Processor Speculative Execution – Operating System Updates

AWS recently published AWS Security Bulletin AWS-2018-013 for the newly disclosed research regarding side-channel analysis via speculative execution on modern computer processors. This bulletin refers to three security advisories: CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. These advisories are based on research from Google Project Zero that identified new methods for side-channel analysis in modern computer processors. Because these methods target foundational technology, namely speculative execution, that is part of many manufacturers’ processors, this research has wide-reaching implications: from hypervisors to operating systems to web browsers, and from your phone to servers running in datacenters that make up the cloud.

EC2 instance isolation

All instances across the Amazon EC2 fleet are protected from all known instance-to-host and instance-to-instance concerns of the CVEs previously listed. Instance-to-instance concerns assume an untrusted neighbor instance could read the memory of another instance or the AWS hypervisor. This issue has been addressed for AWS hypervisors, and no instance can read the memory of another instance, nor can any instance read AWS hypervisor memory. We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads.

Operating system patches

Modern operating systems have multiple types of process isolation, including isolating the kernel from “userspace” processes, and isolating processes from each other. All three of the disclosed issues can have an impact on process isolation in any setting where an operating system is running on the affected processors. The protections implemented in a hypervisor do not extend to the process-level isolation within an operating system, therefore operating system patches are required to mitigate risks.

It is important to note that there are no operating system level protections to address process-to-process concerns of CVE-2017-5754 for paravirtualization (PV) instances. While PV instances are protected by AWS hypervisors from any instance-to-instance concerns as described above, customers concerned with process isolation within their PV instances (e.g. process untrusted data, run untrusted code, host untrusted users), are strongly encouraged to migrate to HVM instance types for longer-term security benefits. For more information on the differences between PV and HVM (as well as instance upgrade path documentation), please see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/virtualization_types.html

We strongly recommend that customers patch their instance operating systems to isolate software running within the same instance and mitigate process-to-process concerns of CVE-2017-5754.

Customers using AWS Systems Manager can use Patch Manager to maintain security and compliance by setting up patch rules, updating their instances, and viewing compliance. Alternatively, customers can use Run Command for directly updating their instances with rate control. More details are available at: https://forums.aws.amazon.com/ann.jspa?annID=5351

Below are patching details for the following operating systems:

  • Amazon Linux & Amazon Linux 2
  • CentOS
  • Debian
  • Fedora
  • Microsoft Windows
  • Red Hat
  • SUSE
  • Ubuntu

Amazon Linux & Amazon Linux 2

An updated kernel for Amazon Linux is available within the Amazon Linux repositories. EC2 instances launched with the default Amazon Linux configuration on or after January 8th, 2018 will automatically include the updated package, which addresses KPTI bugs and improves mitigations for CVE-2017-5754, and CVE-2017-5715 with kernel version 4.9.76 or newer.

NOTE: Customers must upgrade to the latest Amazon Linux kernel or AMI to effectively mitigate CVE-2017-5754, CVE-2017-5715 within their instance. We will continue to provide Amazon Linux improvements and updated Amazon Linux AMIs; incorporating open source Linux community contributions that address this issue as they become available.

Customers with existing Amazon Linux AMI instances should run the following command to ensure they receive the updated package: sudo yum update kernel.

As is standard for any update of the Linux kernel, after the yum update is complete, a reboot is required for updates to take effect.

More information on this bulletin is available at the Amazon Linux AMI Security Center https://alas.aws.amazon.com and further can be found at https://aws.amazon.com/security/security-bulletins/AWS-2018-013.

CentOS

CentOS has updated their AMIs and the kernels in their global repositories to mitigate CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715. Customers should update their kernels for CentOS 6 and 7.

Customers with existing CentOS 6 or 7 instances should run the following command to ensure they receive the updated package: sudo yum update kernel.

More information on this bulletin is available at: https://www.centos.org/forums/viewtopic.php?f=51&t=65703

Debian

An updated kernel for Debian 7, 8 and 9 is available within the Debian Linux repositories. EC2 instances launched with the Debian AMIs (https://wiki.debian.org/Cloud/AmazonEC2Image) will automatically include the updated package, which addresses KPTI bugs and improves mitigations for CVE-2017-5754 (Meltdown).

More information on this bulletin is available at:
https://www.debian.org/security/2018/dsa-4082
https://security-tracker.debian.org/tracker/linux

Fedora

Fedora has provided kernel updates for Fedora 26 and 27 (kernel version 4.14.11) and Rawhide (kernel 4.15 release candidate), which addresses CVE-2017-5754. 

More information on this bulletin is available at:
https://fedoramagazine.org/protect-fedora-system-meltdown/
https://torrent.fedoraproject.org/

Microsoft Windows

We have updated AWS Windows AMIs, which have the necessary patch installed and registry keys enabled.

Microsoft have provided Windows patches for Server 2008R2, 2012R2 and 2016. Patches are available through the built-in Windows Update Service for Server 2016. We are pending information from Microsoft on patch availability for Server 2003, 2008SP2 and 2012RTM.

AWS customers running Windows instances on EC2 that have "Automatic Updates" enabled should run automatic updates to download and install the necessary update for Windows when it is available.

Please note, Server 2008R2 and 2012R2 patches are currently unavailable through Windows Update requiring manual download. Microsoft previously advised these patches would be available Tuesday, January 9th, however we are still pending information on their availability.

AWS customers running Windows instances on EC2 that do not have “Automatic Updates” enabled should manually install the necessary update when it is available by following the instructions here: http://windows.microsoft.com/en-us/windows7/install-windows-updates.

Please note, for Windows Server, additional steps are required by Microsoft to enable their update’s protective features for this issue, described here: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution.

Red Hat

Red Hat has updated their AMIs and the kernels in their global repositories to mitigate CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715. Customers should update their existing instances kernels on RHEL 6, RHEL 7 through the Red Hat Update Infrastructure (RHUI).

Customers with existing RHEL 6 or 7 instances should run the following command to ensure they receive the updated package: sudo yum update kernel.

More information on this bulletin is available at: https://access.redhat.com/security/vulnerabilities/speculativeexecution

SUSE

An updated kernel for SUSE Linux is available within the SUSE Linux repositories. EC2 instances launched with the default SUSE Linux image on or after January 4th, 2018 will automatically include the updated package, which addresses KPTI bugs and improves mitigations for CVE-2017-5754. 

For further information, please refer to the SUSE Linux security bulletin: https://www.suse.com/support/kb/doc/?id=7022512.

Ubuntu

An updated kernel for Ubuntu is available within the global Ubuntu repositories. EC2 instances launched with the default Ubuntu configuration on or after January 10th, 2018 will automatically include the updated package, which addresses CVE-2017-5754.

Customers with existing Ubuntu 14.04, 16.04, and 17.10 instances should run the following commands to ensure they receive an updated kernel package:

sudo apt-get update
sudo apt-get dist-upgrade

More information on this bulletin is available at: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown