Edit: Hopefully you are running current systems / firmware.
Originally posted January 9, 2018 on AIXchange
You’ve most likely heard the news that emerged last week regarding a security vulnerability impacting all microprocessors. There will be patches and fixes forthcoming for different architectures and microprocessors, including IBM POWER processors, as indicated in this Jan. 3 post from IBM’s PSIRT blog:
If this vulnerability poses a risk to your environment, the first line of defense is the firewalls and security tools that most organizations already have in place. Complete mitigation of this vulnerability for Power Systems clients involves installing patches to both system firmware and operating systems. The firmware patch provides partial remediation to this vulnerability and is a prerequisite for the OS patch to be effective. These will be available as follows:
Firmware patches for POWER7+, POWER8 and POWER9 platforms will be available on January 9. We will provide further communication on supported generations prior to POWER7+, including firmware patches and availability.
Linux operating systems patches will start to become available on January 9. AIX and i operating system patches will start to become available February 12. Information will be available via PSIRT.
Clients should review these patches in the context of their datacenter environment and standard evaluation practices to determine if they should be applied.
PSIRT also issued this post that includes links for POWER and System z:
For a detailed explanation, check out this post from Security Intelligence, an IBM-sponsored site:
A hardware vulnerability, discovered independently by researchers from academia and Google, underscores a microprocessor flaw that, if exploited, could allow an attacker to read data from privileged kernel memory.
Since this flaw impacts all modern microprocessors, it can affect any device that uses them, including multiple operating systems running on mobile devices, laptops, workstations and servers.
It is important to note that to exploit this vulnerability, a malicious actor would need to execute untrusted code on the physical system or on a virtual machine linked to that system. This may include running content from webpages loaded in web browsers or accessed through mobile apps.
This article also provides these recommendations for mitigating risk:
This new triple-pronged flaw requires a risk assessment process for all organizations. Security teams will have to inventory their assets and determine which ones may be vulnerable. Then, after setting criticality and sensitivity scores, assets should be patched or applied mitigating controls.
An attacker must be able to place code into an application running on the system itself or on a virtual machine attached to the system to use this exploit this vulnerability. Therefore, protections to prevent unauthorized access into systems from outside the infrastructure can serve as a first barrier, as well as existing access controls for internal users.
The most immediate action security teams can take to protect assets is to prevent execution of unauthorized software, or access of untrusted websites, on any system that handles sensitive data, including adjacent virtual machines. Assume that any type of execution, including binary execution, carries the potential for attack.
Also, ensure security policies are in place to prevent unauthorized access to systems and the introduction of unapproved software or software updates.
If the organization is operating environments where preventing execution of unauthorized software is not possible, or is inconsistent, protection may only be possible by applying updates to system firmware, operating systems, and application code, as well as leveraging system-level protections to prevent the execution of unauthorized code.
In cases of update impact issues, mitigating controls should be applied in the interim, but patching is ultimately the remediation needed to prevent potential attacks. Please note that most patches released so far require rebooting systems and must be evaluated for the potential impact of such event on a given asset.
These hardware bugs, incidentally, are being called Meltdown and Spectre. For a quick overview, see this RedHat-produced video, and read this primer:
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit
Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.
The Internet Storm Center has more. This page also links to a podcast segment where Meltdown and Spectre are explained.
For those working with Linux distributions, here are some tips for patching vulnerabilities on Spectre and Meltdown. Those on desktop machines need to keep in mind the need to update firmware, OS and browsers.
As I see more information from IBM Support, I will do my part in getting it out there, both on this blog and on Twitter, where you can follow me @robmcnelly.