SECURITY NEWS

Recent Security News at CCL

Meltdown & Spectre

Over the past week the IT community has been working hard to mitigate two widespread vulnerabilities, Meltdown and Spectre, identified by researchers. These vulnerabilities are notable for their near-universal impact on devices with processors, which has resulted in a significant number of patches being released and planned. CCL has taken the necessary steps to secure our shared infrastructure platforms, and we are actively assisting clients with advice and services to secure on-premise and cloud-based environments.

We recommend that all clients assess and protect their environments against these vulnerabilities and ensure that systems are brought up to date and secured. Care should be taken to follow patching instructions, as outages have occurred as a result of not following the prescribed steps. Finally, Microsoft and other vendors have identified that some performance impact should be anticipated for certain workloads: estimates range from a 5-30% decline in performance, and older devices are more likely to be affected.

CCL IaaS platforms
CCL is programmatically addressing the identified vulnerabilities at the hardware and hypervisor levels.  Clients are responsible for patching their Operating Systems and applications residing on the platform unless these are managed by CCL.

Additional information will be provided through standard change control notifications or directly from your CRM.

Public Cloud platforms
All major public cloud providers have actively patched their environments and have taken steps to protect workloads. As with CCL's platforms, further patching may occur, and we recommend monitoring each provider's advisories.

Client dedicated virtual platforms, on-premise private cloud
For dedicated virtualisation platforms running earlier versions of VMware ESXi (ESXi 5.x) we are recommending a migration to ESXi 6.x, then patching to secure the hypervisor. In addition to the hypervisor, patching is also required at the hardware firmware (microcode), operating system and application levels. VMware has provided patches for ESXi which include microcode updates for popular CPUs. vCenter patches are required, and Virtual Hardware Version and VMware Tools updates may also be necessary. Outages will be required to complete patching, including power cycling VM guest machines and guest OS server reboots.

Clients running Microsoft Hyper-V will need to apply updates at both the host and guest level.

On-premise infrastructure
Servers, desktops, and mobile phones are all impacted by these vulnerabilities and associated security patches are being released.  Patching will impact some workloads and performance may degrade as a result.  CCL recommends that clients follow standard patching processes including appropriate testing before release of patches to production systems.

Please note that anti-virus patches / registry key changes are required before the Microsoft patch can be successfully applied.  For CCL managed AV / Endpoint Security clients, the registry key has been deployed.

Comprehensive protection against these vulnerabilities requires patching at the hardware firmware, operating system and application levels, in addition to the hypervisor, across multiple platforms. CCL has developed a guide for our engineering team to provide a best practice approach to managing the patching for Meltdown and Spectre.

If you would like more information or would like to discuss the potential performance impact to your workloads, please contact support@concepts.co.nz or 0800 225 468.

Additional information
The official Graz University of Technology research site containing information about the vulnerabilities and major vendor responses:

https://meltdownattack.com/

Additional vendor information:

https://kb.vmware.com/s/article/52245
https://support.microsoft.com/en-us/help/4073757/protect-your-devices-against-spectre-meltdown

Browser protections:

https://www.chromium.org/Home/chromium-security/ssca
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/

Performance impacts:

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
https://access.redhat.com/articles/3307751

Please contact CCL if you have any questions or concerns.