(live-update) OVH – Spectre Variant 4 and 3a disclosure

Temps de lecture estimé : 3 minute(s)

Along with the rest of the IT industry, OVH was made aware of some specific security vulnerabilities (« Spectre variant 4 » and « Spectre Variant 3a« ) concerning certain processor architectures, affecting Intel products but maybe other CPU vendors. Two of these vulnerabilities make it possible to carry out side-channel attacks, based on the same kind of mechanism as a previous vulnerability disclosed in January 2018 named “Spectre” (CVE-2017-5753 and CVE-2017-5715).

Update 1, May 22th , 9:20 PM UTC

As expected, and as suggested by Intel, our first investigations seem to confirm that a CPU microcode update can mitigate both Spectre Variant 4 and 3a.

Like various others IT industry members, we have received BETA versions of some of these microcodes and are currently testing them. The estimated date of distribution by Intel of the final version of these microcodes is under NDA and is subject to change.

Rest assured that OVH is working closely with Intel on this topic and will continue to test every BETA and final microcode.

When the final version of these microcodes is available, motherboard manufacturers will be able to work on BIOS updates. We will provide and begin to deploy these microcodes and BIOS updates as soon as those manufacturers release them.

In the meantime, we are continuing our research to obtain an overview of the software updates that could potentially be needed, especially for non-linux OS and for hypervisors.

Here is the Intel official information webpage about these vulnerabilities : https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

 

Initial Publication :

Stemming from Spectre

These vulnerabilities are variants of « Spectre » and are called “Spectre Variant 3a” (CVE-2018-3640), and “Spectre Variant 4” (CVE-2018-3639), both also know as “SpectreNG” or “Spectre New Generation”. The specific “Spectre Variant 4” is also referred as “Speculative Store Bypass”.

Though they are closely related to « Spectre », they have enough difference to be considered specific flaws which will require additional action(s) for certain CPU architectures.

Spectre Variant 3a concern systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers, which may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis.

Spectre Variant 4 concern systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known, which may allow unauthorized disclosure of information to an attacker with local user access through a side-channel analysis.

We also know that Spectre Variant 4 may be carried out in a language-based runtime environment. The most common use of runtime is JavaScript, which is used in web browsers but at this time we are not aware of any successful web browser exploitation.

OVH closely monitor the situation

Once made aware of these vulnerabilities, OVH immediately mobilized its teams to clearly understand the implication of these flaws, evaluate risks, and develop an action plan to secure its infrastructures as well as determine the best course of action for its customers.

We will communicate in the coming hours a list of all concerned OVH product and services with the relative actions launched and planned by OVH, and actions needed on customers side to protect their infrastructures.

Mitigation of these flaws will need an addition of CPU microcode and software/operating system updates. As usual, we will continue to test every microcode or sensible update internally before deploying anything live, to ensure the security and the stability of our customers infrastructure.

From a SysAdmin point of view, we also strongly suggest to monitor operating system and hypervisor updates and keep theses systems up-to-date.

For individual customers, we put as a reminder that since January 2018, all major web browsers have been patched to mitigate Spectre Variant 1 in their managed runtimes. These patches make it more difficult to exploit side channel attacks via a web browser and we can assume that these patches, to some degree, could be applicable to Variant 4. With the current level of information available, OVH strongly urges its individual customers and public to verify and keep their web browser(s) up-to-date.

In a more global manner, we are actively and closely working with Intel, our partners and manufacturers on this topic and we are currently investigating potential risks represented by these flaws. We will keep you informed in real time of any information that we receive and will apply any potential security measures on the services concerned.

As always, we will also keep our customers and public informed about any corrective actions required on their side to reduce their machines’ and/or infrastructures’ exposure.