sandra_henrystocker
Unix Dweeb

Red Hat responds to the Intel processor flaw

Feature
Jan 04, 2018, 5 mins
Linux, Red Hat

How are the Linux vendors addressing the recently-exposed Intel processor flaw? I asked Red Hat and got some solid answers.

What is the nature of the problem?

Discovered some time ago, but only just yesterday brought into public view, the CPU flaw allows an attacker to bypass restrictions to gain access to privileged memory (which should be inaccessible) — possibly stealing sensitive information from computer systems, mobile devices, and cloud deployments. There are actually two problems and they’ve been dubbed “Meltdown” and “Spectre”. They potentially affect 90% of computer servers and virtually every Intel microprocessor.

The Meltdown flaw is specific to Intel, while Spectre stems from a design approach that has been used by many processor manufacturers for decades.

These problems seem to have come about as a result of “speculative execution” — an optimization technique that involves doing work before it is known whether that work will be needed. Correcting the vulnerabilities, therefore, comes at a performance price. More information on this tradeoff is available from this Red Hat post. Patches could slow down systems by as much as 30% — a hit that most users are likely to feel. However, the specific performance impact will be workload dependent. To address Spectre in the short term, Red Hat has modified the kernel so that, by default, it does not use the performance features that enable the vulnerability. Their customers do have the option to disable the patch and use the performance features. While Red Hat is working with chip manufacturers and OEMs on a longer-term solution, this option gives customers a way to make their own security and performance decisions.

According to Red Hat, the problem affects many hardware platforms, including x86 (Intel and AMD chipsets), POWER 8, POWER 9, System z, and ARM, and could allow unauthorized read access to memory. There are three unique attack paths that could allow an attacker to bypass protections and read memory they should have no access to. They are described by three CVEs (Common Vulnerabilities and Exposures). These are:

  • CVE-2017-5754: The most severe of the three, this exploit allows a local attacker to read memory using speculative cache loading and is corrected with kernel patches.
  • CVE-2017-5753: This one is a bounds-checking exploit and is also corrected with a kernel patch.
  • CVE-2017-5715: This issue is an indirect branch poisoning attack that can cause data leakage. It can allow a virtualized guest to read memory from the host system. It is corrected with microcode and with kernel and virtualization updates to guest and host virtualization software.
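
A check an administrator can run after updating, added here as an example (it is not from the article or from Red Hat): it maps the three CVEs to the per-issue status files that kernels with vulnerability reporting expose under /sys/devices/system/cpu/vulnerabilities and classifies each one. That the host kernel provides this directory is an assumption, and the sample directory contents are constructed.

```bash
#!/usr/bin/env bash
# Added example: kernel-reported status for the three CVEs in the list above.
# Assumption: the running kernel exposes per-issue status files in this
# directory; kernels without that reporting yield UNKNOWN.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map a CVE to the status file name used by the kernel.
cve_to_file() {
  case "$1" in
    CVE-2017-5754) echo meltdown ;;    # speculative cache loading
    CVE-2017-5753) echo spectre_v1 ;;  # bounds-check bypass
    CVE-2017-5715) echo spectre_v2 ;;  # indirect branch poisoning
    *) return 1 ;;
  esac
}

# Print MITIGATED, NOT_AFFECTED, VULNERABLE or UNKNOWN for one CVE.
cve_status() {
  local cve="$1" dir="${2:-$VULN_DIR}" name line=""
  name=$(cve_to_file "$cve") || { echo UNKNOWN; return 0; }
  [ -r "$dir/$name" ] || { echo UNKNOWN; return 0; }
  IFS= read -r line < "$dir/$name" || true   # tolerate a missing newline
  case "$line" in
    "Not affected"*) echo NOT_AFFECTED ;;
    "Mitigation:"*)  echo MITIGATED ;;
    "Vulnerable"*)   echo VULNERABLE ;;
    *)               echo UNKNOWN ;;
  esac
}

# Report all three; non-zero exit if any is VULNERABLE or UNKNOWN.
report() {
  local dir="${1:-$VULN_DIR}" rc=0 cve st
  for cve in CVE-2017-5754 CVE-2017-5753 CVE-2017-5715; do
    st=$(cve_status "$cve" "$dir")
    printf '%-14s %s\n' "$cve" "$st"
    case "$st" in VULNERABLE|UNKNOWN) rc=1 ;; esac
  done
  return "$rc"
}

# Constructed sample directory so the script runs on any host.
make_sample() {
  local d; d=$(mktemp -d)
  echo 'Mitigation: PTI' > "$d/meltdown"
  echo 'Mitigation: __user pointer sanitization' > "$d/spectre_v1"
  echo 'Vulnerable' > "$d/spectre_v2"
  echo "$d"
}

report "$(make_sample)" || echo "not every CVE is confirmed mitigated"
```

Calling `report` with no argument reads the live directory; the status reflects the kernel's view, so a microcode update for CVE-2017-5715 shows up only once the kernel has picked it up.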

What should users do?

Because of the threat and the possibility of vulnerability chaining (exploiting one vulnerability leading to the ability to exploit another vulnerability), Red Hat suggests that their customers update their systems even if they do not believe the threat will affect them. They have advised that these Red Hat systems are affected:

  • Red Hat Enterprise Linux 7.x
  • Red Hat Enterprise Linux 6.x
  • Red Hat Enterprise Linux 5.x
  • Red Hat Enterprise Linux for Real Time
  • Red Hat Enterprise Linux for SAP Applications
  • Red Hat Enterprise Linux for SAP HANA
  • Red Hat Enterprise Linux for SAP Solutions
  • Red Hat Enterprise MRG 2
  • Red Hat OpenShift 3.x
  • Red Hat OpenShift 2.x
  • Red Hat Virtualization (RHEV-H/RHV-H) 4.1
  • Red Hat Virtualization (RHEV-H/RHV-H) 3.6
  • Red Hat OpenStack Platform 12
  • Red Hat OpenStack Platform 11
  • Red Hat OpenStack Platform 10
  • Red Hat OpenStack Platform 9
  • Red Hat OpenStack Platform 8
  • Red Hat OpenStack Platform 7
  • Red Hat OpenStack Platform 6

Red Hat has provided background information on the flaw at this URL.

More information on Meltdown and Spectre is available at meltdownattack.com.

Red Hat statements

Statement from Chris Robinson, manager of Product Security Assurance, Red Hat:

“These vulnerabilities (CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754) represent an access restriction bypass flaw that impacts many CPU architectures and many of the operating systems that enable that hardware. Working with other industry leaders, Red Hat has developed kernel security updates for products in our portfolio to address these vulnerabilities. We are working with our customers and partners to make these updates available, along with the information our customers need to quickly secure their physical systems, virtual images, and container-based deployments.”

Statement from Denise Dumas, vice president, Operating System Platform, Red Hat:

“These vulnerabilities have a broad impact on the IT industry, affecting many modern microprocessors and enabling an attacker to bypass restrictions to gain read access to privileged memory which would otherwise be inaccessible through side-channels. In short, these vulnerabilities could allow a malicious actor to steal sensitive information from almost any computer, mobile device, or cloud deployment. Importantly, several technology industry leaders, including Red Hat, worked together to create patches that correct this issue, underscoring the value of industry collaboration. It is key that people – from consumers to enterprise IT organizations – apply the security updates they receive. Because these security updates may affect system performance, Red Hat has included the ability to enable them selectively in order to better understand the impact on sensitive workloads.”

Sandra Henry-Stocker has been administering Unix systems for more than 30 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She lives in the mountains in Virginia where, when not working with or writing about Unix, she's chasing the bears away from her bird feeders.

The opinions expressed in this blog are those of Sandra Henry-Stocker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.