks to VMs" section to be clearer and less redundant
• Clarified that applications that face untrusted users should be considered during risk analysis
• Added some clarifications around dedicated hypervisors
• Added a clarification about the optional status of the patched hypervisors and when the migration will become mandatory'