MSP Response Checklist for the Intel Foreshadow Vulnerability

Earlier in the year, Spectre and Meltdown caused a huge uproar within the IT community as people scrambled to ensure they were not at risk from the discovered vulnerabilities – but what about the latest security risk: Intel Foreshadow?

Being a Systems Engineer, I’ve personally spent my fair share of time patching hypervisors and OSes due to these cleverly crafted vulnerabilities. If you’ve been paying attention to the recent IT Security news, you’ve probably heard about the new vulnerability called Foreshadow or the L1 Terminal Fault issue. As an MSP it is critical to patch against these type of vulnerabilities as they are very dangerous, especially for multi-tenant environment services. The speculative execution vulnerabilities can allow one to obtain data from the underlying hardware that is hosting the multi-tenant infrastructure.

What is the Foreshadow Vulnerability?

As a high-level explanation of this newly found vulnerability, Foreshadow is similar to the Meltdown vulnerability in that it allows applications to access the contents in kernel memory. Foreshadow takes advantage of Intels SGX (Software Guard Extensions) feature which is available in new Skylake processor architecture. This new feature enables Trusted Execution Environments, that are secured environments in memory where data can be contained and protected. The Foreshadow attack will attempt to reach this encrypted data and use speculative execution to access it before the processor determines that the attack doesn’t have permission to access it.

MSP Checklist for Internal and Client Environments

As an MSP it is imperative to patch against the Foreshadow vulnerability. You may be wondering where to start and how to proceed with securing your clients’ environments. Below is a checklist that contains recommended steps as well as links to patches for each vendor:

1. Check for Known Risks

Start by inventorying your infrastructure for processors that are at risk to this vulnerability. According to Intel, as of right now, the following platforms are potentially impacted:

Intel® Core™ i3 processor (45nm and 32nm)
Intel® Core™ i5 processor (45nm and 32nm)
Intel® Core™ i7 processor (45nm and 32nm)
Intel® Core™ M processor family (45nm and 32nm)
2nd generation Intel® Core™ processors
3rd generation Intel® Core™ processors
4th generation Intel® Core™ processors
5th generation Intel® Core™ processors
6th generation Intel® Core™ processors
7th generation Intel® Core™ processors
8th generation Intel® Core™ processors
Intel® Core™ X-series Processor Family for Intel® X99 platforms
Intel® Core™ X-series Processor Family for Intel® X299 platforms
Intel® Xeon® processor 3400 series
Intel® Xeon® processor 3600 series
Intel® Xeon® processor 5500 series
Intel® Xeon® processor 5600 series
Intel® Xeon® processor 6500 series
Intel® Xeon® processor 7500 series
Intel® Xeon® Processor E3 Family
Intel® Xeon® Processor E3 v2 Family
Intel® Xeon® Processor E3 v3 Family
Intel® Xeon® Processor E3 v4 Family
Intel® Xeon® Processor E3 v5 Family
Intel® Xeon® Processor E3 v6 Family
Intel® Xeon® Processor E5 Family
Intel® Xeon® Processor E5 v2 Family
Intel® Xeon® Processor E5 v3 Family
Intel® Xeon® Processor E5 v4 Family
Intel® Xeon® Processor E7 Family
Intel® Xeon® Processor E7 v2 Family
Intel® Xeon® Processor E7 v3 Family
Intel® Xeon® Processor E7 v4 Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon® Processor D (1500, 2100)y

2. Patch EVERYTHING and TEST

You need to quickly protect all aspects of your system that are vulnerable in a tested environment FIRST. Do not skip this step. Last time there were many performance issues due to the Meltdown and Spectre patches so make sure you do yourself and your customers a favor and run any required patches through a test environment before deploying to any production devices. Below are the following major vendors that have released a patch for their systems. Also note, at the time of writing this article Microsoft has stated that Hyper-V servers with hyperthreading enabled can potentially weaken the microcode and OS updates that they released. If you are running Hyper-V be sure to follow this flowchart here along with each mitigation step listed here to best secure your environment based on the Server OS and features enabled:

VMware
Dell
HP
Cisco
Oracle
SUSE
Ubuntu
Debian
Gentoo
Microsoft

3. Patch Production Systems

After thoroughly testing any recommended patches and using them in some sort of “burn-in” test period, you are ready to patch production systems. Make sure to apply the microcode firmware updates for your hardware, as well as the OS patches where applicable.

4. Check Cloud Status

The three major public cloud vendors have already stated that they have deployed patches to their underlying hardware against this vulnerability so any systems utilizing these platforms are considered in very minor risk:

Azure
Google Cloud
AWS

5. Keep up to Date

Stay informed on the issue just in case there are further developments. A site has been created in order to inform people about the issue. As an MSP, it is important to keep your clients aware of the situation and that you are actively protecting their systems by providing regular updates on the current vulnerability status.

Whats Next?

As practitioners of the Professional IT scenery, we are once again tasked with undergoing yet another wave of vulnerability patches. Unfortunately, we are running through the same motions as we did with the Spectre and Meltdown incident. Is this going to become a normal practice for the IT World? If so, we are going to start to see even more and more emphasis on Security as critical vulnerabilities like these consume quite a large amount of time and call for more outage/maintenance windows. By following this checklist above, you will have a good success rate with patching your customers’ environments to prevent yet another speculative execution vulnerability.

Let me know in the comments below your experiences with the remediation of this new vulnerability and whether you run into any issues in doing so! We want to hear about it if you do!