Meltdown and Spectre - Page 4 - Beyond.ca - Car Forums

Thread: Meltdown and Spectre

  1. #61
    Join Date
    Apr 2008
    Location
    Calgary, AB
    My Ride
    2015 CLS63s AMG Coupe
    Posts
    676
    Rep Power
    17

    Quote Originally Posted by Xtrema View Post
    If you run servers, 30% chance they are HP. Here's HP's stance which just got released today.

    https://support.hpe.com/hpsc/doc/pub...a00039267en_us

    Basically, 40% of servers that are newer got updates.

    The other 55% of servers that are more than 3 years old, there is supposed to be an update but I can't find it anywhere published within HPE realm.

    The other 5% of niche products, HP basically says sucks to be you. We will release it when it's ready.
    Haha, thanks again! I needed that. I got an e-mail from the Storage team (HPe) sending me the internal docs for the storage products, but haven't seen anything on the server side...
    Sig was pwned by Moderator!

  2. #62
    Join Date
    Apr 2008
    Location
    Calgary, AB
    My Ride
    2015 CLS63s AMG Coupe
    Posts
    676
    Rep Power
    17

    Quote Originally Posted by Xtrema View Post
    If you run servers, 30% chance they are HP. Here's HP's stance which just got released today.

    https://support.hpe.com/hpsc/doc/pub...a00039267en_us

    Basically, 40% of servers that are newer got updates.

    The other 55% of servers that are more than 3 years old, there is supposed to be an update but I can't find it anywhere published within HPE realm.

    The other 5% of niche products, HP basically says sucks to be you. We will release it when it's ready.

    I have to go home and check the Win10 systems, where I assume they force those registry settings (non-AV ones) as mandatory. I think they leave those as an option on servers so it's up to admins to either take the risk or take the performance penalty. Our synthetic DB test pegs that penalty at ~7-10%. But it all depends on load and age of equipment. Someone on forums claims their workload got hit up to 50%. I worry that inefficient DB calls may amplify this effect.

    Hmm... Trying to patch my own fleet of DL360p Gen8s, the HPe doc says there's an updated BIOS, but there's no new BIOS to be found on the support portal...
    Sig was pwned by Moderator!

  3. #63
    Join Date
    Jan 2004
    Location
    Calgary, Alberta
    My Ride
    Bicycle
    Posts
    9,279
    Rep Power
    49

    Quote Originally Posted by Zhariak View Post
    Haha, thanks again! I needed that. I got an e-mail from the Storage team (HPe) sending me the internal docs for the storage products, but haven't seen anything on the server side...
    Storage is less of an issue because it's a closed system with no chance of running unauthorized 3rd party code, even some of their line (3PAR?) has Intel procs in them. The only risk is that some poor engineer compiled an update from an unsafe source and released it to the public. (Unless you bought one of the DL360 ReFS file systems that's basically Windows with a SAN backend).

    Quote Originally Posted by Zhariak View Post
    Hmm... Trying to patch my own fleet of DL360p Gen8s, the HPe doc says there's an updated BIOS, but there's no new BIOS to be found on the support portal...
    Yup, the elusive 12/12/2017 update for Gen8. That's 50% of my environment.

    The disorganization makes me even worry if I should even trust these updates. Kinda want someone else as a guinea pig first.
    Last edited by Xtrema; 01-08-2018 at 05:54 PM.

  4. #64
    Join Date
    Apr 2008
    Location
    Calgary, AB
    My Ride
    2015 CLS63s AMG Coupe
    Posts
    676
    Rep Power
    17

    Quote Originally Posted by Xtrema View Post
    Storage is less of an issue because it's a closed system with no chance of running unauthorized 3rd party code, even some of their line (3PAR?) has Intel procs in them. The only risk is that some poor engineer compiled an update from an unsafe source and released it to the public. (Unless you bought one of the DL360 ReFS file systems that's basically Windows with a SAN backend).

    Yup, the elusive 12/12/2017 update for Gen8. That's 50% of my environment.

    The disorganization makes me even worry if I should even trust these updates. Kinda want someone else as a guinea pig first.
    If I can find it, I'll deploy it on one of my ESXi hosts and let you know how I make out.

    On a side note, I'm really not looking forward to seeing the performance loss in my environment (and customer environments)... This really pisses me off with how much I have invested in this hardware, lol.
    Sig was pwned by Moderator!

  5. #65
    Join Date
    Jan 2004
    Location
    Calgary, Alberta
    My Ride
    Bicycle
    Posts
    9,279
    Rep Power
    49

    Quote Originally Posted by Zhariak View Post
    If I can find it, I'll deploy it on one of my ESXi hosts and let you know how I make out.

    On a side note, I'm really not looking forward to seeing the performance loss in my environment (and customer environments)... This really pisses me off with how much I have invested in this hardware, lol.
    So I'm pretty sure you are aware, ESXi requires an update too beyond firmware, depending on what version you are on.

    https://www.vmware.com/us/security/a...2018-0002.html


    If you want to read all the responses on Meltdown from all the tech vendors, scroll to the bottom of the list here:
    https://meltdownattack.com/

    It really depends on workload. Pure computation, I see almost no loss. MS SQL is about 5-10% based on a 100 user load from HammerDB (at least that's what my DBA told me). It's heavy storage and network access that stand to be impacted most.
    Last edited by Xtrema; 01-08-2018 at 06:09 PM.

  6. #66
    Join Date
    Apr 2008
    Location
    calgary
    My Ride
    CLK 55 / 2g Eclipse / EP3
    Posts
    4,422
    Rep Power
    23

    Interesting article in WIRED about how 4 independent teams discovered the flaw. Talk about synchronicity.

    https://www.wired.com/story/meltdown...law-discovery/

  7. #67
    Join Date
    Apr 2008
    Location
    Calgary, AB
    My Ride
    2015 CLS63s AMG Coupe
    Posts
    676
    Rep Power
    17

    Quote Originally Posted by revelations View Post
    Interesting article in WIRED about how 4 independent teams discovered the flaw. Talk about synchronicity.

    https://www.wired.com/story/meltdown...law-discovery/
    I'm going to read that article later, I'm very curious.

    Without having read that, I'm wondering if there is some 0day exploit being used (not publicly known, being privately used), and it's been observations of compromised systems that have led multiple researchers to discover the flaw. With how many businesses are blindly going to the cloud, I'm wondering if there's been mass compromises that very few know about...
    Sig was pwned by Moderator!

  8. #68
    Join Date
    Jan 1970
    Location
    YYC
    My Ride
    1 x E Class Benz
    Posts
    23,609
    Rep Power
    101

    Quote Originally Posted by suntan View Post
    This is like, totally wrong. Did you even read the Meltdown paper?

    Thanks sonny, I know what OOOE is. Silly me, being a programmer and all that.
    googe is mostly right on his description of Spectre. You’re right in that Meltdown is completely different. Only thing that’s wrong with googe’s description is that you can only reveal memory of your process, not others. At least that’s my understanding. But that’s still a big flaw as my browser cookie example shows.
    Originally posted by SEANBANERJEE
    I have gone above and beyond what I should rightfully have to do to protect my good name

  9. #69
    Join Date
    Apr 2008
    Location
    Calgary, AB
    My Ride
    2015 CLS63s AMG Coupe
    Posts
    676
    Rep Power
    17

    Quote Originally Posted by Xtrema View Post
    Yup, the elusive 12/12/2017 update for Gen8. That's 50% of my environment.
    Just got off the phone with HPe support. They said the article is wrong and there's no Gen8 BIOS update as of yet. They said it could be a month or so. I was forceful, asked why the document says there was, she spoke to a manager and they confirmed the article was wrong and there's no Gen8 BIOS update.
    Sig was pwned by Moderator!

  10. #70
    Join Date
    Jan 2004
    Location
    Calgary, Alberta
    My Ride
    Bicycle
    Posts
    9,279
    Rep Power
    49

    Quote Originally Posted by Zhariak View Post
    Just got off the phone with HPe support. They said the article is wrong and there's no Gen8 BIOS update as of yet. They said it could be a month or so. I was forceful, asked why the document says there was, she spoke to a manager and they confirmed the article was wrong and there's no Gen8 BIOS update.
    Thanks. I had HP rep look into it for me, still waiting for a reply.

    Pretty sure that's the answer I'll get. HPE isn't the same since they fired crap loads of people in Calgary.

  11. #71
    Join Date
    May 2002
    Location
    Calgary, Alberta
    My Ride
    (maah raahde)
    Posts
    5,799
    Rep Power
    44

    I initially thought Meltdown was gonna be a pain in the ass, but it might end up being a blessing in disguise at work. We have a bunch of old servers that are no longer supported by the vendor that we've been wanting to decommission for years but clients refuse to let them go. Now they may not have a choice haha

  12. #72
    Join Date
    Sep 2004
    Location
    Elbonia
    My Ride
    Jeep of Theseus
    Posts
    6,834
    Rep Power
    49

    Great, can't wait for all my Ivy Bridge-era hardware to get fucked in the ass after the patch.

  13. #73
    Join Date
    Jan 2004
    Location
    Calgary, Alberta
    My Ride
    Bicycle
    Posts
    9,279
    Rep Power
    49

    Quote Originally Posted by D'z Nutz View Post
    I initially thought Meltdown was gonna be a pain in the ass, but it might end up being a blessing in disguise at work. We have a bunch of old servers that are no longer supported by the vendor that we've been wanting to decommission for years but clients refuse to let them go. Now they may not have a choice haha
    Those customers won't care. I tried it on them about a few Windows 2003 servers we still have.

    Thank god at least they are on ESX so I don't have to worry about the hardware end.

  14. #74
    Join Date
    Aug 2016
    Location
    Calgary
    Posts
    101
    Rep Power
    0

    So is this something we non-computer people need to fix? Home type computers? What needs to be done?

