Intel Firmware and Processor ‘Kernel memory leaking’ vulnerabilities

POSTED ON 4 January, 2018

Overview

Intel has recently published a series of vulnerabilities that affects to the implementation and design of some of their processors and firmwares, which threat affects from devices to servers platforms.

In the following sections it’s described how these vulnerabilities affects to networking devices and server based infrastructure in a data center.

Intel Firmware Vulnerability

In order to address the risks of these vulnerabilities, Intel has published recommendations to help system and security administrators to address these threats by providing some resources:

Intel-SA-00086 Security Review
Intel-SA-00086 Support Article
Intel-SA-00086 Detection Tool

It is recommendable to read the observations above and apply the firmware updates that the different vendors have provided in order to maintain a safe infrastructure in case of future attacks that could take advantage of these weaknesses.

In regards to how these vulnerabilities affect to the networking infrastructure in a data center, we can summarize the following premises:

1. These vulnerabilities affect to the vast majority of Intel processors and it’s likely to be affected by any of them.
2. These vulnerabilities are based on a privilege escalation threat, and hence, they require local access to the operating system in order to be able to execute arbitrary code. Or at least, remote access as administrator are required to take advantage of these vulnerabilities.
3. It’ll be required to apply the firmware updates provided by the vendors and disable whether it’s possible the services: Intel Management Engine (Intel ME), Intel Trusted Execution Engine (Intel TXE), Intel Server Platform Services (SPS) and Intel ATM.
4. Harden local and remote access to the operating system by isolating the management network and avoid user or processes access privileges to the operating system.
5. It’s affected to virtual or hardware platforms, on-premises or cloud environments, or even micro-services. Every layer should take care the protection of this threat.

Kernel Memory Leaking vulnerability or Intel CPU bug

Intel CPUs have been impacted by a critical chip-level security bug that cannot be fixed by a microcode update, but at OS level and affects to all of them (Windows, Linux and macOS.

The Kernel Memory Leaking vulnerability face the issue where every user space program (databases, javascript, web browsers, etc.) could access illegally to certain contents in protected kernel memory, by overpassing the virtual memory boundaries specified in the operating system. The fix at OS level comes with the implementation of the Kernel Page Table Isolation (KPTI) to ensure the kernel memory invisible to the user processes.

But, as this is not a perfect world, the enhanced security applied by this patch introduces a big performance penalty for user programs of around a 30%. Also, the slowdown will depend massively on the workload and the I/O intensive usage between the kernel and user space programs. For the specific cases of networking functions within a data center, it’s not so critical as their tasks are clear and doesn’t treat with too much data processing although intensive layer 7 functions like SSL offload, content switching, etc.

This vulnerability can be abused mainly by programs or logged-in users to read the data content of the kernel’s memory. For that reason, resource shared environments like virtualization, micro-services or cloud systems are more likely to be affected and abused.

Until a definitive patch at OS level is provided, the points of prevention that we’ve set in the past section, will be enough for now.

AMD has confirmed that their processors are not being affected by the vulnerability and hence, by the penalty performance.

Meltdown and Spectre attacks

Meltdown and Spectre attacks are referred to side-channel vulnerabilities found in several CPU hardware implementations, that take advantage of the ability to extract information from CPU instructions executed using the CPU cache as a side-channel. Currently, there is a few variants of these attacks:

Variant 1 (CVE-2017-5753, Spectre): Bounds check bypass
Variant 2 (CVE-2017-5715, also Spectre): Branch target injection
Variant 3 (CVE-2017-5754, Meltdown): Rogue data cache load, memory access permission check performed after kernel memory read

Further technical explanation of these attacks in http://www.kb.cert.org/vuls/id/584653.

Impact of Meltdown and Spectre in Zevenet Load Balancers

The risk of these vulnerabilities in Zevenet Load Balancer is low as an attacker should have local access to the operating system and they should be able to execute malicious code with user privileges in order to take advantage of them. Zevenet Enteprise Edition is a networking specific appliance that doesn’t allow a local non-administrative user to execute third-party code, so this is unlikely to happen and it could be prevented with good administration practices.

In addition, Load Balancers management network are usually private and there is no by default any additional user than an administrative user, so the risk is low. By other hand, multi-tenant systems like public virtual environments, containers platforms and cloud environments can face the greatest risk.

In order to prevent the attack, please follow the security recommendations that we listed above.

Currently, there are some patches at Operating System level to completely mitigate these vulnerabilities but they produce some performance side effects. Our Security Team is working to provide a definitive patch to mitigate this security threat as soon as possible with the minimum impact in your application delivery services.

Further communications will be provided by the Official Support Channels.

Share on:

Documentation under the terms of the GNU Free Documentation License.

Was this article helpful?

Related Articles