Cloud providers are on the defense because of recently discovered security flaws impacting chipsets that power just about every form of computing device. Many of the data centers that power cloud deployments rely on commodity servers powered by chipsets vulnerable to the bugs.
In a blog post, Google said an internal security team – ominously labeled “Project Zero” – last year discovered the security bugs within modern microprocessors. The bugs impact architectures used by AMD, ARM, and Intel; other computing devices; and operating systems, including those based on Linux.
Google’s research found three attack vectors that if completed would allow for access to memory data. This could include passwords, encryption keys, and other information open in applications that are stored on memory.
The attacks take advantage of CPUs that in order to improve performance “may choose to speculatively execute instructions based on assumptions that are considered likely to be true.”
“During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions,” explained Matt Linton, senior security engineer, and Pat Parseghian, technical program manager, at Google, in the post. “It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound and can lead to information disclosure.”
Google testing also showed an attacker could infiltrate a virtual machine (VM) and gain access to the physical memory of the host machine. This would also allow access to the memory of a different VM on the same host.
For its own services, Google has updated all known vulnerabilities to its Google Cloud Platform (GCP). The updates were performed using its VM Live Migration technology that did not require any forced maintenance windows or system restarts.
Customers using their own operating systems on top of GCP might be required to perform additional steps to cure possible vulnerabilities.
Google’s Kubernetes Engine (GKE) is protected against the bugs. However, the company said customers would need to update their runtime environments so that applications running within each runtime environment were protected from each other.
Google said once discovered, it began working with hardware and software manufacturers on the problem. A joint announcement was scheduled for Jan. 9 – coinciding with the annual Consumer Electronics Show in Las Vegas – but reports on the bug began surfacing this week, prompting some to address the news.
Microsoft Azure Impact
The company did accelerate planned updates, which includes the rebooting subsets of impacted VMs. The moves will not impact established service level agreements (SLAs), though Microsoft did admit some customers might see an impact of networking performance.
“The majority of Azure infrastructure has already been updated to address this vulnerability,” the company’s security team explained. “Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. Many of you have received notification in recent weeks of a planned maintenance on Azure and have already rebooted your VMs to apply the fix, and no further action by you is required.”
Amazon Web Services (AWS) explained its response via Reddit. The cloud giant said only a small percentage of instances on its Elastic Compute Cloud (EC2) platform were initially impacted, with those having since been patched.
AWS did note the CPU bugs have existed for more than 20 years.
Similar to Microsoft and Google, AWS recommends customers update their runtime environments to fully protect from the bugs.