In the beginning of 2018 vulnerabilities like Spectre [1] and Meltdown changed the world of computing. They were from the family of next generation vulnerabilities, found in CPU hardware layer, instead of the traditional defects existing in computing software layer. What makes these CPU vulnerabilities more serious and dangerous is the fact that they exists in the hardware layer underneath the workload and even the operating system. Situation is extremely critical in virtualized environments, for example in the Cloud, where multiple tenants operate in same resources seamlessly. In May 2019 Intel announced a new set of vulnerabilities similar to Spectre and Meltdown, called Microarchitectural Data Sampling (MDS). All previously mentioned vulnerabilities reside in Intel CPUs (Cores and Xeon) and particularry in Intel implementation of Hypertreading and speculative execution. Exploiting these vulnerabilities, attacker can obtain leaked data across processes, privilege boundaries and Hyperthread. As this feature resides in the hardware itself, all know operating systems, all hypervisors and container solutions running on top of Intel processor are affected. How to mitigate Zombie(load)s [Z] in the Cloud? If you run untrusted or unpatched software stack, multiple tenants and/or services open to the Internet, you have increased risk of being bit by a Zombieload. Here is a list of steps we have performed for our customers to mitigate Zombies:
- Run all workloads, hypervisors and containers in Hyperthread DISABLED hardware. This will not make MDS vulnerabilities go away, but minimizes the attack vector.
- All major public cloud vendors have published patched versions of their operating systems, like Amazon AMI [2]. Run your workload on the latest OS.
- Google has patched their Kubernetes Master [3], update your Master and nodes with the latest, launch nodes HT disabled. Disabling Hyperthreading in a modern Intel CPU has a performance impact of 8-10%, depending on the source of information. Notice that currently operating system patches nor disabling HT do not completely mitigate the risk of MDS as the affected code still resides in the CPU. [Z] https://zombieloadattack.com/ [1] https://en.wikipedia.org/wiki/Spectre_(security_vulnerability) [2] https://alas.aws.amazon.com/ALAS-2019-1205.html [3] https://cloud.google.com/kubernetes-engine/docs/security-bulletins#may-14-2019
