Vulnerability Note VU#584653 - CPU Hardware Attacks Solution

No one builds servers for an enterprise in this day and age. Cloud is all. Cloud lets me have vacations. Hardware problems are someone else's problems. Network issues are The Cloud's problems. I'll enjoy my margaritas at the beach and not give 2 shits if a system 'dies' when autoscaling creates another one, and if a system needs more resources, 3 clicks and I'm done.

Unless you have a team of hundreds, data centers are a ridiculous waste of resources for companies. Commodity VMs in the Cloud.****

****Not for everyone, but for lots of companies. Fuck rebooting servers at 3AM on Saturday 100 miles away. Never again.

Depends on your business.

I work for a software development company, and moving to the Cloud would literally put us out of business due to the costs.
We have TBs of VMs used for testing and demos, with new ones being spun up every week.

Plus, since we are a Microsoft developer, they give us a large number of production licenses, something we would have to pay for in a cloud environment.

All my servers have remote management boards in them, allowing me to physically reboot them or change BIOS settings if needed.
I've also virtualized everything under Hyper-V. It's pretty simple to migrate the virtual machines to other servers, then upgrade or work on the old server.
I've only had to come into the office after hours once in the past couple of years.
 

I am anti-cloud as well; they want to move all our production systems to IBM's cloud.

Massive production outage costing hundreds of thousands in lost time? Well, you have a 24 hour SLA.
Internet went out... not our problem you can't access a critical record. Maybe store millions of paper copies (which is exactly what we are getting rid of and storing in offsite cheap locations) where you can't type in a few keywords and locate..

yada yada

And cost goes up, not to mention we have crazy VM backup and failover capability in 5 minute intervals.

MS Cloud is brutal as well... you run SharePoint OOTB and that's it... and risk their patching breaking anything and having to deal with it.

Not to mention cost is crazy high: 200 low end VMs is over 1Mil.
 
Pure dumb luck, but I'm in the process of changing my machines over to Threadrippers. Wanted more threads for some applications I write, but compilers are still lagging behind full use of the chips.
 
I'm a sceptical sysadmin on that 100% for BOTH Meltdown and Spectre. I've been paying active attention to rapid info channels, and they're saying Spectre is going to be very hard to address 100%. So, I call bunk!
 
So you have to install the updates, but I read in ZDNet that hardware vendors have to upgrade BIOS too. Crap, they rarely ever do that. Watch the number of BSODs jump sky high...
 
So far, from what I have gleaned, the majority of software patches are implemented via MS's endpoint security, not an OS patch. I really hope I am dead wrong on that.

Also, I did call my Dell account manager where I work and discussed what they offer for EPYC solutions. Guess what.. I'm not alone in exploring this, and yes, Dell does have solutions, just not on their website.
 
Yea, that article was VERY SPECIFIC in talking as little as possible about the fact that Intel is the most at-risk CPU manufacturer. They said it.... in one paragraph, then focused completely on Spectre. Sigh.
 
Also, I'm sure Krzanich is pretty damn confident Intel will fix it with a BIOS patch, right, since he just dumped $24 million of his stock lol?
He dumped every share he could. He holds only the minimum number of shares, 250,000, under his contract.
 
Yea, are you going to tell your enterprise that? "Hey look, I know we can't buy from HP easily... as getting a quote is hard. But really, I can build some 2U rack servers for our mission critical DB servers. Will I have parts on call if something breaks.. I mean sure, kinda, if you want to buy them. 4 hour response no matter what.. I mean maybe.. Install base of thousands of customers proving reliability.. well no, not really."

For my home system I will build my own all day... and for a small business, sure. But for an enterprise? It doesn't make sense.

Funny, I thought both Google and Facebook built their own...
 
You should be fine until the porn servers slow down to a crawl (since they were near maxed out)... but slow-motion porn is still good, right?

I usually watch it in slow motion anyway.
 
Yes, so I will allow people to access my servers and watch for passwords.
Yes, it's bad, but there is no need to overreact. All these theoretical exploits require access to the target machine.

That's not nearly as difficult as you would think it is. Given that there's a JavaScript proof of concept out there, your point is invalid.
 

Far from invalid. JavaScript still requires having direct access to your computer, via the web browser. It's not like they just tunnel into your system from out of nowhere and start hacking your data out. They need a process running on the machine that sends the data back. In this case, that's JavaScript. JavaScript exploits in general have existed for quite a while, though this one's scope is indeed bad. Furthermore, some articles suggest that in order to see anything beyond the web browser's dataspace (if even that), the browser would have to have been granted administrative access.

I wouldn't say it's overblown. This is a bad bug. But realistically if you don't visit any dangerous pages and/or maybe put your browser in a sandbox, this should be mitigated for most users. It's not like the web servers for your favorite games will suddenly start injecting malicious code into their games. It's bad, but we've been running this long with this bug in the wild. I highly doubt that the clever people at Google were seriously the only ones to ever have discovered this issue.
 
[image: C128.png]


Problem solved! Lol.
 
Now is a good time to consider the other side, Intel peeps.
Feh. I'm sticking with the hardware I have until I see a compelling reason to change or upgrade. And lots of reputable, knowledgeable folk are saying AMD is affected, too.

The odds of my computer being attacked (can't remember the last time it was even tried; I don't engage in high-risk behaviors) are low, and the probable damage inflicted by a successful attack is also low. Why should I pay lots of money to prevent a tiny chance of a tiny loss? Why would any ordinary user?

I'll patch eventually. Since I have ceased gaming at 4K, my computer is woefully overpowered for what I do with it.
 
I am trying to figure out how this is really going to cause havoc on everything out there. If people are web surfing on their core servers/systems, that's just bad security practice (should be blocked by default).

Yes, the flaw exists, it's serious, but I fail to see how it can't be easily prevented.

Haven't looked at it from a cloud perspective or the performance hit some servers might get.
 

Yes, the effect is more on enterprise and datacenters, and the concern is not the everyday casual users; the concern is Intel's, as their money is made on big enterprise/HPC systems.

Also, your PC is vulnerable to breach every time you log into an online mailing platform, or use a game UI like Steam or Origin, and even while your computer connects to the MS database for updates, you are open to attack. To think that you are not, and while they are not there for malicious purposes, you can rest assured that you have probably been intruded upon without knowledge and, fortunately for you, without harm.
 

For most of the above, I am fine. My 7700K is used for media consumption/gaming; 90% of my gaming systems have 2FA that relies on my phone. Password alone won't bother me. Having to fight fraudulent charges isn't anything new to me, so get the cc the info.

I use my Surface for banking, Bittrex, Outlook-configured mail to reach back to services; this machine is VLAN'd by itself.

Now my Proxmox box, which holds my data, firewalls, VMs etc... Those VMs are what I do the majority of my web surfing on. Those VMs also only have 1 writable folder on the NAS; I just ssh in and move files around through MC.

I am still looking for info on how an infected VM may cause issues.

Now I am not immune, I know this; I already do what I can to minimize access and already accept a level of loss if it happens.

I have been in the military for the last 18 years; all of my personal information has been lost or stolen multiple times.
 

I have asked the same. We really need to see the effect on VMware and cloud systems etc.; this is the entire undertow of the furore. I don't think companies like Google, MS etc. are going to be happy to know how easily their database is breached because the user's CPU acts like a jealous sister-in-law at a bachelorette party, spilling out all the dirty secrets.
 
I am pretty sure HPC guys aren't concerned.
 
Am I the only one that thinks that this might have been a deliberately placed bug? Or am I being conspiratorial here?

Yes, you are the only one.

Use Occam's razor on this. Which is more likely:

All the major chip makers got together and, during a week-long hooker and coke binge, decided to place an exploitable flaw in their CPUs.

or,

Due to the way x86 architecture works, and to maintain compatibility, everyone ended up with an exploitable flaw.
 
Spectre would imply a flawed/incomplete concept, but Meltdown, however...
 

True, will have to see how this falls out. If someone finds attack software that predates the public knowledge of these exploits, all bets are off.
 
It's not really an x86 thing; it's a high-single-thread-performance micro-architecture thing. That's why some high-end ARM processors are vulnerable too, even though they don't execute x86.

It's possible that other architectures have the flaw, but x86 and ARM cover so much of the market, who cares about those others (e.g., MIPS, POWER) enough to check?
 
It indicates that AMD is "Affected", yet several posts say it is not. Does this relate to old AMD CPUs versus newer? Clarification is needed.

Drilling down through the links isn't clear, at least in first quick read.

I should add, thanks Kyle for your following and posts on the general subject!!
AMD Pro and FX series chips are affected... Ryzen based is fine.
 

IBM Power and Z-series are affected as well. Not only did people care to check, but fixes for IBM architectures are already being introduced in operating systems.
 
So is this like Zika bad, where everyone freaks out disproportionately to the actual impact? Or is this more like polio, where everyone freaks out and it is legitimately terrible? Just curious about the legitimacy of my knee-jerk reaction to build a Ryzen system...
It's Zika bad, disproportionate to actual impact.
It doesn't really affect AMD.
And if your rig is Intel and you game, your games will function like a pinheaded kid. If it's AMD, your kid will look like a super genius.
 

Ryzen is vulnerable. From the Spectre paper:

Experiments were performed on multiple x86 processor architectures, including Intel Ivy Bridge (i7-3630QM), Intel Haswell (i7-4650U), Intel Skylake (unspecified Xeon on Google Cloud), and AMD Ryzen. The Spectre vulnerability was observed on all of these CPUs.
SUSE is already adding a patch for Zen-based CPUs:

An update that fixes one vulnerability is now available.

Description:

This update for kernel-firmware fixes the following issues:

- Add microcode_amd_fam17h.bin (bsc#1068032 CVE-2017-5715)

This new firmware disables branch prediction on AMD family 17h processors
to mitigate an attack on the branch predictor that could lead to
information disclosure from e.g. kernel memory (bsc#1068032 CVE-2017-5715).
https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00004.html

CVE-2017-5715 is one of the known Spectre attacks. AMD family 17h = Zen-based CPUs.
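The microcode update quoted above only helps if the running kernel actually picks it up, and the thread's sysadmins asking "is my box patched?" can answer that from the kernel itself: since Linux 4.15 the kernel reports one file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, and later additions), each reading "Not affected", "Mitigation: ..." or "Vulnerable...". The script below is an added example, not code from the thread, SUSE, or any vendor; it assumes that sysfs layout, and the sample tree it builds for offline runs is constructed with values modelled on real kernel output.

```shell
#!/bin/sh
# Added example: summarise the kernel's own view of CPU side-channel mitigations.
# Assumes the Linux 4.15+ sysfs layout /sys/devices/system/cpu/vulnerabilities/<issue>.
# The directory is a parameter so the same function can be pointed at a constructed
# sample tree when real sysfs is not available (e.g. on macOS or in a container).

report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    unmitigated=0
    if [ ! -d "$dir" ]; then
        echo "no vulnerabilities directory at $dir (kernel older than 4.15?)"
        return 2
    fi
    for f in "$dir"/*; do
        name=$(basename "$f")
        status=$(cat "$f")
        # Anything starting with "Vulnerable" (including "Vulnerable: ..." partial
        # mitigations) is flagged; "Not affected" and "Mitigation: ..." pass.
        case "$status" in
            Vulnerable*) flag="FAIL"; unmitigated=$((unmitigated + 1)) ;;
            *)           flag="ok" ;;
        esac
        printf '%-4s %-22s %s\n' "$flag" "$name" "$status"
    done
    # Exit status = number of unmitigated issues, so it composes with cron/monitoring.
    return "$unmitigated"
}

# Constructed sample tree (not real system output): a host with PTI and the
# spectre_v1 sanitisation in place, but no spectre_v2 mitigation loaded yet.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# With no argument, run against the constructed sample; pass a directory
# (normally /sys/devices/system/cpu/vulnerabilities) to check a real host.
if [ "$#" -eq 0 ]; then
    sample=$(make_sample_tree)
    report_mitigations "$sample"
    echo "unmitigated entries: $?"
    rm -rf "$sample"
else
    report_mitigations "$1"
fi
```

On a real host run it as `sh check_mitigations.sh /sys/devices/system/cpu/vulnerabilities`; after the SUSE kernel-firmware update lands and the kernel loads the new microcode, the spectre_v2 line should change from "Vulnerable" to a "Mitigation: ..." entry, and the script's exit status drops to zero.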
 

Speculative execution has been around since the S/360 in 1968. It's certain at least a couple of eggheads predicted this kind of attack since then and got told to shut up. Remember how PK encryption played out? On the upside, considering how many direct vectors of attack there have been up until this point, it's somewhat comforting to know that tricky side-channel attacks are now required to achieve worthwhile access.
 

Economies of scale. Google/Facebook have the growth rate and purchasing power to... you know what... never mind. You are right. Good luck in your enterprise level one off server building in the future.
 

Hey, you said enterprises don't do that. I was just pointing out it is in fact done. Also, Twitter does it. I know what economies of scale are. You made an overly broad statement and I called you on it.

There are plenty of companies that could do this if they wanted. It's just not something they're interested in because they don't need the 0.1% extra performance. Unless they are in the HPC biz, and then they are probably heavily involved in the design....
 