1

I've been reading into the Meltdown and Spectre bugs recently and the issues they cause for virtualised servers, as memory in one VM can potentially be accessed by another user in a separate VM with the same host.

I found this article on DigitalOcean (here), where they talk about making sure to apply new kernel patches to servers to help mitigate the effects of the bugs. In the comments I see people talking about protecting their server droplets (DigitalOcean's brand of VPSs) this way, and that's where I got confused. Surely any security updates applied on their VM will not affect the execution of the bug in another VM on an older OS update? When an attacker on the same host is on an old version of an OS, wouldn't they be able to exploit the bugs just fine, as they're the ones executing the code required, not the updated VM they are trying to retrieve memory from?

So my question is, am I correct in thinking that there is no way the bugs can be mitigated this way for virtual servers? If so, are virtual servers going to remain insecure for a long time to come?

Thanks.

Letal1s

1 Answer

2

The OS patch doesn't remove the CPU side-channel vulnerability. It adds mitigations to the OS kernel to avoid sensitive data being leaked in the processor cache in a way that can be abused by Meltdown and Spectre.

The updates protect the victim, rather than removing a capability from an attacker. As such, it doesn't matter what OS version an attacker on an adjacent VM is using.

CPU microcode updates make it more difficult to exploit these vulnerabilities. You need both the microcode update and OS update to remain acceptably secure against this type of attack.

In addition, some standard libraries (e.g. MSVCRT) have Spectre-mitigated versions that offer additional protection against cache side-channel attacks, although you need to recompile applications with this library for it to be effective. This isn't mandatory if you already have the microcode and OS patches installed - it's more of a defence-in-depth measure.

Polynomial
  • Thanks for the info, so that would mean any updates people are trying to apply to their virtual servers would not really do much if the people owning the underlying hardware weren't to apply these microcode updates? – Letal1s Sep 27 '21 at 20:24
  • 1
    @Letal1s Patching the OS and applications makes it harder for them to exploit, but yes, that's generally correct. However, no VPS host is going to skip applying the microcode updates, because attacks can target the hypervisor too, so it doesn't just impact customer VMs. – Polynomial Sep 27 '21 at 20:50
  • Understood. A final question: would it be safe to assume that most known places hosting VPSs nowadays have the measures put into place to protect against these, as otherwise their hypervisor itself is just as much at risk? Or should they all generally be approached with caution? – Letal1s Sep 28 '21 at 12:21
  • @Letal1s It's a very good bet that they'll have applied mitigations, especially with the more popular hosts. They have a direct financial and operational incentive to do so. But you can always contact support and ask them to give you an overview of what specific steps they've taken to protect against side-channel attacks between adjacent VPSes on the same physical host. – Polynomial Sep 28 '21 at 14:37
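
One way to check, from inside a Linux guest, whether the kernel-side mitigations discussed in the answer are active. This is an added example, not part of the original question, answer or comments; it reads the kernel's standard sysfs vulnerabilities interface (Linux 4.15 and later), and the function names and `VULN_DIR_DEFAULT` are this example's own.

```shell
#!/bin/sh
# Added example: summarise what the running Linux kernel reports about CPU
# side-channel mitigations (Meltdown, Spectre, ...), as seen from inside a VM.
# The default path is the standard sysfs location; a different directory can
# be passed to report_mitigations so it can be run against sample data.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<status line>" -> OK | PARTIAL | VULNERABLE | UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*)              echo OK ;;
        # A mitigation is on but a residual exposure is reported,
        # e.g. "Mitigation: Clear CPU buffers; SMT vulnerable".
        "Mitigation:"*[Vv]ulnerable*) echo PARTIAL ;;
        "Mitigation:"*)               echo OK ;;
        # Covers "Vulnerable", "Vulnerable: ..., no microcode", "KVM: Vulnerable".
        *[Vv]ulnerable*)              echo VULNERABLE ;;
        *)                            echo UNKNOWN ;;
    esac
}

# report_mitigations [dir]
# Prints one "name<TAB>verdict<TAB>raw status" line per entry in the directory.
# Exit status: 0 = everything OK, 1 = at least one entry not fully mitigated,
# 2 = the sysfs interface is missing (kernel too old or not Linux).
report_mitigations() (
    dir=${1:-$VULN_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "no vulnerabilities interface at $dir" >&2; exit 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(head -n 1 "$f")
        verdict=$(classify_status "$status")
        [ "$verdict" = OK ] || rc=1
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$verdict" "$status"
    done
    exit "$rc"
)
```

Source the file and run `report_mitigations` in the guest. The output is the guest kernel's own view only: it cannot confirm what the provider has patched on the host or hypervisor, which is why the last comment's advice to ask the provider still applies.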