Public cloud vendors work to protect users from industry-wide Meltdown and Spectre chip vulnerabilities
As the technology industry races to protect itself against major chip vulnerabilities disclosed yesterday, the cloud sector is no different.
All three major public cloud vendors have issued guidance for customers on how to protect against the bugs, which have been dubbed ‘Meltdown’ and ‘Spectre’.
Chips made by Intel, AMD and ARM manufacturers are all affected, meaning all manner of devices are implicated.
Essentially, the vulnerabilities affect the kernel of the chips and could allow an attacker to read information that should otherwise be inaccessible. This means an attacker could obtain passwords, encyption keys or steal information from other applications.
Google’s Project Zero security team became aware of the flaws late last year and said it had been working to protect its services, including G Suite applications and Google Compute Platform (GCP).
“GCP has already been updated to prevent all known vulnerabilities,” it told customers. “Google Cloud is architected in a manner that enables us to update the environment while providing operational continuity for our customers. We used our VM Live Migration technology to perform the updates with no user impact, no forced maintenance windows and no required restarts.”
It did add that those using their own operating system with CGP might need additional updates and that some action was needed for Google Compute Engine and Google Kubernetes Engine customers.
Amazon Web Services (AWS) said its updates should be completed soon and urged customers to patch their instance operating systems and consult with any third party software vendor.
“AWS is aware of the issue described in CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754,” a spokesperson told Silicon. “This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices.
“All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours. We will keep customers apprised of additional information.”
Microsoft said it had been aware of the vulnerabilities and had been working on fixes for some time. It added that it had not received any information that suggested the exploit was being used in the wild to attack Azure customers.
The company said the “majority” of Azure infrastructure had already been updated and that all planned maintenance had been brought forward following the public disclosure. Some customers had already been requested to ‘reboot’ their instances and the remainder would be rebooted in the immediate future.
Updates for Windows, Linux and Mac have all been patched following the discovery, although Intel hasn’t denied that this might impact performance. It did however say that most users wouldn’t notice the change.
What is clear though is just how far reaching the impact of these vulnerabilities has been. Indeed, it would hardly be hyperbole to suggest it is unprecedented.