Major Intel CPU vulnerability
-
Do we have to patch for this?
I can see cloud/providers patching of course, as its shared infrastructure. However, we run everything on our own completely owned hardware, in the office. The host/VMs running on our local servers are our hosts and VMs.
We run a risk that if somebody gains access to a VM or a host that they can do a range of unwanted things, however, with access they could do many things, not just this attack, and we would have far bigger problems...
So, is it worth patching for this on 'private' servers and potentially losing 30% of performance, or leave unpatched...
I will of course patch as i'd feel like an idiot for not patching should something happen; just curious as to whether leaving this patch off is valid in any way...
What do ya'll think? I'm currently live migrating a load of VMs off of one of our T630s to apply the patch and do some testing.
-
@dashrender said in Major Intel CPU vulnerability:
@jimmy9008 said in Major Intel CPU vulnerability:
Does anybody know if Dell have released firmware for T630 server for the hardware? I cant seem to find that info on Dells site...
-its ok, think I've found it, and its this... Update
Damn, on the bleeding edge on that one.
I looked for some HP things yesterday - nada.
I'm guessing by the end of January, we'll start seeing more firmware updates.
Now the question is, how far back are the vendors going to go?
I've applied the patch. Now Microsoft shows protection enabled for 'rogue data cache load', but shows as 'False' for 'branch target injection'.
I'm guessing that Dell will be sending out another update for their systems to address that. Anybody able to confirm?
I have opened a call with Dell Support to verify.
-
@jimmy9008 said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@jimmy9008 said in Major Intel CPU vulnerability:
Does anybody know if Dell have released firmware for T630 server for the hardware? I cant seem to find that info on Dells site...
-its ok, think I've found it, and its this... Update
Damn, on the bleeding edge on that one.
I looked for some HP things yesterday - nada.
I'm guessing by the end of January, we'll start seeing more firmware updates.
Now the question is, how far back are the vendors going to go?
I've applied the patch. Now Microsoft shows protection enabled for 'rogue data cache load', but shows as 'False' for 'branch target injection'.
I'm guessing that Dell will be sending out another update for their systems to address that. Anybody able to confirm?
I have opened a call with Dell Support to verify.
I restarted around 4 times, then ran 'Install-Module SpeculationControl' again and it worked.
-
@jimmy9008 You absolutely need to be patching, for the very reasons you've mentioned questioning whether patching is worth it for private industries.
-
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
-
-
In a cloud hosting scenario, VPS...
If the host is patched, and guest1 VM is patched, but guest2 VM is not patched... are there still meltdown or spectre vulnerabilities for guest1?
How exactly does this work?
-
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
-
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
-
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
While these are some pretty nasty vulnerabilities, I don't currently consider them that horrible. As I understand it (and I leave TONS of room to learn new things about these) you can only be affected if you run untrusted code on your system. Assuming that webpages can't take advantage, this amounts to the same level of issue as a typical virus.
Assuming hardware vendors don't produce updates for hardware more than say 3 years old - how many here are going to be replacing their machines/devices (don't forget your android phones are affected too - last I heard)?
-
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
-
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
While these are some pretty nasty vulnerabilities, I don't currently consider them that horrible. As I understand it (and I leave TONS of room to learn new things about these) you can only be affected if you run untrusted code on your system. Assuming that webpages can't take advantage, this amounts to the same level of issue as a typical virus.
Assuming hardware vendors don't produce updates for hardware more than say 3 years old - how many here are going to be replacing their machines/devices (don't forget your android phones are affected too - last I heard)?
In a desktop or laptop case, the risk is tiny compared to the big fear of shared computing environments.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
-
@dashrender said in Major Intel CPU vulnerability:
... (don't forget your android phones are affected too - last I heard)?
The risk is not based on OS, so can't be determined by something like "Android phone." Some Androids are affected, some are not.
-
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
Then an OS patch cannot fix it.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
Then an OS patch cannot fix it.
While I understand the problem itself is with the chip, aren't the OS patches being released supposed to alter how memory is handled, which doesn't fix, but rather mitigates the problem (and potentially lowers performance)?
-
I want to know how this effects hosts... does just the host need patched, or every VM?
-
@tim_g said in Major Intel CPU vulnerability:
I want to know how this effects hosts... does just the host need patched, or every VM?
Every VM.
-
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
Then an OS patch cannot fix it.
While I understand the problem itself is with the chip, aren't the OS patches being released supposed to alter how memory is handled, which doesn't fix, but rather mitigates the problem (and potentially lowers performance)?
That handles the one issue, not the other.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
Then an OS patch cannot fix it.
While I understand the problem itself is with the chip, aren't the OS patches being released supposed to alter how memory is handled, which doesn't fix, but rather mitigates the problem (and potentially lowers performance)?
That handles the one issue, not the other.
The "other" being the chip design flaw itself?