If I'm running a VM on Amazon EC2 or Microsoft Azure, and they've patched the underlying hypervisor, do I need to upgrade my Linux kernel to protect against Meltdown or Spectre?

Assume that I'm not running any untrusted software in my VM.

I know that if I don't patch my kernel, I'm at risk from untrusted software running in my VM. This is no different from a normal (non-virtual) server, and thus not interesting.

If the hypervisor's patched, but my kernel isn't, am I at risk from neighbouring (compromised or malicious) guests?

Roger Lipscombe
  • I think you should remove the "untrusted software" from your question because that just adds confusion; you can never be 100% sure you never run untrusted code. Stuff can sneak in from exploits. – Sam Saffron Jan 04 '18 at 21:57
  • @SamSaffron - If he's intentionally running untrusted code, Meltdown is a perimeter vulnerability. Otherwise, the risk of exploits using it for privilege escalation is a defence-in-depth precaution only. – paj28 Jan 04 '18 at 22:20
  • The entire point of the question is to ask about untrusted versus trusted software in the guest, so, no, I won't be making that edit. – Roger Lipscombe Jan 05 '18 at 08:22
  • I'm asking "do I need to patch now, or can it wait until my next scheduled maintenance window, later in the month" – Roger Lipscombe Jan 05 '18 at 08:23
  • As ever so often, this depends on your risk model. The problem with the Spectre case right now is that we don't know about any attacks that are out in the open. To your particular case, we don't know what exactly you are doing on that VM, so we don't know about possible attack vectors. The only thing one can say here is: the guest OS is still vulnerable, even if the hypervisor is patched. – Tom K. Jan 05 '18 at 08:33
  • "we don't know what exactly you are doing on that VM" -- hence the "assume I trust the software in the guest"; it removes from you the need to know. – Roger Lipscombe Jan 05 '18 at 09:09
  • Well, then the answer is completely independent of any vulnerability. If you trust all software and all executed code, the surrounding systems (the hypervisor in this case) are patched, then your machine is safe. This is a rather moot point though. – Tom K. Jan 05 '18 at 10:21
  • Do I need to patch *my* kernel (as well as the hypervisor) to get full protection from other guests? Or is the hypervisor sufficient? – Roger Lipscombe Jan 05 '18 at 10:32

1 Answer

To answer the question you originally asked: whether or not you're running untrusted code, if you want to protect against Meltdown or Spectre, you still need to upgrade your kernel, even if your cloud provider has patched the underlying hypervisor.

The GCE customer announcement (linked from the Google security blog post, which is a bit light on detail but also links to the project zero writeup which is full-on) says under “Mitigation Status”:

Infrastructure patched against known attacks. Customers must patch/update guest environment.

If you don’t trust Google, AWS has their own security bulletin which states:

While the updates AWS performs protect underlying infrastructure, in order to be fully protected against these issues, customers must also patch their instance operating systems. Updates for Amazon Linux have been made available, and instructions for updating existing instances are provided further below along with any other AWS-related guidance relevant to this bulletin.

The reason why this is necessary is because paravirtualization allows the guest kernel to have control over the TLB in the CPU directly, without mediation from the hypervisor (it’s one of the major performance improvements of paravirt over full virt, along with direct I/O). Thus, if the guest OS kernel doesn’t implement the mitigations, processes running in the VM can still grab data from the kernel and other processes running in the same guest.

The answer to the second question you've edited your question to add, as to whether you're at risk from your neighbours, appears to be, with the information currently available, "no". The answer to the third, seemingly implied question, of whether you should patch now or in your regular patch cycle, isn't answerable with the information you've provided, as it is deeply rooted in your own organization's risk profile and threat models, and I'd go so far as to say that you're bordering on "primarily opinion-based" with that one.

womble
  • Assume I'm not running untrusted software in the guest... – Roger Lipscombe Jan 05 '18 at 08:19
  • That's a different question to the one you originally asked. – womble Jan 05 '18 at 09:45
  • No it's not; check the edit history: "Assume I'm..." has been in the question body since the beginning. I bolded it (and made other edits) to make it more obvious. – Roger Lipscombe Jan 05 '18 at 09:46
  • Yes, I know about edit history. Your question previously had the "no untrusted code" bit as an afterthought. The title and first paragraph were quite clear. – womble Jan 05 '18 at 11:41
  • Tbh if you’re only running trusted code with no known (other) vulnerabilities on one box (bare-metal being the isolation barrier here), you don’t strictly need to patch (right now, but should certainly as soon as you’re able). That being said, there’s only a patch for Meltdown, AIUI, not for Spectre. – mirabilos Jan 05 '18 at 17:45
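A way to verify the answer's point from inside the guest, as an added example that is not part of the original question or answer: Linux kernels from 4.15 (and distribution kernels with the fixes backported) report their own Meltdown/Spectre mitigation state under /sys/devices/system/cpu/vulnerabilities/, independently of whatever the hypervisor does. The script below reads those files; the VULN_DIR override and the function names are this example's own.

```shell
#!/bin/sh
# Added example: report the guest kernel's own mitigation state.
# A kernel without the vulnerabilities directory at all predates the
# reporting interface and should be treated as unmitigated.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_state: map one sysfs status line to a short label.
classify_state() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        Mitigation:*)    echo "mitigated" ;;
        Vulnerable*)     echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# guest_mitigation_report: print one line per reported issue.
# Returns 0 only when every issue is mitigated or not applicable;
# returns 1 if anything is vulnerable, unknown, or unreported.
guest_mitigation_report() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates mitigation reporting, assume unmitigated"
        return 1
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        state=$(cat "$f")
        label=$(classify_state "$state")
        case "$label" in
            vulnerable|unknown) rc=1 ;;
        esac
        printf '%-24s %-14s %s\n' "$(basename "$f")" "$label" "$state"
    done
    return $rc
}

guest_mitigation_report "$VULN_DIR" \
    || echo "=> guest kernel still needs patching; the hypervisor patch does not cover this"
```

A non-zero exit from guest_mitigation_report is the "customers must patch/update guest environment" case the answer quotes.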