The Digital Edge Security Team is aware of a set of security vulnerabilities—known as Meltdown and Spectre—that affect modern CPUs and virtual memory access. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.
In short, a process running on a physical server can read information belonging to another process, to a virtual machine, or to the physical host itself.
This vulnerability is related to how virtual memory is mapped and handled.
Current computer systems use virtual memory mapping to handle code, data and physical resources more efficiently. For example, take one computer with the Windows OS and 2 programs running. Each program needs to display a message box. Neither program contains code to draw a message box window pixel by pixel; instead, each uses a function written once for all Windows programs and implemented in User32.dll. To obtain access to the functionality that draws the message box, each program "loads" and "links" User32.dll into its memory space. So, in theory, User32.dll would be loaded 3 times: once in the OS space, and 2 more copies, one in the process space of each program.
In reality, the OS loads this DLL only once and maps the memory space of User32.dll into each process. Each process therefore "thinks" that it has its own copy of User32.dll.
The vulnerability is related to the memory mapping and access protection mechanism. Each process should be self-contained and isolated. However, the newly discovered flaw makes it possible for one process to trick the CPU into giving it access to memory allocated to another process.
Everything so far is what the media has been talking about loudly but vaguely. Here is the real problem:
If you apply the same concept to the cloud world, each virtual machine is a process inside a physical server. A process running inside a virtual machine is in reality a process running on the physical machine, isolated from everything else. With this exploit, it is possible that one VM on Amazon or Azure (or any other cloud) can read the data of another VM on the same cloud host.
Only today did people start talking about the implications of this vulnerability for the public cloud. In our earlier security articles, the Digital Edge Security Team predicted that jailbreak attacks on the public cloud would come, and this one is a vivid case of the risks of deployments in public clouds.
Public cloud will be hit hard.
Here is the news from 1/4/2017 by The Verge: "Google representative said the company's cloud services had been protected against both Meltdown and Spectre, although they declined to elaborate on the Spectre protections. Amazon did not respond to a request for comment".
Does anybody believe that Google has already patched all of its servers? Do you think Amazon, which runs a proprietary hypervisor, has already come up with the fix and applied it?
Proof-of-concept exploits have been implemented by many security specialists. What needs to be done is to purchase a VM on Amazon and scan memory blocks on the host, shut down and kill the VM, re-create it (there is a good chance that it will be created on another physical host) and scan again. Continue doing this until you find something interesting. Someone next to your VMs in the cloud could be scanning your machines as you read this article.
What is frightening is that network segregation would not help in this situation, as a jailed VM would have access to ALL information residing on the physical host.
We can speculate that if a VM can gain access to the physical host, it can also gain access to the storage.
Possible Remediation
- Each vendor is preparing patches for its platforms. Microsoft, Linux and VMware patches are already available.
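Patching is only half of the remediation; the other half is verifying that the mitigation is actually active on every host after reboot. The script below is an added example written for this article, not code from Digital Edge or from any vendor. It assumes a Linux kernel that exposes the mitigation status files under /sys/devices/system/cpu/vulnerabilities/ (introduced in kernel 4.15 and backported by the major distributions); the sample status strings in SAMPLE_UNPATCHED and SAMPLE_PATCHED are constructed to mirror the format of those files so the logic can be exercised on a machine that does not have them.

```python
"""Report Meltdown/Spectre mitigation status from the Linux kernel's sysfs files.

Added example, not part of the original article. Assumes the sysfs interface
/sys/devices/system/cpu/vulnerabilities/ (Linux 4.15+ or distribution backports).
"""
import os
from typing import Dict

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# The three entries relevant to the article: Meltdown plus both Spectre variants.
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed samples in the format the kernel writes to those files.
# A host that was rebooted into a pre-mitigation kernel looks roughly like this:
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable\n",
}
# A host running a patched kernel with page-table isolation and retpolines:
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}


def classify(status: str) -> str:
    """Map a raw sysfs status line to one of four buckets.

    Anything we cannot positively recognise is reported as 'unknown' so that a
    missing file or an unexpected kernel string is never mistaken for 'safe'.
    """
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(directory: str = SYSFS_DIR) -> Dict[str, str]:
    """Read the raw status strings; a missing file yields an empty string."""
    statuses = {}
    for name in CHECKS:
        try:
            with open(os.path.join(directory, name), encoding="ascii") as handle:
                statuses[name] = handle.read()
        except OSError:
            statuses[name] = ""  # file absent: old kernel or not Linux
    return statuses


def assess(statuses: Dict[str, str]) -> Dict[str, str]:
    """Classify every check, defaulting to 'unknown' for entries not supplied."""
    return {name: classify(statuses.get(name, "")) for name in CHECKS}


def needs_attention(statuses: Dict[str, str]) -> bool:
    """True when any check is vulnerable or could not be determined (fail closed)."""
    return any(result in ("vulnerable", "unknown") for result in assess(statuses).values())


if __name__ == "__main__":
    live = read_sysfs()
    for check, result in assess(live).items():
        print(f"{check:11s} {result:13s} {live[check].strip() or '(no sysfs entry)'}")
    print("ACTION REQUIRED" if needs_attention(live) else "All checks mitigated or not affected")
```

Run it on each host after applying the vendor kernel update and rebooting; on a fleet, collecting the per-host output centrally turns the vendor's "patch available" statement into evidence that the patch is in effect. Treating "unknown" as a failure is deliberate: a host whose kernel predates the sysfs interface cannot be running the mitigation.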
When Should You Worry?
- If you are running on public cloud.
- If you are running multi-tenant environments where clients absolutely cannot see each other.
When You May Not Have to Worry So Much?
- If you share servers but all your users are internal users and you trust them.
- If you do not share your servers or virtual platform.
For technical details, Digital Edge would like you to refer to the US-CERT article and the Project Zero team at Google.
Please contact Digital Edge's Support Team if you feel that you need help with this vulnerability.
Digital Edge helps clients to implement and operate their infrastructures in public or private clouds in compliance with ISO and NIST frameworks.
If you want to talk to us about your cloud initiatives or cloud security, please contact us at https://www.digitaledge.net/contact/.