How to Protect Your Server Against the Meltdown and Spectre Vulnerabilities
Recently, multiple vulnerabilities in the design of modern CPUs were disclosed. By taking advantage of certain processor performance optimizations, these vulnerabilities—named Meltdown and Spectre—make it possible for attackers to coerce applications into revealing the contents of system and application memory. The attacks work because the processor's normal privilege checking is subverted through the interaction of features like speculative execution, branch prediction, out-of-order execution, and caching.
Meltdown and Spectre affect most modern processors. The processor optimizations exploited by these vulnerabilities are a core design feature of most CPUs, meaning that most systems are vulnerable until specifically patched. This includes desktop computers, servers, and compute instances running in cloud environments. Patches to protect against Meltdown are being released by operating system vendors. While updates are also being released for Spectre, it represents an entire class of vulnerabilities, so it will likely require more extensive, ongoing remediation.
In cloud and virtualized environments, providers will need to update the underlying infrastructure to protect their guests. Users will need to update their servers to mitigate the impact within guest operating systems.
Full protection against this class of vulnerability will likely require changes in CPU design. In the interim, software updates can provide mitigation against exploits by disabling or working around some of the optimized behavior that leads to these vulnerabilities. Unfortunately, because these patches affect the optimization routines within the processor, mitigation patches may decrease the performance of your server. The extent of the slowdown is highly dependent on the type of work being performed, with I/O intensive processes experiencing the largest impact.
Current Mitigation Patch Status
Distributions that have released kernel updates with partial mitigation (patched for Meltdown AND variant 1 of Spectre) include:
- CentOS 7: kernel 3.10.0-693.11.6
- CentOS 6: kernel 2.6.32-696.18.7
Distributions that have released kernel updates with partial mitigation (patched for Meltdown) include:
- Fedora 27: kernel 4.14.11-300
- Fedora 26: kernel 4.14.11-200
- Ubuntu 17.10: kernel 4.13.0-25-generic
- Ubuntu 16.04: kernel 4.4.0-109-generic
- Ubuntu 14.04: kernel 3.13.0-139-generic
- Debian 9: kernel 4.9.0-5-amd64
- Debian 8: kernel 3.16.0-5-amd64
- Debian 7: kernel 3.2.0-5-amd64
- Fedora 27 Atomic: kernel 4.14.11-300.fc27.x86_64
- CoreOS: kernel 4.14.11-coreos
If your kernel is at least the version listed above for your distribution, some of the mitigations have been applied.
Operating systems that have not yet released kernels with mitigation include:
- FreeBSD 11.x
- FreeBSD 10.x
Ubuntu 17.04, which reaches end of life on January 13, 2018, will not receive patches. Users are strongly encouraged to update or migrate.
Because of the severity of this vulnerability, we recommend applying updates as they become available instead of waiting for a full patch set. This may require you to upgrade the kernel and reboot more than once in the coming days and weeks.
How Can You Apply the Updates?
To update your servers, you need to update your system software once patches are available for your distribution. You can update by running your regular package manager to download the latest kernel version and then rebooting your server to switch over to the patched code.
For Ubuntu and Debian servers, you can update your system software by refreshing your local package index and then upgrading your system software:
- sudo apt-get update
- sudo apt-get dist-upgrade
For CentOS servers, you can download and install updated software by typing:
- sudo yum update
For Fedora servers, use the dnf tool instead:
- sudo dnf update
Regardless of the operating system, once the updates are applied, reboot your server to switch to the new kernel:
- sudo reboot
Once the server is back online, log in and compare the active kernel version with the list above to confirm that your kernel has been upgraded. Check for new updates frequently to ensure that you receive further patches as they become available.
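The post-reboot check above can be scripted. The following POSIX shell functions are an added example and not part of the original article: they encode the minimum patched kernel versions from the list above (keyed on the ID and VERSION_ID fields of /etc/os-release, with distribution flavour suffixes such as -generic dropped) and compare a running kernel version string against them numerically, which is safer than a plain string comparison.

```sh
# Added example, not from the original article: is the running kernel at least
# the patched version listed above? Keyed on ID/VERSION_ID from /etc/os-release.
min_patched_kernel() {
    # Flavour suffixes (-generic, -amd64, .fc27.x86_64) are dropped; only the
    # numeric components are compared by kernel_at_least.
    case "$1:$2" in
        centos:7)     echo "3.10.0-693.11.6" ;;
        centos:6)     echo "2.6.32-696.18.7" ;;
        fedora:27)    echo "4.14.11-300" ;;
        fedora:26)    echo "4.14.11-200" ;;
        ubuntu:17.10) echo "4.13.0-25" ;;
        ubuntu:16.04) echo "4.4.0-109" ;;
        ubuntu:14.04) echo "3.13.0-139" ;;
        debian:9)     echo "4.9.0-5" ;;
        debian:8)     echo "3.16.0-5" ;;
        debian:7)     echo "3.2.0-5" ;;
    esac
}

# Return 0 when kernel version $1 >= $2. Split on "." and "-", compare purely
# numeric parts in order, ignore the rest, treat missing trailing parts as 0.
kernel_at_least() {
    awk -v have="$1" -v want="$2" '
    function nums(s, out,   parts, k, i, c) {
        k = split(s, parts, /[.-]/); c = 0
        for (i = 1; i <= k; i++)
            if (parts[i] ~ /^[0-9]+$/) out[++c] = parts[i] + 0
        return c
    }
    BEGIN {
        split("", h); split("", w)
        hn = nums(have, h); wn = nums(want, w)
        n = (hn > wn) ? hn : wn
        for (i = 1; i <= n; i++) {
            a = (i in h) ? h[i] : 0; b = (i in w) ? w[i] : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# Classify kernel $1 for distribution ID $2 / VERSION_ID $3: prints "patched",
# "outdated", or "unknown" when the distribution is not in the list above.
kernel_status() {
    want=$(min_patched_kernel "$2" "$3")
    [ -n "$want" ] || { echo unknown; return 2; }
    if kernel_at_least "$1" "$want"; then echo patched; else echo outdated; fi
}
```

On a live host, run `. /etc/os-release; kernel_status "$(uname -r)" "$ID" "$VERSION_ID"` after the reboot; "outdated" means the package manager has not yet delivered the listed kernel or the server is still running the old one.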
Spectre and Meltdown represent serious security vulnerabilities; the full potential of their possible impact is still developing. To protect yourself, be vigilant in updating your operating system software as patches are released by vendors and continue to monitor communications related to the Meltdown and Spectre vulnerabilities.