Meltdown and Spectre: AWS, Google and Microsoft rush to patch cloud chip flaws

As the cloud provider community mobilises to protect users from two long-standing processor-based security flaws, researchers suggest a rip and replace of their underlying CPU hardware may be required to eradicate the risk of exploitation.

According to an advisory notice issued by the Carnegie Mellon University Software Engineering Institute, the flaws – dubbed Meltdown and Spectre – need to be addressed by applying updates and replacing the affected CPU hardware.

“The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing the vulnerable CPU hardware,” the institute advised.

Both flaws could pave the way for hackers to steal data being processed on devices and servers featuring the affected hardware through the use of malicious programs, it is claimed.

Meltdown is thought to potentially affect every Intel processor made since 1995 that implements out-of-order execution, with the exception of Itanium and Atom. At the time of writing, it is not thought to affect competing processors from AMD and ARM.

The Spectre vulnerability, however, has been verified by researchers as affecting chips made by Intel, AMD and ARM.

“While programs are not typically permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs,” claimed the researchers, who uncovered the flaws, in a blog post.  

These “secrets” could include login details saved in password managers or browsers, personal photos, emails or instant messages, and business-critical documents, the researchers added.

“Meltdown and Spectre work on personal computers, mobile devices and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers,” they wrote.

The blog post went on to state that cloud providers which make use of Intel CPUs and Xen-based para-virtualisation techniques are at risk, unless they patch their systems.

“Furthermore, cloud providers without real hardware virtualisation, relying on containers that share one kernel, such as Docker, LXC or OpenVZ, are affected,” the researchers added.

In light of the cloud threat, Amazon Web Services (AWS), Google and Microsoft have all moved to assure users of their respective cloud platforms that action is being taken to mitigate the risks posed by Meltdown and Spectre.

As previously reported by Computer Weekly, details of the security flaws first came to light in late 2017, on the back of work carried out independently by several research teams and individuals, including Jann Horn from Google’s Project Zero initiative.

Since receiving word from Project Zero about the vulnerabilities, Google claims its engineers have been working closely to protect users of its G Suite of productivity services and the Google Cloud Platform (GCP) from both threats.

“G Suite customers and users do not need to take any action to be protected from the vulnerability,” the company said in a blog post. “GCP has already been updated to prevent all known vulnerabilities. Google Cloud is architected in a manner that enables us to update the environment while providing operational continuity for our customers.”

AWS, meanwhile, released a statement saying all “but a small single-digit percentage” of Amazon EC2 instances were protected, at present, from exploitation.

“The remaining ones will be completed in the next several hours,” it said. “We will keep customers appraised of additional information with updates to our security bulletin.”

Similarly, Microsoft confirmed in a statement that it was actively developing and testing a series of “mitigations” to the threats, and was in the process of deploying fixes for its cloud customers. 

“We have not received any information to indicate that these vulnerabilities have been used to attack our customers,” Microsoft added.