Another Intel vulnerability!

Wow, never considered that type of use case and the liability aspect, even banking I'd imagine that would apply and other markets too. Thanks for the goss :)
You might be just in time for 7nm APUs with Zen2 + Navi. That's something I'd be very excited for and may also jump then or next gen (if they include HBM on interposer), either way it's cheap, good iGPU fast laptops that won't break the bank.
Starting to sound like Intel isn't HIPAA compliant.

People need to start getting fired for buying Intel.

How did cts labs miss this one?
 
Sheesh... Once all these patches and fixes that degrade performance are implemented, my 3770K is going to be so bogged down that I'll probably miss my dual P-III 1000 system.

This probably just sealed the deal for going with a Ryzen next spring when I overhaul my gaming PC.
 
Sheesh... Once all these patches and fixes that degrade performance are implemented, my 3770K is going to be so bogged down that I'll probably miss my dual P-III 1000 system.

This probably just sealed the deal for going with a Ryzen next spring when I overhaul my gaming PC.

For you and me both. My next rig unless something DRASTICALLY changes will be an AMD build for CPU.
 
So yet another vulnerability that requires local access. Stop the presses!

Do you have a secure server room? Can anyone else physically access your servers? Are your USB ports shut down/disabled? Is your BIOS password protected?

If you don't have a secure server room for all of your Intel machines and non-approved people can physically access your servers, then you're hosed.

If you have systems outside of the server room with server-room level of access and active USB ports, then you're hosed.

If you have all of that and the ports are disabled but the BIOS isn't password protected... then you're hosed.

Security is a picket fence where we need to pick and choose where our battles take place and where accesses are prevented or allowed.

As Intel continues to have vulnerabilities exposed, the picket fences grow more gaps.

Yea, to a home user some of these are eye-roll worthy. But if you work for a company with proprietary data (data being more valuable than oil today) and you need to control access to said data or risk devaluing your company, then these vulnerabilities ARE a big deal.

And Admins/Engineers/Managers and above that roll their eyes at these vulnerabilities should be fired and replaced with people that actually care.
 
From what I hear, they've been an issue since the Pentium IV, so I wouldn't hold my breath :D
More like Pentium Pro. Really, Intel, drop every last bit of the P6 architecture from your CPUs and make something 100% new for once.
No one might remember, but back in the late 90s we were talking about the holes in the Pentium Pro; most of them unknowingly lived on to today lol.
 
Sheesh... Once all these patches and fixes that degrade performance are implemented, my 3770K is going to be so bogged down that I'll probably miss my dual P-III 1000 system.

I had thought it was just software bloat on my 3770K slowing things down, but since I was planning to upgrade (3900X) I didn't care to do it right away. New system is blazing fast in comparison, as would be expected, but when I rebuilt my old machine to sell off it was still running notably slower than I recalled it doing in the past with a fresh Win 10 install.
 
Do you have a secure server room? Can anyone else physically access your servers? Are your USB ports shut down/disabled? Is your BIOS password protected?

If you don't have a secure server room for all of your Intel machines and non-approved people can physically access your servers, then you're hosed.

If you have systems outside of the server room with server-room level of access and active USB ports, then you're hosed.

If you have all of that and the ports are disabled but the BIOS isn't password protected... then you're hosed.

Security is a picket fence where we need to pick and choose where our battles take place and where accesses are prevented or allowed.

As Intel continues to have vulnerabilities exposed, the picket fences grow more gaps.

Yea, to a home user some of these are eye-roll worthy. But if you work for a company with proprietary data (data being more valuable than oil today) and you need to control access to said data or risk devaluing your company, then these vulnerabilities ARE a big deal.

And Admins/Engineers/Managers and above that roll their eyes at these vulnerabilities should be fired and replaced with people that actually care.


That, and as Intel, motherboard manufacturers, and Microsoft partner up and roll out their remedies, the resulting performance degradation affects *everyone*.
 
That, and as Intel, motherboard manufacturers, and Microsoft partner up and roll out their remedies, the resulting performance degradation affects *everyone*.
Some patches exclude Ryzen CPUs (some older AMD CPUs are affected), though there were a couple of controversies about patches being rolled out to people with Ryzen/EPYC systems when they only hurt performance without providing anything for them.
 
On September 10, 2019, researchers from VU Amsterdam published a whitepaper titled “NetCAT, Practical Cache Attacks from the Network.” In scenarios where a malicious actor has a direct network connection to the target system, NetCAT may enable a Prime+Probe style exploit that targets processors supporting Intel® Data-Direct I/O Technology (Intel® DDIO) and Remote Direct Memory Access (RDMA) to disclose system information.

This issue has a low CVSS base score of 2.6. In scenarios where Intel DDIO and RDMA are enabled, strong security controls on a secured network are required, as a malicious actor would need to have read/write RDMA access on a target machine using Intel DDIO to use this exploit. In the complex scenarios where Intel DDIO and RDMA are typically used, such as massively parallel computing clusters, malicious actors typically don't have direct access from untrusted networks.

Employing previously published best practices for side channel resistance in software applications and cryptographic implementations, including using constant-time style code, can mitigate the exploits described in this research.

More information can be found in Intel Security Advisory INTEL-SA-00290.

Affected Products:
Intel® Xeon® E5, E7 and SP families that support DDIO and RDMA.

Doesn't look like the majority of our CPUs are even affected...
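The advisory's mitigation line, "constant-time style code", is easier to see with a concrete contrast. The C below is an added example written for this thread, not code from the NetCAT paper, from Intel, or from any poster; the function names (leaky_equal, ct_equal, leaky_touch_count, ct_touch_count, both_accept_identical) and the 16-byte sample token are this example's own assumptions. It counts how many bytes of a secret each comparison reads before answering: the early-exit version's count tracks the position of the first mismatch, which is exactly the data-dependent memory access pattern a cache side channel such as Prime+Probe observes, while the constant-time version always reads all n bytes and branches only on the final aggregate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example only; none of these come from the
 * NetCAT paper or the Intel advisory. */

/* Early-exit comparison. Returns 1 if secret and guess match, 0 otherwise,
 * and stores in *touched how many bytes of secret were read. That count
 * depends on where the first mismatch sits, so the memory access pattern
 * (and therefore the cache footprint) leaks information about the secret. */
int leaky_equal(const uint8_t *secret, const uint8_t *guess, size_t n,
                size_t *touched)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (secret[i] != guess[i]) {
            *touched = i + 1;
            return 0;
        }
    }
    *touched = n;
    return 1;
}

/* Constant-time comparison. Reads every byte regardless of content and ORs
 * the XOR differences into one accumulator; the only branch is on the final
 * aggregate, so *touched is always n and the access pattern is fixed. The
 * volatile accumulator is the usual idiom for keeping the compiler from
 * turning the loop back into an early-exit one. */
int ct_equal(const uint8_t *secret, const uint8_t *guess, size_t n,
             size_t *touched)
{
    volatile uint8_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    *touched = n;
    return diff == 0;
}

/* Constructed 16-byte sample token (plus terminator) used by the helpers below. */
#define TOKEN_LEN 16
static const uint8_t SAMPLE_SECRET[TOKEN_LEN + 1] = "0123456789abcdef";

/* Build a guess that differs from the sample only at byte mismatch_at,
 * run the given comparison, and return how many bytes it read. */
static size_t touch_count(int (*cmp)(const uint8_t *, const uint8_t *, size_t, size_t *),
                          size_t mismatch_at)
{
    uint8_t guess[TOKEN_LEN];
    size_t touched = 0;
    memcpy(guess, SAMPLE_SECRET, TOKEN_LEN);
    guess[mismatch_at % TOKEN_LEN] ^= 0xFF;
    cmp(SAMPLE_SECRET, guess, TOKEN_LEN, &touched);
    return touched;
}

size_t leaky_touch_count(size_t mismatch_at) { return touch_count(leaky_equal, mismatch_at); }
size_t ct_touch_count(size_t mismatch_at)    { return touch_count(ct_equal, mismatch_at); }

/* Both comparisons must still agree on the answer for identical inputs. */
int both_accept_identical(void)
{
    size_t t1, t2;
    return leaky_equal(SAMPLE_SECRET, SAMPLE_SECRET, TOKEN_LEN, &t1) == 1 &&
           ct_equal(SAMPLE_SECRET, SAMPLE_SECRET, TOKEN_LEN, &t2) == 1;
}

int main(void)
{
    printf("early-exit,    mismatch at byte  0: %zu bytes read\n", leaky_touch_count(0));
    printf("early-exit,    mismatch at byte 15: %zu bytes read\n", leaky_touch_count(15));
    printf("constant-time, mismatch at byte  0: %zu bytes read\n", ct_touch_count(0));
    printf("constant-time, mismatch at byte 15: %zu bytes read\n", ct_touch_count(15));
    return 0;
}
```

The byte counter stands in for what a cache attack actually measures (which lines of the secret were brought into cache); the point is that the early-exit count varies with the secret and the constant-time count does not. In real code, use the platform's vetted constant-time primitive rather than hand-rolling one.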
 
Do you have a secure server room? Can anyone else physically access your servers? Are your USB ports shut down/disabled? Is your BIOS password protected?

If you don't have a secure server room for all of your Intel machines and non-approved people can physically access your servers, then you're hosed.

If you have systems outside of the server room with server-room level of access and active USB ports, then you're hosed.

If you have all of that and the ports are disabled but the BIOS isn't password protected... then you're hosed.

Security is a picket fence where we need to pick and choose where our battles take place and where accesses are prevented or allowed.

As Intel continues to have vulnerabilities exposed, the picket fences grow more gaps.

Yea, to a home user some of these are eye-roll worthy. But if you work for a company with proprietary data (data being more valuable than oil today) and you need to control access to said data or risk devaluing your company, then these vulnerabilities ARE a big deal.

And Admins/Engineers/Managers and above that roll their eyes at these vulnerabilities should be fired and replaced with people that actually care.

This one doesn't require physical access... just access to the same network. Or at least that's how I read it.
The name of the paper is "NetCAT: Practical Cache Attacks from the Network"

And from the paper...
"By performing PRIME+PROBE in a loop, NetCAT can find out whenever the victim types something in a network connection."

So, it reads as if you need access to the network, not physical access to the machine, as I agree those are kind of, meh.
 
So yet another vulnerability that requires local access. Stop the presses!

Sounds like this does not require physical access to the machine, just a connection on the network.

"Their research is prompting an advisory for Intel that effectively recommends turning off either DDIO or RDMA in untrusted networks."

Good quote:

"Anyone who uses Intel-made processors inside data centers or other untrusted networks should carefully review the research, Intel's advisory, and any advisories by the network provider to ensure DDIO doesn't present a threat. People should also be aware that disabling DDIO comes at a significant performance cost. So far as the researchers know, chips from AMD and other manufacturers aren't vulnerable because they don't store networking data on shared CPU caches."

AMD doesn't share network data in shared cache so aren't affected... Now we know how Intel got that performance crown, lol.
 
It's all a plan for them to say "we fixed our CPU, look at how much faster it is than last year's model"... 1.1x faster, but 3x as fast once you run all the patches on the old rig lol
 
Who the F figures this shit out?

I swear some people just come up with ideas like... what if we tape aluminum foil to a 5GHz WiFi coax, add a laser at 876nm, press F5 6 times, and inject a keylogger into an active session of Battlefield V in the state of Rhode Island at 12:36am on July 31st, we will discover a new Intel exploit.
 
I can haz job @ intel marketing?




They already gave it to me.
 
Sheesh... Once all these patches and fixes that degrade performance are implemented, my 3770K is going to be so bogged down that I'll probably miss my dual P-III 1000 system.

This probably just sealed the deal for going with a Ryzen next spring when I overhaul my gaming PC.
I just upgraded from a 3770k myself... to a 6800k. CPU was $170, RAM was $160, motherboard was free.

Turns out, Broadwell-E on X99 still holds up pretty well, and there are excellent deals available on slightly older hardware: https://valid.x86.fr/0l6cps
 

Going Epyc?
Hyper-V servers are all running on 7551P's now. My smaller onsite AD/DNS/DHCP servers will be replaced with the embedded 3000 series EPYCs. Don't need a lot of power onsite anymore; it makes administrating things way easier.

additional:
Getting those 7551P's stable was a bitch and a half; it took a few BIOS revisions, firmware updates and changes to power delivery to make it work.
 
A year ago we heard that the patches for Meltdown and Spectre impacted performance by up to 10%.
What is the impact of these other 20 holes that need to be patched?

If I get a CPU that doesn't have hyper threading, am I safe from these vulnerabilities and the subsequent slowdowns that the patches will cause?

Thinking of buying an i7 9700 (which doesn't have hyper threading capabilities).
 
Hyper-Threading is exploited by the Foreshadow vulnerability, and disabling it only partially alleviates the vulnerability.
Well, when my 6700K started to feel like a 2600K in most tasks, especially VMs, I decided to give up the ghost and drop Intel CPUs all together.

As long as they are patched, it isn't a big deal, but where this starts to hurt is just how many exploits are still going to continue to be found due to Intel's "shortcuts" for their performance gains.
Just got tired of the constant patches, vulnerabilities, random performance hits (depending on the tasks), loss of features, and mainly paying for the cost of a processor that ends up having 2/3 the performance as was originally advertised.

If you want to go with Intel CPUs, go for it and vote with your wallet, but understand the potential future risks going into it, and the potential loss of features and value going forward as well.
AMD is the only company truly innovating with x86-64 at this point in time, and Intel has so many issues to deal with, that this may well be the hole that ends up growing to be big enough to sink the ship within the next decade.
 
Don’t most of these vulnerabilities require physical access to the machine? I can’t remember one that doesn’t but I don’t really pay attention to these. I was planning on having all AMD for a while so ignored the Intel side of things.
 
Don’t most of these vulnerabilities require physical access to the machine? I can’t remember one that doesn’t but I don’t really pay attention to these. I was planning on having all AMD for a while so ignored the Intel side of things.

Many don't, no.

Meltdown, Foreshadow, Spectre etc. require code to run on the machine.
websites can do that :)

This one requires network access, not exactly physical :)
 
Don’t most of these vulnerabilities require physical access to the machine? I can’t remember one that doesn’t but I don’t really pay attention to these. I was planning on having all AMD for a while so ignored the Intel side of things.

As I stated above, most of the impact is on servers. For the home user, most of these (as I understand them) will require elevated permissions, so it's a moot point. The notable exceptions were Spectre and Meltdown where administrative access was not needed.
 
Yea these vulnerabilities are a freaking nightmare.

Imagine you work for an enterprise and let's say you have over 1500 VM servers running at a 4:1 over-allocation to processor threads (not uncommon).

Now let's say that an Intel vulnerability comes out and the fix from VMware is to turn off Hyper-Threading on the hosts.

Do you do this and, with the flip of a switch, take your 4:1 over-allocation to 8:1? Can you AFFORD to lose 1/2 of your effective compute resources? Or do you choose to take the risk and keep your ESXi hosts and associated guests exposed?

This is a freaking nightmare scenario that MANY engineers are having to deal with. I would STRONGLY lean AGAINST using Intel compute in a VMware cluster if I were building a new one today.
 
Just look in vCenter at your hosts' CPU utilization...

Ours, before all the Spectre/Meltdown shit, were typically 10-20% utilized on the CPU, with the RAM at about 70% to 80% utilized, i.e. full clusters.

So far the hit from Spectre/Meltdown in our environment (1400 hosts, 10k+ VMs) has only impacted a few clusters that had spikes into high CPU utilization of 70 to 80% before the Spectre/Meltdown fixes were applied.

The ESXi side-channel aware scheduler is enabled, so the largest possible hit we should feel is up to 30%. But since RAM in most typical virtual environments is the limiting factor, we haven't really felt this that much.

Even with a 30% perf hit, CPU utilization would go from 20% to 50% in our environment. Still have room for the occasional CPU-spiking VM even.

The ones with the spiking CPU utilization (CAS boxes for Exchange email) we've been more careful with balancing the VMs, enabled high performance options in the BIOS settings, and added a couple of hosts.

There probably are virtual environments where these impacts have been felt more strongly, but luckily not ours.

Moving 1400 hosts to AMD isn't going to happen... incompatible with Intel EVC modes, so no hot migration. Can you imagine trying to coordinate the powering off of 14k VMs with all those varied system administrators/customers? Plus these hosts are only tech-refreshed every 5 to 7 years. Probably the same for most server floors.
 