UPDATE 1/22/2018: Due to instabilities found in some Intel based servers operating with microcode patches, multiple vendors including VMware and Redhat Enterprise Linux have reverted their microcode patches. As a result, many servers will still be vulnerable to one version of the Spectre attack (CVE-2017-5715), even after updating their hypervisors and operating systems. GlobalCerts is closely monitoring this effort and is awaiting a more comprehensive update to mitigate all three variants of the vulnerability.
A major flaw in the inherent design of almost every modern Intel CPU and many AMD and ARM (mobile) processors has been discovered. The vulnerabilities were detailed Wednesday in a release from Google Project Zero. Apparently, the vulnerability was discovered much earlier in 2017. It was privately disclosed to the various CPU and operating system manufacturers to allow them time to create firmware updates and patches.
Almost all modern CPUs use a technique called “speculative execution” to predict and perform operations that will likely be needed. This speeds up the execution of many programs by allowing work to be done in parallel. The problem is this execution allows for a non-privileged user process to potentially read information stored in system (kernel) memory. For example, the processor will start working on a command to read the value stored at a certain memory address BEFORE checking that the value is “in bounds” for the calling program. Through a variety of techniques, this speculative command’s result can be leaked to the program and the information exploited. At it’s worst, this means that a user process running on a phone, laptop, computer, or server, could read arbitrary system memory. This memory stores sensitive data for the OS and other programs.
Effect on GlobalCerts’ Solutions
These vulnerabilities are not a huge concern on the SecureMail Gateway™ (SMG) system itself, since access to the system is restricted to trusted administrators and GlobalCerts technical support. However, there is a real potential for exploitation at the hypervisor level. If the SMG is running on top of a VMware or Hyper-V hypervisor, there is the potential for other VM guests being able to access the kernel space of the VMware host. It is therefore possible, but not very likely, for SMG information residing in system memory to be accessed via another VM guest on the same host.
VMware and Microsoft have already issued patches. For more information and the latest information on VMware’s patches to address these vulnerabilities, please visit https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html. If you are running the SMG on top of a Hyper-V hypervisor please see the following article from Microsoft: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
GlobalCerts recommends updating hypervisors hosting any SecureMail Gateway to the latest patches as soon as possible to address these vulnerabilities. Our Fast&Secure™ hosted environment (VMware) has already been patched to address these vulnerabilites as of today January 5, 2018.
The operating system the SMG operates on (CentOS Linux) has released a kernel patch to address this vulnerability and will be deployed in the next SMG patch cycle (version 5.0.0 PR_00200). This patch will include upgrading to the latest Linux kernel image (2.6.32-696.18.7.el6.x86_64) We are currently testing this patch for functionality, performance, and stability before rolling out to all customers.
If you are a current GlobalCerts customer and would like to receive more information about these vulnerabilities and how they affect our solutions, please contact us directly at firstname.lastname@example.org or (855) 614-CERT.
Relevant CVE numbers: CVE-2017-5715 and CVE-2017-5753 (Spectre), CVE-2017-5754 (Meltdown)
VMware Inc (2018, January 4). VMSA-2018-0002. Retrieved from https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
Brad Chacos and Michael Simon (2018, January 4). Meltdown and Spectre FAQ: Fix for Intel CPU flaws could slow down PCs and Macs. Retrieved from https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac.html
Peter Bright (2018, January 4). What’s behind the Intel design flaw forcing numerous patches?. Retrieved from https://arstechnica.com/gadgets/2018/01/whats-behind-the-intel-design-flaw-forcing-numerous-patches/