What IT pros need to know about the Meltdown exploit - Technical.ly Philly

Dev

Jan. 8, 2018 12:16 pm

What IT pros need to know about the Meltdown exploit

It's time to revisit your cloud architecture, writes Anexinet's Ned Bellavance.

A European data center in 2010.

(Photo by Flickr user Leonardo Rizzi, used under a Creative Commons license)

This is a guest post by Anexinet Director of Cloud Solutions Ned Bellavance.

The recently announced exploits Meltdown and Spectre have far-reaching consequences that are difficult to even estimate at this point. While the blast radius of Meltdown is confined to Intel processors, the Spectre exploit impacts almost every major manufacturer of CPUs. Fortunately Spectre is a much harder exploit to pull off, so I’d like to focus on Meltdown for the moment. I certainly won’t try and rehash all the details of Meltdown, but here is a brief summary along with my recommendations for action.

Meltdown is an exploit that takes advantage of how modern Intel CPUs execute instructions out-of-order in an attempt to be more efficient and performant. Exploiting this vulnerability gives the attacker access to most, if not all of the privileged data stored in memory. This exploit operates at the hardware level, and therefore applies to all operating systems, including Windows, Linux and macOS. It also enables a guest virtual machine to break into hypervisor memory and containers to break into host memory. As such, this exploit affects not only desktop and server operating systems, but also resources hosted in the cloud.

In light of the exploits, the major OS vendors have created a safeguard that mitigates the vulnerability. The safeguard has been applied successfully to most of the major cloud vendors, including AWS, Azure and GCP. The patching did require a reboot of the hypervisor, and so some organizations may have seen unexpected downtime during this period of maintenance.

For those affected by the required maintenance, I recommend looking at your current cloud deployment and verifying that it is configured in a highly available manner, in line with the best practices of the public cloud vendor. For instance, Azure VMs should be placed in availability sets and EC2 instances should be located in two or more availability zones.

Advertisement

In addition to revisiting your cloud architecture, you should also take care to patch your existing virtual machines with the updates available from your vendor. Both Linux and Windows patches are available. Tread lightly, though, as the patches for Windows have been running into some problems with anti-virus software. If you deploy cloud VMs from an image, make sure that the image has also been patched or updated by the vendor.

For your on-premises machines, it is time to roll out this patch to your servers and desktops. Again, follow best practices and test the patch on non-production machines first. Any templates you use in your virtualization environment or for imaging should also be patched as well. It is worth noting that many vendors use Linux as the basis for their appliance deployments.  Although nothing has been reported yet, it is possible that some firewalls, load balancers and other network equipment is also vulnerable to the Meltdown exploit. I recommend checking with your appliance vendors as well.

Finally, the fix put in place to mitigate Meltdown — known as KAISER — has potentially serious implications for the performance of your applications. The fix effectively forces the CPU to switch between user and kernel mode far more often than before, and performance hits of up to 30 percent have been shown in the wild. Once you have patched your systems, I recommend keeping a close eye on performance metrics, especially on database servers, to see if you need to increase hardware resources to compensate.

Organizations: Anexinet
-30-
LEAVE A COMMENT

Advertisement

Next month, your site could be marked as ‘Not secure’ by Google. One South Jersey firm has a fix

Cheesesteaks and Rocky gotta go: How to update Philly’s image

Meet the Army vet leading Dreamit’s new SecureTech vertical

SPONSORED

Philly

UX, UArts and the importance of human-centered design

Chesterbrook, PA

Deacom

Deacom | Creative Marketing Writer

Apply Now
Chesterbrook, PA

Deacom

EDI Specialist

Apply Now
Philadelphia

Inspire

Associate Product Manager

Apply Now

We need a Philadelphia story for the tech age

‘Slow’ hiring, acupuncture and other keys to company culture at CardConnect

Oh, the things you’ll do at Philly Tech Week

SPONSORED

Philly

Pitch to win up to $360,000 in funding at WeWork’s Creator Awards

Philadelphia

Perpay

Product Designer

Apply Now
30 S 15th St #1400, Philadelphia, PA 19102

Inspire

Fall 2018 – Cleantech Connect Project Mentee

Apply Now
Philadelphia

Practice

Director of Sales

Apply Now

Sign-up for daily news updates from Technical.ly

Do NOT follow this link or you will be banned from the site!