Spectre and Meltdown: Reducing Your Risk on IBM i
By now everyone is aware of the recently discovered major vulnerabilities named Spectre and Meltdown, which affect most hardware chips, including the POWER chips used to run your IBM i servers. Spectre and Meltdown are not viruses; they are vulnerabilities that can expose your sensitive data to the wrong person. The problem is inherent in the chip design itself and in how it makes sensitive data available to the CPU for faster processing. This issue has existed for decades and was only recently identified.
Spectre and Meltdown exposure is not accessible from outside the network, so you’re not at risk of having your passwords and encryption keys accessed from the web. Like most risks, the threat comes from your internal users, which is why these vulnerabilities are such a problem for companies. Most breaches are accomplished from inside the company, and rogue employees can cause irreparable damage to your company’s sensitive data. You only have to look at the Equifax breach last year to understand why it’s critical to patch your firmware and OS. However, there is something important to consider before you apply IBM firmware and IBM i PTFs to counter Spectre and Meltdown: what the performance impact will be after the fixes are applied.
What are Spectre and Meltdown?
Spectre and Meltdown are exposures caused by how data is processed at the chip level. There are three distinct vulnerabilities, and while all three can expose sensitive data to the wrong person, they differ slightly in how they work.
Spectre is made up of two vulnerabilities that make it possible for a program to access data it is not authorized to access. The exposure happens in the chip’s speculative execution, which essentially lets the chip guess what the computer will need to do next and start that work early. When this happens, sensitive data is briefly exposed, and a rogue programmer could trigger speculative execution and gain access to that data. This vulnerability is harder to exploit; however, it is the more dangerous of the two because it is also harder to mitigate. Analysts expect more vulnerabilities to be found in this area in the near future.
Meltdown is a single vulnerability that makes it possible for a program to bypass hardware security and access data it normally is not authorized to, including data only QSECOFR should have access to. This exposure is limited to specific chips, and the POWER chip set is one of them, which is why you need to be aware of it. Meltdown is easier to mitigate with firmware fixes and PTFs than Spectre is.
How do I reduce the risk to my IBM i servers?
IBM has released Spectre and Meltdown POWER firmware updates and PTFs for the IBM i operating system. If you are running unsupported hardware or software, now is the time to get current, because IBM will not release firmware upgrades or PTFs for unsupported systems or OS releases.
The PTFs that have been released support Power 7, Power 7+, Power 8 and Power 9, which means that if you’re still on Power 6 or below you will not receive any PTFs for these vulnerabilities. The PTFs only support the OS versions that run on that supported hardware, i.e. IBM i 7.1 and higher. With IBM i 7.1 going end of life on April 30, you really should consider upgrading now if you haven’t already.
The information listed below is from the IBM Security Bulletin on Spectre and Meltdown, which specifies how to mitigate the risk by applying the PTFs. IBM maintains a separate web page for POWER system firmware updates for Spectre and Meltdown.
PTFs released on February 8, 2018
On February 8, 2018, IBM released the following IBM i PTFs, which, when used in combination with its recent POWER firmware fixes, are required to mitigate the vulnerabilities on all Power 7, Power 7+, and Power 8 hardware models running the IBM i operating system.
Release 7.1 – MF64599, MF64602, MF64603, MF64604, MF64609, MF64612, MF64615, MF64616, MF64617, MF64618, MF64619, MF64620
Release 7.2 – MF64598, MF64601, MF64607, MF64611, MF64614
Release 7.3 – MF64597, MF64600, MF64605, MF64610, MF64613
PTFs released on January 26, 2018
IBM’s January 26, 2018 PTFs are required to mitigate the vulnerabilities on all Power 8 hardware models running the IBM i operating system. These PTFs can also be loaded on other POWER hardware models, but they are not required to mitigate the vulnerabilities there. Additional PTFs addressing other hardware models will be released as they become available.
Release 7.1 – MF64571
Release 7.2 – MF64565
Release 7.3 – MF64568
PTFs released on January 10, 2018
IBM released their first PTFs for Power 7 and above systems on January 10, 2018, which are:
Release 7.1 – MF64553
Release 7.2 – MF64552
Release 7.3 – MF64551
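As an added example (not from the SEA post or IBM’s bulletin), the check below verifies that a release’s PTF inventory covers every PTF listed above, treating a superseded PTF as covered only when its superseding PTF is actually applied. It assumes a CSV export whose column names follow the QSYS2.PTF_INFO view (PTF_IDENTIFIER, PTF_LOADED_STATUS, PTF_SUPERSEDED_BY_PTF); the sample rows, including the supersession, are constructed.

```python
import csv

# Required PTFs per IBM i release, combining the three batches quoted above from
# the IBM Security Bulletin (January 10, January 26 and February 8, 2018).
REQUIRED_PTFS = {
    "7.1": {"MF64553", "MF64571", "MF64599", "MF64602", "MF64603", "MF64604", "MF64609",
            "MF64612", "MF64615", "MF64616", "MF64617", "MF64618", "MF64619", "MF64620"},
    "7.2": {"MF64552", "MF64565", "MF64598", "MF64601", "MF64607", "MF64611", "MF64614"},
    "7.3": {"MF64551", "MF64568", "MF64597", "MF64600", "MF64605", "MF64610", "MF64613"},
}
# Only an applied PTF changes what the machine executes; LOADED or NOT LOADED is a gap.
ACTIVE_STATUSES = {"PERMANENTLY APPLIED", "TEMPORARILY APPLIED"}


def parse_ptf_rows(csv_text):
    """Parse CSV rows named after QSYS2.PTF_INFO columns into {id: (status, superseded_by)}."""
    entries = {}
    for row in csv.DictReader(csv_text.splitlines()):
        superseded_by = (row.get("PTF_SUPERSEDED_BY_PTF") or "").strip().upper() or None
        entries[row["PTF_IDENTIFIER"].strip().upper()] = (
            row["PTF_LOADED_STATUS"].strip().upper(), superseded_by)
    return entries


def is_active(ptf_id, entries, seen=None):
    """True if the PTF is applied, or superseded by a chain that ends in an applied PTF."""
    seen = set() if seen is None else seen
    if ptf_id in seen or ptf_id not in entries:
        return False  # unknown PTF, or a supersession loop in the exported data
    seen.add(ptf_id)
    status, superseded_by = entries[ptf_id]
    return status in ACTIVE_STATUSES or (status == "SUPERSEDED" and
        superseded_by is not None and is_active(superseded_by, entries, seen))


def check_release(release, csv_text):
    """Return (covered, gaps); gaps maps each unmet required PTF to its reported status."""
    entries = parse_ptf_rows(csv_text)
    covered = {p for p in REQUIRED_PTFS[release] if is_active(p, entries)}
    gaps = {p: entries.get(p, ("NOT LOADED", None))[0]
            for p in REQUIRED_PTFS[release] - covered}
    return covered, gaps


# Constructed sample export for a 7.2 partition; the supersession row is made up.
SAMPLE_72 = """PTF_IDENTIFIER,PTF_LOADED_STATUS,PTF_SUPERSEDED_BY_PTF
MF64552,PERMANENTLY APPLIED,
MF64565,SUPERSEDED,MF64598
MF64598,PERMANENTLY APPLIED,
MF64601,TEMPORARILY APPLIED,
MF64607,LOADED,
"""
```

The PTFs are only half of the fix the bulletin describes; the POWER firmware level has to be verified separately on each system.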
The Unknown: Performance Impact
While IBM has been quick to release PTFs for both IBM POWER hardware and the IBM i operating system, it has not discussed the implications of applying these fixes. Since the Spectre and Meltdown exposures are at the execution level of the hardware and stem from features that allow faster processing, the question is how the patches will affect system performance. That is the big unknown right now. These patches will inevitably slow down the execution of machine code in order to reduce the risk of data exposure; the thing to consider is how that will affect your users. IBM is not discussing the potential performance hit to POWER hardware. We suspect this is because they have no way of knowing.
It’s important to keep your IBM i OS and firmware current to comply with regulations and protect your business from a potential breach. You also need to protect your environment with firewalls and other security solutions. SEA can help you to secure your IBM i environment and help protect your company from the threat of Spectre and Meltdown. Visit our website at https://seasoft.com for more information.