Steadfast Public Cloud CPU Side Channel Vulnerability Information
Posted by Kevin Stange, Last modified by Kevin Stange on 09 June 2020 05:53 PM

This article provides current support information for Spectre, Meltdown, and related side channel vulnerabilities on the Steadfast Public Cloud.

Here is a summary of the currently known issues:

Common Name                            CVE(s)                                  Xen Advisory       Intel Advisory  Aliases
Spectre v1                             CVE-2017-5753                           XSA-254, XSA-289   OSS-10002       SP1
Spectre v2                             CVE-2017-5715                           XSA-254            SA-00088        SP2
Meltdown                               CVE-2017-5754                           XSA-254            OSS-10003       SP3
Spectre v3a                            CVE-2018-3640                           N/A                SA-00115        SP3a, RSRE
Speculative Store Bypass               CVE-2018-3639                           XSA-263            SA-00115        SP4, SSB
Lazy FP                                CVE-2018-3665                           XSA-267            SA-00145        Eager FPU (the fix)
Spectre v1.1 and v1.2                  N/A                                     N/A                N/A             N/A
SpectreRSB                             N/A                                     N/A                N/A             N/A
NetSpectre                             N/A                                     N/A                N/A             N/A
L1 Terminal Fault                      CVE-2018-3620, CVE-2018-3646            XSA-273, XSA-289   SA-00161        L1TF
Microarchitectural Data Sampling       CVE-2018-12126, CVE-2018-12127,         XSA-297            SA-00233        MDS, ZombieLoad, RIDL, Fallout
                                       CVE-2018-12130, CVE-2019-11091
SWAPGS                                 CVE-2019-1125                           N/A                N/A             N/A
TSX Asynchronous Abort                 CVE-2019-11135                          XSA-305            SA-00270        TAA
Special Register Buffer Data Sampling  CVE-2020-0543                           XSA-320            SA-00320        SRBDS, CrossTalk

The information in this article makes assumptions specific to Steadfast's cloud environment (Xen on CentOS, the CPUs deployed there, and the guest types offered); it is not necessarily applicable to other clouds.

Current System Status

The following table describes the current issues and the fix status for each. "Hypervisor Status" is the state of the Xen hosts; "VM Status" is what the customer still has to do inside the guest.

Variant                                 Hypervisor Status   Hypervisor Fix Date                            VM Status
Spectre v1                              Not vulnerable      N/A                                            Requires OS update
    Per XSA-254 and XSA-289, after much review no vulnerable code has been found in Xen, but some "risky" code patterns have been fixed.
Spectre v2                              Fully mitigated     April 2018 (compiler); June 2018 (microcode)   Requires OS update
    Fixed with compiler features and CPU microcode.
Meltdown                                Fully mitigated     February 2018                                  Linux: no update required; Windows: requires OS update
    Fixed with Xen patches. Performance improvements were added in August 2018.
Spectre v3a                             Fully mitigated     September 2018                                 No update required
    Fixed with CPU microcode.
Speculative Store Bypass                Fully mitigated     September 2018                                 Requires OS update
    The VM-side fix relies on the Xen patch and CPU microcode.
Lazy FP                                 Fully mitigated     August 2018                                    Requires OS update
    The fix improves performance. CentOS 6 has a known issue that requires the kernel option eagerfpu=off (see Current Mitigation Options).
Spectre v1.1 and v1.2                   Not vulnerable      N/A                                            Possible OS update
    This issue does not affect Xen, but may affect some VM operating systems.
SpectreRSB                              Fully mitigated     June 2018                                      Possible OS update
    A proof-of-concept exploitation of Spectre v2; resolved by the v2 mitigation.
NetSpectre                              Fully mitigated     June 2018                                      Possible OS update
    A proof-of-concept exploitation of Spectre v2; resolved by the v2 mitigation.
L1 Terminal Fault                       Fully mitigated     September 2018                                 Requires OS update
    The VM-side fix relies on the Xen patch and CPU microcode. Linux VMs need a kernel update to avoid a performance loss.
Microarchitectural Data Sampling        Fully mitigated     July 2019                                      Requires OS update
    The VM-side fix relies on the Xen patch and CPU microcode. The Windows and Linux kernel mitigations are not effective unless the microcode has been deployed and the VM has been fully shut down and started so that it sees the new CPU features.
SWAPGS                                  Not vulnerable      N/A                                            Linux: no update required; Windows: requires OS update
    This issue does not affect Xen, but affects Windows VMs.
TSX Asynchronous Abort                  Not vulnerable      N/A                                            No update required
    The hardware in the Steadfast environment does not support TSX, so it is not affected.
Special Register Buffer Data Sampling   Not vulnerable      N/A                                            No update required
    This issue does not affect the hardware in the Steadfast environment.

The status information indicated above may vary for customers with dedicated hypervisors based on maintenance arrangements.  We are continuously working to keep dedicated hypervisors in line with the public cloud.

Platform History

The current public cloud platform has been patched against Meltdown and Spectre variant 2. The platform is based on CentOS 7 and Xen 4.8. Prior to February 11, 2018, it was based on CentOS 6 and Xen 4.4, which will not receive updates for either Meltdown or Spectre. On January 17, 2018, the first patches that mostly mitigate Meltdown were made available for Xen 4.8; at that time no patches were yet available to mitigate Spectre. Our migration to Xen 4.8 was the culmination of several months of testing and planning that started before the disclosure of these issues; we did not change the plan as a result, other than to increase the urgency of the roll-out.

On February 23, 2018, the first Xen patches mitigating Spectre variant 2 became available; however, they required a compiler update and CPU microcode that were not yet available on CentOS. We deployed the Xen update with the initial (compiler-based) mitigation once the compiler update became available in April 2018.

In early June 2018, we deployed CPU microcode updates once they were made available by Intel to mitigate Spectre variant 2 using CPU assistance.

In early August 2018, we deployed a version of Xen containing the Lazy FP fix as well as performance improvements related to the Meltdown fix. That build also included the fixes for Speculative Store Bypass and Spectre v3a, but they were not effective until the matching CPU microcode was present. We deployed the microcode update required by the SSB fix in late September 2018.

Available information indicates no fix is required in Xen for Spectre variants 1, 1.1, and 1.2.

Available information indicates that SpectreRSB and NetSpectre are proof of concept attacks for which the Spectre v2 fixes provided mitigation.

There are two different fixes for L1TF depending on the VM operating mode. A complete fix for Windows VMs required a microcode update (the same one as for SSB) and disabling hyperthreading on the CPUs; a complete fix for Linux VMs requires only a Xen software update. The necessary code updates for L1TF were deployed in late September 2018. Hyperthreading was turned off completely in the environment in early 2019 to fully mitigate the risk to Windows VMs.

MDS mitigation requires a new CPU capability which requires microcode updates for all affected processors, hyperthreading must be disabled, and Xen and guest kernels must be updated to take advantage of the new capability.  We obtained the required microcode on June 19, 2019 and all hypervisors were fully patched by July 2, 2019.

SWAPGS mitigation requires no action on the hypervisor because Xen does not use the vulnerable CPU feature.

TAA mitigation requires no action on the hypervisor because the CPU does not support the vulnerable feature.

SRBDS does not affect the hypervisor because the CPU does not support the vulnerable feature.

Important: To fully take advantage of all available mitigations it is necessary to upgrade your VM to the latest available kernel or Windows update version, then fully shut down and boot up the VM.  This will ensure that the CPU capabilities provided by the new microcode are seen by the OS and used optimally.

Current Risks to VMs

Due to the way Xen runs Linux VMs, they do not need Meltdown kernel patches inside the VM: user processes in such a VM already cannot exploit Meltdown by the normal Linux method. However, Xen itself must be fixed, because on an unpatched hypervisor a user on a Linux VM could exploit Xen directly to read the memory of other VMs on the same physical server.

Windows VMs cannot exploit the Xen variant of Meltdown, but Meltdown can be exploited inside a Windows VM to read the VM's own memory from an unprivileged account unless the correct Windows Update package has been installed. On an unpatched hypervisor, Linux VMs may be able to exploit the Xen issue to read the memory of other Windows and Linux VMs even if those VMs are patched.

Both types of VM are vulnerable to Spectre; however, the exposure from Spectre is more limited and so less of a danger overall than Meltdown. Some operating system updates mitigate part of Spectre, but patch availability varies widely by operating system. Xen patches along with CPU microcode are required to provide complete mitigation for Spectre and the other side channel issues.

Current Mitigation Options

The most complete mitigation available is running on patched hypervisors. All public cloud VMs have been on these hypervisors since February 11, 2018, and the hypervisors are kept up to date with patches as soon as they are ready.

If you are running Linux, you should also apply kernel updates that provide fixes to Spectre and other Side Channel issues.  Updates fixing Meltdown and TAA are not required. Please note that working kernels are now available for all CentOS VMs that fix all variants up to and including MDS:

  • It is safe to upgrade the kernel for CentOS 7 VMs to kernel-plus version 3.10.0-957.12.2.el7.centos.plus or newer.
  • It is safe to upgrade the kernel for CentOS 6 VMs to kernel version 2.6.32-696.20.1.el6 which includes limited Spectre fixes.
  • It is NOT safe to upgrade CentOS 6 VMs to kernel version 2.6.32-754.14.2.el6 or newer unless you add "eagerfpu=off" to the kernel command line.
    • This issue is caused by a bug with the Lazy FP fix inside the CentOS 6 kernel, so this fix must be turned off.
    • If you set "eagerfpu=off" it is safe to upgrade to 2.6.32-754.14.2.el6, which includes all other fixes through MDS.
    • If you feel that Eager FPU is an important fix, we suggest planning to upgrade to CentOS 7, or switching to kernel 4.4 provided by ELRepo.
  • Kernel updates are not needed to address SWAPGS when running under Xen.
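Two things are worth checking from inside a Linux guest after following the list above: whether a CentOS 6 VM is about to boot a kernel that needs eagerfpu=off, and whether, after the full shutdown and start described below, the guest kernel actually sees the microcode-provided CPU features and reports each variant as mitigated. The POSIX shell script below is an added example, not Steadfast tooling; it reads the kernel's /sys/devices/system/cpu/vulnerabilities/* files and the /proc/cpuinfo flags line. The version threshold is taken from this article; the flag names ibpb, ssbd and md_clear are the ones recent Linux kernels report and are an assumption about the guest kernel in use; the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example (not Steadfast's code): guest-side checks for the side channel
# mitigations discussed in this article. Assumed: the CentOS 6 threshold
# 2.6.32-754.14.2.el6 from the article and the cpuinfo flag names ibpb/ssbd/md_clear.

# ver_ge A B: return 0 if kernel release A >= B. Fields are split on '.' and '-';
# non-numeric tags such as el6, centos or plus compare as 0.
ver_ge() {
  a=$(printf '%s' "$1" | tr '-' '.')
  b=$(printf '%s' "$2" | tr '-' '.')
  i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi   # all fields equal
    case "$x" in ''|*[!0-9]*) x=0;; esac
    case "$y" in ''|*[!0-9]*) y=0;; esac
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
}

# el6_boot_safe KERNEL_RELEASE CMDLINE: because of the Lazy FP fix bug in the CentOS 6
# kernel, any el6 kernel at or past 2.6.32-754.14.2 must boot with eagerfpu=off.
# Prints a verdict; returns 1 when the combination is unsafe.
el6_boot_safe() {
  krel=$1
  cmdline=" $2 "
  case "$krel" in
    *.el6*) ;;
    *) echo "ok: $krel is not a CentOS 6 kernel"; return 0;;
  esac
  if ver_ge "$krel" "2.6.32-754.14.2.el6"; then
    case "$cmdline" in
      *" eagerfpu=off "*) echo "ok: $krel boots with eagerfpu=off"; return 0;;
      *) echo "UNSAFE: $krel needs eagerfpu=off on the kernel command line"; return 1;;
    esac
  fi
  echo "ok: $krel predates the Lazy FP fix"
  return 0
}

# microcode_flags_ok FLAGS: after a full shutdown and start the guest should see the
# features the new microcode adds: ibpb (Spectre v2), ssbd (SSB), md_clear (MDS).
# Names each missing flag and returns 1 if any is absent.
microcode_flags_ok() {
  flags=" $1 "
  rc=0
  for need in ibpb ssbd md_clear; do
    case "$flags" in
      *" $need "*) ;;
      *) echo "missing cpu flag: $need"; rc=1;;
    esac
  done
  return $rc
}

# vuln_status [DIR]: print the guest kernel's own verdict per variant from the sysfs
# vulnerabilities directory (DIR overrides the path, e.g. for a copied snapshot);
# returns 1 if any entry still reports Vulnerable.
vuln_status() {
  dir=${1:-/sys/devices/system/cpu/vulnerabilities}
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    v=$(cat "$f")
    printf '%-20s %s\n' "$(basename "$f")" "$v"
    case "$v" in Vulnerable*) rc=1;; esac
  done
  return $rc
}

# Stand-alone run on a Linux guest: report on the running kernel and CPU.
# Constructed inputs for reading along: el6_boot_safe 2.6.32-754.14.2.el6 "ro root=/dev/xvda1"
# prints UNSAFE, and microcode_flags_ok "fpu vme ibpb ssbd" reports md_clear missing.
if [ -r /proc/cmdline ] && [ -r /proc/cpuinfo ]; then
  el6_boot_safe "$(uname -r)" "$(cat /proc/cmdline)"
  microcode_flags_ok "$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)"
  vuln_status
fi
```

Run it as `sh sidechannel-check.sh` inside the VM. A guest whose hypervisor carries the new microcode but which was only rebooted, rather than fully shut down and started from the control panel, is exactly the case the flag check is there to catch: the kernel's sysfs entries will then show a mitigation that cannot be effective because the CPU feature behind it is not visible.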

If you are running Windows, you should apply Windows updates to patch issues up to and including SWAPGS:

  • Windows Server 2019: Build 17763.615 (KB4507469)
  • Windows Server 2016: Build 14393.3085 (KB4507460)
  • Windows Server 2012 R2: KB4507457 (Security only) or KB4507448 (Full update)
  • Windows Server 2008 R2: KB4507456 (Security only) or KB4507449 (Full update)

Important: After applying updates you should fully shut down your VM, then start it back up from the control panel.  This ensures the VM boots up with awareness of microcode features that enable all fixes to be effective.

If you trust your VM users, you may also want to consider a dedicated hypervisor, which guarantees all the VMs on the physical server are under your control.  This option does not itself prevent side channel vulnerabilities from being exploited, but limits the number of people who may have access to the server memory.  Keep in mind that if you operate applications that face untrusted users, an exploitable vulnerability in such an application could allow a user to run their own code and subsequently exploit Meltdown, Spectre, or other side channel vulnerabilities.  If you'd like to explore the option of switching to private hypervisors, please contact our sales team for further information.

References

  • Steadfast Meltdown and Spectre Advisory
  • Xen Security Advisory XSA-254
  • Xen Security Advisory XSA-263
  • Xen Security Advisory XSA-267
  • Xen Security Advisory XSA-273
  • Xen Security Advisory XSA-289
  • Xen Security Advisory XSA-297
  • Xen Security Advisory XSA-305
  • Xen Security Advisory XSA-320

If you need any help or have any questions regarding any of this information, please contact our support team.

Updates

June 9, 2020 @ 5:45 PM

  • Updated SRBDS information to indicate no vulnerability exists on the environment

June 9, 2020 @ 12:50 PM

  • Added initial information for Special Register Buffer Data Sampling

November 11, 2019 @ 3:15 PM

  • Added initial information for TSX Asynchronous Abort

August 7, 2019 @ 12:30 PM

  • Added initial information for SWAPGS

July 2, 2019 @ 5:30 PM

  • Updated MDS information to indicate mitigation is fully deployed to the public cloud environment

June 25, 2019 @ 11:40 AM

  • Updated MDS information to indicate that microcode is now being deployed
  • Add notes to indicate VMs should be shut down and then started up manually to ensure microcode features are detected by VMs

June 19, 2019 @ 4:30 PM

  • Updated MDS information to indicate that microcode is now in testing
  • Removed outdated information related to private hypervisors

May 20, 2019 @ 3:05 PM

  • Added initial information for MDS (Microarchitectural Data Sampling)
  • Updated Spectre v1 information to clarify there are no known hypervisor vulnerabilities
  • Added Spectre v3a information
  • Added clarifications of dates now that more than a year has passed
  • Added additional details related to Intel Advisories
  • Minor wording corrections and clarifications

September 24, 2018 @ 5:15 PM

  • Converted the information to tables and cleaned up the details
  • Updated the status to indicate that L1TF and SSB mitigation is now available on public cloud hypervisors

September 14, 2018 @ 2:30 PM

  • Corrected the status of SSB mitigation to clarify that the hypervisor is not vulnerable, but mitigation still is needed for VMs

August 30, 2018 @ 3:55 PM

  • Corrected status of L1TF and SSB to indicate full mitigation including CPU microcode is now in testing

August 30, 2018 @ 11:30 AM

  • Added information about L1 Terminal Fault
  • Updated mitigation status to indicate that Lazy FP is now mitigated and that Spectre 1.1 does not affect the environment
  • Added notes regarding Meltdown performance improvements
  • Updated patching version information for Windows and Linux VMs

August 1, 2018 @ 11:05 AM

  • Added information about NetSpectre and SpectreRSB

July 17, 2018 @ 5:15 PM

  • Added information related to Speculative Store Bypass, Lazy FPU, and Spectre variants 1.1 and 1.2
  • Updated status information for public cloud hypervisors to indicate that Spectre variant 2 is mitigated
  • Removed the Meltdown patch information that is outdated
  • Added a warning about the Lazy FPU bug preventing new CentOS 6 kernels from booting

March 13, 2018 @ 3:00 PM

  • Updated to include CentOS 7 safe kernel-plus package from the official distribution instead of Steadfast-released version.
  • Added a note about the newly available Xen SP2 Spectre patch.

February 12, 2018 @ 10:45 AM

  • Updated to indicate that public cloud VMs are now running on Meltdown-patched hypervisors.

February 7, 2018 @ 6:35 PM

  • Updated to indicate that both CentOS 7 and CentOS 6 users can upgrade to working kernels

January 26, 2018 @ 3:35 PM

  • Updated to indicate that only CentOS 7 users need to avoid kernel updates now that CentOS 6 kernel 2.6.32-696.20.1.el6 is available

January 22, 2018 @ 1:45 PM

  • Updated references to testing of Meltdown patch to indicate testing is complete.

January 18, 2018 @ 6:30 PM

  • Rewrote the "Current Risks to VMs" section to be clearer and less redundant
  • Clarified that applications that face untrusted users should be considered during risk analysis
  • Added some clarifications around dedicated hypervisors
  • Added a clarification about the optional status of the patched hypervisors and when the migration will become mandatory