How to secure your operating system against the Bounds Check Bypass and Branch Target Injection vulnerabilities
Posted by Paweł Gazda on 01.02.2018 18:59
Undoubtedly, the beginning of this year is a busy period for IT system administrators, all because of the security gaps discovered in Intel and AMD processors. Luckily, patches are now available and we are keeping an eye on the subject. However, the process is a bit more complex and we cannot do everything alone: the update procedure also requires action on the part of Oktawave clients.
What have we already done?
On the Oktawave side, we immediately proceeded to implement the VMSA-2018-0002 update (https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html). The implementation was successful. Despite the media speculation about a possible reduction in CPU performance of up to 30%, the tests we carried out in all five subregions after implementing the update show no deterioration in the performance of OCI instances.
Consequently, we have decided to hold off on the microcode and further hypervisor updates for now, and to proceed with updating the so-called "hardware version" of virtual machines.
What do Oktawave customers have to do?
In the future, after Intel solves the problems, the microcode of the processors will be updated in addition to the hypervisors. This forces us to raise the so-called "hardware version" of virtual machines to version 10 (the current version is number 8). There is a small risk that after this update some applications that our clients installed on their OCI will not start correctly. A list of differences between "hardware version" 8 and 10 can be found at this address: https://kb.vmware.com/s/article/2051652.
The most important effect of the update is that the virtual machine gains support for the PCID (Process Context Identifiers) CPU flag. PCID does not close the vulnerabilities by itself; it lets the guest kernel's page-table isolation avoid full TLB flushes, which keeps the cost of the operating system patches down. Due to the complexity of the problem, this step must be carried out by the clients themselves. You do not need to wait for the microcode update; carry out the procedure according to the following scheme.
1. Turn off the OCI instance.
2. Create a snapshot of it (needed to return to the previous state of the OCI in case of a failure).
3. Perform the hardware version update (described in more detail below).
4. Turn the machine on.
5a. If the machine works properly:
turn the machine off,
remove the snapshot,
turn the machine on.
5b. If the machine does not work properly, restore it from the snapshot and contact firstname.lastname@example.org.
6. We recommend removing all snapshots from before the upgrade, since restoring one of them would undo the upgrade.
Hardware version upgrade
The hardware version upgrade procedure is available for machines that have not yet been upgraded. An attempt to update the hardware version where it is not necessary will return a validation error.
To start the hardware update, select Oktawave Cloud Instance from the list of services, go to the specific instance and click the Update hardware version link on its tab.
The effect of the update can be verified from inside the virtual machine by checking the CPU flags it sees: the pcid flag should now be present. Run cat /proc/cpuinfo and look for pcid in the flags line.
After completing the operation described above, we recommend updating the operating system software in accordance with your own security policy. Patches for Bounds Check Bypass (CVE-2017-5753) and Branch Target Injection (CVE-2017-5715) are now available for most operating systems, as they have been given high priority.
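The following script is an added example, not Oktawave's code, for checking the two things described above from inside a Linux guest: that the pcid flag (and invpcid, which the Linux page-table isolation code also uses when present) is visible in /proc/cpuinfo after the hardware version upgrade, and what the updated guest kernel itself reports about the mitigations. The cpuinfo texts in SAMPLE_BEFORE and SAMPLE_AFTER are constructed for offline testing; on a real machine pass the output of cat /proc/cpuinfo instead. The sysfs vulnerabilities directory only exists on kernels that carry that interface (4.15 and vendor backports), so the script reports its absence rather than failing.

```shell
#!/bin/sh
# Added example (not Oktawave's code): verify from inside a Linux guest that the
# pcid/invpcid CPU flags are exposed after the hardware version upgrade, and
# report what the guest kernel itself says about Spectre/Meltdown mitigation.
# The SAMPLE_* cpuinfo texts at the bottom are constructed for offline testing.

# has_flag FLAGS NAME: succeed if NAME appears as a whole word in FLAGS.
# A plain "grep pcid /proc/cpuinfo" would also match "invpcid", so match whole words.
has_flag() {
    for f in $1; do
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# cpu_flags_from CPUINFO_TEXT: print the flags of the first CPU only
# (/proc/cpuinfo repeats the whole block once per virtual CPU).
cpu_flags_from() {
    printf '%s\n' "$1" | awk -F': *' '/^flags/ { print $2; exit }'
}

# check_pcid CPUINFO_TEXT: print a verdict; exit status 0 when pcid is exposed.
check_pcid() {
    flags=$(cpu_flags_from "$1")
    if has_flag "$flags" pcid; then
        if has_flag "$flags" invpcid; then
            echo "OK: pcid and invpcid exposed (guest kernel can use PCID for page-table isolation)"
        else
            echo "OK: pcid exposed, invpcid not exposed"
        fi
        return 0
    fi
    echo "MISSING: pcid not exposed; hardware version upgrade not applied or not effective"
    return 1
}

# report_mitigations: the kernel's own view, one line per issue, each reading
# "Vulnerable", "Not affected" or "Mitigation: ...". Requires the sysfs
# vulnerabilities interface (kernel 4.15+ and vendor backports).
report_mitigations() {
    dir=/sys/devices/system/cpu/vulnerabilities
    if [ ! -d "$dir" ]; then
        echo "$dir not present: this kernel does not report mitigation status"
        return 1
    fi
    for name in spectre_v1 spectre_v2 meltdown; do
        [ -r "$dir/$name" ] && printf '%s: %s\n' "$name" "$(cat "$dir/$name")"
    done
    return 0
}

# Constructed cpuinfo excerpts: what a VM typically shows before the upgrade
# (hardware version 8, no pcid) and after it (hardware version 10, pcid present).
SAMPLE_BEFORE='processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm constant_tsc pni ssse3 cx16 sse4_1 sse4_2 popcnt aes hypervisor lahf_lm'
SAMPLE_AFTER='processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm constant_tsc pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt aes xsave avx hypervisor lahf_lm invpcid'

# On a real guest, after the hardware version upgrade and the OS update:
#   check_pcid "$(cat /proc/cpuinfo)" && report_mitigations
```

Run it as root or any user; both /proc/cpuinfo and the sysfs files are world-readable. A "MISSING" verdict after the upgrade means the instance was not actually switched to the new hardware version (or was restored from a pre-upgrade snapshot), and "Vulnerable" from report_mitigations means the guest kernel has not yet been patched regardless of what the hypervisor exposes.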