Mitigate speculative execution side-channel vulnerabilities

Seems the new year bring us some bad surprises in terms of security. There has been some rumors and now turned out to be truth that certain processors are vulnerable to certain attacks. Yes processors. That means that affects a wide variety of Operating Systems. As Microsoft puts it:

Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems including Intel, AMD, and ARM. Note: this issue will affect other systems such as Android, Chrome, iOS, MacOS, so we advise customers to seek out guidance from those vendors.

Source: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

I cannot explain into details about how these vulnerabilities work but if you want to read Google has it on Reading privileged memory with a side-channel .

With this post I want to lay out some advises on how to protect from these vulnerabilities or future ones with Azure:

  1. The first think you have to do is to patch your servers no matter if they are Linux or Windows. Azure has solution that will help you patch your servers. Update Management solution is part of Azure Automation service under the OMS umbrella. It patches both Linux and Windows and it will tell you which systems are not patched yet. The best of this solution that is free for Azure and non-Azure VMs and you only pay for the data stored in Log Analytics which is neglectable for the features you get. You can find more information here:
  2. Detect malicious behaviors on your servers with Azure Security Center. ASC brings the big guns in terms of security detection, protection and response. It has rich behavioral analytics that will detect malicious behaviors happening on your machines. Currently those behavioral analytics work only on Windows machines but we can expect that Linux machines will be covered in the future as well. After all Microsoft loves Linux. You can read more for those detections here:

  3. Prevention. ASC also has another feature Adaptive Application Controls that will help you protect your environment from vulnerabilities like these. As these vulnerabilities relay on executing software on your servers what better for protection than allowing only approved software to run on your servers. This is what Adaptive Application Controls does. It learns what software is being ran on your servers and creates policies to allow only that software to run, any other will be blocked from execution. Pretty smart. Currently it works only for Windows but we know Microsoft love Linux Smile . You can read more about this feature here:

Hope that those advises will help you protect your environment not only from these vulnerabilities but from others as well.

Note: The vulnerabilities can affect VMs as well. Source: Windows Server guidance to protect against speculative execution side-channel vulnerabilities.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.