24 hours after the wide scale release of the vulnerabilities, Rackspace is silent about Spectre and Meltdown. They do not have a plan for patching all of their Xen hypervisors. All their newer platform servers are HVM servers, which are vulnerable. Older PV servers are not vulnerable.
I have updated the Linux kernel of my HVM guests, but Rackspace has not updated any of their hypervisors. Will updating the guest kernel on an unpatched hypervisor prevent "bad guy" VMs from accessing memory leaked from my patched host?
Answer
From what I understand of the vulnerabilities, no - the speculative caching attacks bypass all of the CPU's protections against a process grabbing memory from whatever arbitrary address.
I believe this would include the neighbor VMs (even those patched to protect against the attack themselves) as well as the hypervisor's kernel memory space - but even if there is something that I'm missing that would protect against direct memory disclosure, there's also potential that the attacker could use their access to kernel memory to gain more complete access to the hypervisor.
You definitely don't want to risk running a sensitive workload on an unpatched hypervisor of any kind if you don't trust all of the VMs running on it.
No comments:
Post a Comment