How to secure your operating system against the Bounds-Check and Branch Target Injection vulnerabilities
Posted by Paweł Gazda on 01.02.2018 18:59

Undoubtedly, the beginning of this year is a busy period for IT system administrators, all due to the security gaps discovered in Intel and AMD processors. Luckily, the patches are now available and we are keeping an eye on this subject. However, the process is a bit more complex and we cannot do everything alone. The update procedure also requires actions on the Oktawave clients' side.

What have we already done?

On the Oktawave side, we immediately proceeded to implement the VMSA-2018-0002 update (https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html). The implementation was successful. Despite the media speculation about a possible reduction in CPU performance of up to 30%, the tests we carried out in all five subregions after implementing the update do not show any deterioration in the performance of OCI instances.


What will we do?

In order to address the issue, a second patch, VMSA-2018-0004, is required (https://www.vmware.com/security/advisories/VMSA-2018-0004.html). Unfortunately, after we had already started this operation, we received information that the CPU microcode update had to be suspended because of the risk it poses to Broadwell and Haswell processors. The topic is described in more detail here: https://kb.vmware.com/s/article/52345.

As a result, we have decided to suspend the microcode and hypervisor updates and to continue updating the so-called "hardware version" of virtual machines.


What do Oktawave customers have to do?

In the future, after Intel solves the problems, in addition to hypervisors, the microcode of processors will also be updated. This forces us to raise the so-called "hardware version" of virtual machines up to version 10 (the current version is marked with the number 8). There is a small risk that after this update some applications that our clients installed on their OCI will not start correctly. A list of differences between "hardware version" 8 and 10 can be found at this address: https://kb.vmware.com/s/article/2051652.

The most important effect of the update is adding support for the CPU PCID flag (Process Context Identifiers). Because of the complexity of the problem, this is an action that the clients must carry out themselves. You do not need to wait for the microcode update; the procedure should be carried out according to the following scheme.

1. Turn off the OCI instances.
2. Create a snapshot of it (it is necessary in order to return to the previous version of the OCI in case of failure).
3. Implement the Hardware version update (described in more detail below).
4. Turn the machine on.
5a. If the machine is working properly:

  • turn the machine off,
  • remove the snapshot,
  • turn the machine on.

5b. If the machine is not working properly, please restore it from the snapshot and contact customer@oktawave.com.
6. We recommend removing all snapshots from before the upgrade (their restoration would undo the upgrade).


Hardware version upgrade

The hardware version upgrade procedure is available for machines that have not yet been upgraded. An attempt to update the hardware version where it is not necessary will result in a validation error.

To initiate the hardware update process, select the Oktawave Cloud Instance from the list of services, go to a specific instance and select the Update hardware version link on the tab.

The effectiveness of the update can be verified by checking the CPU flags visible inside the virtual machine: the pcid flag should appear. For this purpose, issue the command cat /proc/cpuinfo, which should produce output like the following.

flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc aperfmperf pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm ida arat epb pln pts dtherm fsgsbase smep


Operating system update

After successfully completing the operation described above, we recommend updating the operating system software in accordance with your own security policy. Patches for the Bounds-Check and Branch Target Injection vulnerabilities are now available for most operating systems, as they have been treated as high priority.

Detailed instructions on updating individual Linux distributions can be found at: https://www.cyberciti.biz/faq/patch-meltdown-cpu-vulnerability-cve-2017-5754-linux/.
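The two checks a practitioner wants after following this article are whether the guest now sees pcid on every vCPU (the hardware version section above) and whether the updated kernel reports its mitigations (the operating system update just described). The script below is an added example, not part of the Oktawave article and not an Oktawave tool. It reads /proc/cpuinfo and the kernel's /sys/devices/system/cpu/vulnerabilities directory (present on Linux 4.15 and on vendor kernels that backported the interface); the sample cpuinfo and sysfs contents it embeds are constructed for illustration, with the flag lists abbreviated.

```shell
#!/bin/sh
# Added example (not from the Oktawave article): verify, from inside the guest,
# that the hardware-version upgrade exposed PCID and that the patched kernel
# reports its Spectre/Meltdown mitigations. Both checks accept a path so they
# can be run against saved copies; without arguments they read the live system.

# has_cpu_flag FLAG [CPUINFO_FILE]
# Succeeds only if every "flags" line (one per logical CPU) lists FLAG as a
# whole word, so a guest where only some vCPUs expose it is reported as missing.
has_cpu_flag() {
    flag=$1
    file=${2:-/proc/cpuinfo}
    total=$(grep -c '^flags' "$file" || true)
    with=$(grep '^flags' "$file" | grep -c -w -- "$flag" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$with" ]
}

# unmitigated_count [VULN_DIR]
# Prints how many entries under the kernel's vulnerabilities sysfs directory
# still read "Vulnerable". Returns 2 when the directory is absent, i.e. the
# running kernel predates the reporting interface and is itself unpatched.
unmitigated_count() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$dir" ] || return 2
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $(cat "$f") in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed samples: a two-vCPU guest before and after the hardware version
# upgrade (flag lists abbreviated), and a sysfs directory of a partially
# mitigated kernel. Not captured from a real Oktawave instance.
SAMPLE_BEFORE=$(mktemp); SAMPLE_AFTER=$(mktemp); SAMPLE_SYSFS=$(mktemp -d)
trap 'rm -rf "$SAMPLE_BEFORE" "$SAMPLE_AFTER" "$SAMPLE_SYSFS"' EXIT
cat >"$SAMPLE_BEFORE" <<'EOF'
processor : 0
flags     : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush sse sse2 syscall nx lm hypervisor
processor : 1
flags     : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush sse sse2 syscall nx lm hypervisor
EOF
# After the upgrade pcid is on both vCPUs; "invpcid" on CPU 0 must not be
# mistaken for "pcid", which is why the check matches whole words only.
cat >"$SAMPLE_AFTER" <<'EOF'
processor : 0
flags     : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush sse sse2 syscall nx lm pcid invpcid hypervisor smep
processor : 1
flags     : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush sse sse2 syscall nx lm pcid hypervisor smep
EOF
printf 'Mitigation: PTI\n' >"$SAMPLE_SYSFS/meltdown"
printf 'Mitigation: __user pointer sanitization\n' >"$SAMPLE_SYSFS/spectre_v1"
printf 'Vulnerable\n' >"$SAMPLE_SYSFS/spectre_v2"

# Stand-alone run: report on the live system.
main() {
    if has_cpu_flag pcid; then
        echo "pcid: present on all CPUs (hardware version upgrade took effect)"
    else
        echo "pcid: missing on at least one CPU (upgrade not applied, or flag not exposed)"
    fi
    if n=$(unmitigated_count); then
        echo "kernel reports $n entry(ies) still Vulnerable under /sys/devices/system/cpu/vulnerabilities"
    else
        echo "kernel has no vulnerabilities sysfs interface; apply the OS update described above"
    fi
}
main
```

Run it directly on the instance after step 4 of the procedure; pcid missing on any vCPU means the hardware version upgrade did not take effect, and a kernel without the sysfs directory has not yet received the vendor's Meltdown/Spectre patches regardless of what the guest CPU exposes.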

Additional information, broken down into specific distributions:
