Vulnerabilities are always a nightmare. And when they relate to server hardware, the impact is enormous.
Intel CPU owners are in big trouble with the recent vulnerability called ZombieLoad or MDS. It can allow attackers to retrieve data being processed inside a CPU.
Unfortunately, it affects Linux and Windows servers, and even virtual machines. The fix involves updating the processor, patching the kernel version, etc.
Let’s now discuss how 1 onlyhost’s Engineers identify and fix the Intel CPU MDS vulnerability as part of our Server Management Services.
Details on Intel CPU MDS vulnerability
Before proceeding further, let’s learn how attackers make use of the ZombieLoad vulnerability.
In layman’s terms, “zombieload” is a quantity of data that a processor can’t handle on its own. The processor chip then asks for help from its microcode to prevent an application crash. It uses a technique called Microarchitectural Data Sampling, aka MDS. That’s how the vulnerability gets its name.
In general, applications and processes running on virtual machines and containers can only see their own data. But the Zombieload vulnerabilities enable an attacker to spy on data of other containers. This happens due to the vulnerability that exists on all modern Intel processors.
Is my server at risk?
Now, the question arises: Does it affect my servers?
The answer is yes if you are running an Intel processor made after 2011. Again, this vulnerability affects all users of the 5.1 kernel series.
Moreover, the operating system does not matter much with this vulnerability. Windows as well as Linux distributions are vulnerable to the Intel CPU MDS vulnerability. That’s because the problem really lies with Intel’s underlying processors and not with the operating systems as such.
Unfortunately, Linux-based containers and VMs are also open to attack.
Therefore, the first step of the investigation is to find out whether your server is vulnerable or not. For Windows servers, we can make use of Microsoft’s PowerShell script to find out whether the vulnerability is present on your box. Again, there are a couple of online tools that can show the vulnerability on Linux and Windows servers.
How to fix Zombieload or MDS vulnerability?
Now that you know your server is at risk, it’s really critical to patch the server as early as possible.
Soon after the vulnerability disclosure, Intel released microcode patches. Fortunately, these help to clear the server processor’s buffers, thus preventing data from being read.
Therefore, to defend the server against an MDS attack, our Security Engineers recommend updating your processor’s microcode, patching your operating system, and, for the highest level of protection, disabling the Hyper-Threading feature on the CPU as well.
To protect the servers, our Dedicated Engineers update the following Linux packages: kernel, kernel-rt, libvirt, qemu-kvm, qemu-kvm-rhev, and microcode_ctl on all affected systems.
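To confirm on a Linux server that the three layers described above (kernel patch, microcode, Hyper-Threading) are actually in effect, the kernel's own MDS status line can be read and classified. This is an added example, not part of the original article or of 1 onlyhost's tooling; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/mds, and the verdict words are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example: classify the kernel's MDS status line (verdict names are illustrative).
# Assumption: the kernel exposes the sysfs file below, as MDS-patched kernels do.
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds "<status line>" -> prints one verdict word
classify_mds() {
    case "$1" in
        "Not affected"*)
            echo not-affected ;;
        "Mitigation: Clear CPU buffers"*)
            # Buffers are cleared, but a sibling hyper-thread can still sample data.
            case "$1" in
                *"SMT vulnerable"*)         echo mitigated-smt-exposed ;;
                *"SMT Host state unknown"*) echo mitigated-smt-unknown ;;
                *)                          echo mitigated ;;
            esac ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # Kernel is patched, but the CPU microcode update is missing.
            echo needs-microcode ;;
        "Vulnerable"*)
            echo vulnerable ;;
        "")
            # No status line: the file is absent, e.g. a kernel without MDS patches.
            echo unreported ;;
        *)
            echo unknown ;;
    esac
}

# check_mds [file] -> prints "verdict: raw line" for the given status file
check_mds() {
    file=${1:-$MDS_SYSFS}
    line=""
    [ -r "$file" ] && line=$(cat "$file")
    echo "$(classify_mds "$line"): ${line:-no mds entry}"
}

# Constructed sample lines in the format the kernel reports:
for s in "Mitigation: Clear CPU buffers; SMT vulnerable" \
         "Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled" \
         "Mitigation: Clear CPU buffers; SMT disabled"; do
    printf '%-24s %s\n' "$(classify_mds "$s")" "$s"
done
check_mds   # status of the machine this runs on
```

A verdict of needs-microcode after a kernel upgrade points at a missing microcode_ctl update, and mitigated-smt-exposed means Hyper-Threading is still enabled. Inside a guest, mitigated-smt-unknown means the guest cannot see the host's SMT state, which is why the host node has to be checked as well.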
Steps to patch servers
Being in the server management industry for more than a decade, we understand the need to patch servers as per the operating system in use. Let’s check how our Security Engineers work with various servers.
1. Red Hat, CentOS servers
To handle the Intel MDS vulnerability, Red Hat and CentOS have released a new kernel version, 3.10.0-957.12.2.el7, with the security fixes. Therefore, on CentOS 7 servers, we upgrade the kernel and confirm that the kernel is at 3.10.0-957.12.2.el7.
2. CloudLinux servers
Similarly, CloudLinux has also come up with the patch for the vulnerability.
In case of servers running CloudLinux 7 and CloudLinux 6, we patch their installations by running the following commands in a terminal.
For CloudLinux 7
yum install kernel-3.10.0-427.36.1.lve1.4.43.el7 kmod-lve-1.4-43.el7
For CloudLinux 6
yum install kernel-2.6.32-673.26.1.lve1.4.24.el6 kmod-lve-1.4-24.el6
Additionally, we take steps to upgrade the microcode. The complete set of commands is:
yum upgrade microcode_ctl && yum install kernel-3.10.0-962.3.2.lve1.5.25.8.el7 --enablerepo=cloudlinux-updates-testing
3. Windows servers
Microsoft has also come up with patches for Windows servers. Therefore, to make the Windows servers secure, we install the updates on the servers. The update list includes:
2019-05 Servicing Stack Update for Windows Server 2016 for x64-based Systems (KB4498947)
2019-05 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4494440)
As the updates are at kernel level, we always reboot the system for the new kernel version to take effect.
4. For virtual machines
For customers running virtual machines, we patch the Linux kernel inside the VM. Again, our Dedicated Engineers make sure that the host node is updated as well.
For servers using KernelCare, patches are delivered automatically by KernelCare and we just confirm that the server uses the latest kernel.
Conclusion
In short, patching the server against Intel CPU MDS vulnerability is the need of the hour. Today, we examined the vulnerability as such and how our Dedicated Engineers patch different servers.