  15. #75
    Join Date
    Jan 2004
    Location
    Calgary, Alberta
    My Ride
    Bicycle
    Posts
    9,279
    Rep Power
    49

    Quote Originally Posted by Gestalt View Post
    So is this something we non-computer people need to fix? Home type computers? What needs to be done?
    Yes.

    If you have a system with an Intel CPU, look for the latest firmware update from the manufacturer, most likely dated Dec 2017 or newer.

    Get the latest update from other OS manufacturers:

    - 2018-01 update needed for Windows 7, 8, 10 (but make sure your AV scanner is also fixed before trying to update)
    - 10.13.2 for MacOS (iMac, Macbook etc)
    - 11.2.2 for iOS (iPhone and iPad)
    - Jan 5, 2018 security patch level for all Androids (not much you can do here if your droid update is being held back by manufacturer/telecom).
    - Home NAS devices (Synology, Qnap, Dlink etc, check vendors for guidance)

    Until you have reached this level, I would avoid doing anything financial on that device and avoid installing new apps or visiting websites with ads.

    On the other hand, probably good to follow best practices/hygiene on all your cloud access (online banking/paypal/sites that have your CC info cached). Reset password monthly or quarterly. Avoid using public wifi or machines etc.

    The other side of this is people like us may not have all the fixes in until late Feb. We can mitigate to a degree but it won't be fully fixed until vendors who are scrambling to understand and release fixes for their products we rely on. Some probably don't even know what hit them yet. So there is a window of opportunity here to exploit cloud infrastructures for at least the next 4-5 weeks. And the problem with this exploit is that nobody knows they got hit unless info is already out in public.

    And the full architecture redesign won't be ready for another 3-4 years at least. So upcoming devices for at least the next year or so will have this defect in them. Everything we do is trying to cover that defect with software.

    Also, phishing scams are already out about Meltdown and Spectre. So be careful about anything you see/read about someone offering fixes on this. Always get your fixes from official sites and not links provided by email or 3rd party.
    Last edited by Xtrema; 01-10-2018 at 11:18 AM.

  17. #77
    Join Date
    Jan 2004
    Location
    Calgary, Alberta
    My Ride
    Bicycle
    Posts
    9,279
    Rep Power
    49

    Quote Originally Posted by Zhariak View Post
    Just got off the phone with HPe support. They said the article is wrong and there's no Gen8 BIOS update as of yet. They said it could be a month or so. I was forceful, asked why the document says there was, she spoke to a manager and they confirmed the article was wrong and there's no Gen8 BIOS update.
    My rep says this Friday. But I am skeptical because:

    http://www.zdnet.com/article/meltdow...eds-to-do-now/
    "In addition, devices that use pre-Haswell Intel CPUs (Ivy Bridge and earlier designs) are most likely to suffer serious performance issues as a result of software updates."

    Gen8 is IvyBridge.

  18. #78
    Join Date
    Apr 2008
    Location
    Calgary
    Posts
    179
    Rep Power
    0

    Quote Originally Posted by Xtrema View Post
    Yes.

    If you have a system with an Intel CPU, look for the latest firmware update from the manufacturer, most likely dated Dec 2017 or newer.
    Meltdown impacts more than just Intel CPUs. We know for sure ARM is impacted, possibly AMD but that's still to be seen (there's rumblings certain cores may be impacted, still to be seen though).

    Spectre impacts pretty much everything including Intel, ARM, IBM, AMD...

  19. #79
    Join Date
    Jan 2004
    Location
    Calgary, Alberta
    My Ride
    Bicycle
    Posts
    9,279
    Rep Power
    49

    Quote Originally Posted by mazdavirgin View Post
    Meltdown impacts more than just Intel CPUs. We know for sure ARM is impacted, possibly AMD but that's still to be seen (there's rumblings certain cores may be impacted, still to be seen though).
    Well, I doubt ARM device manufacturers will focus on firmware like Intel PCs. And I would bet that any consumer grade PC and motherboard older than 3 years will probably not get updates anyway.

    The problem with ARM is you have too many different brands: Qualcomm, Mediatek, Apple A series, Kirin (?). And only 6-8 lines of ARM cores are compromised. I only mapped that out to be the Snapdragon 800 series (except 810) and maybe a couple 600 series.

    And since ARM is used in so many IoT besides cell phones, you really don't know. Is your self driving car with Nvidia K1 at risk? How about the Shield Tablet that Nvidia says there will be no more updates?

    Can someone eventually find out a remote exploit for these unpatched IoT devices out there? Who knows.

  20. #80
    Join Date
    Jul 2008
    Location
    Pallet Town
    Posts
    815
    Rep Power
    0

    This is one of those times that I'm glad that I have a cheap Cortex-A53 tablet. Not much performance testing has been shown for ARM yet, as the fixes are coming through much slower as mentioned for the vast array of different devices based on portable ARMs.
    Cocoa $11,000 per tonne.
