Like all the players from the IT sector, OVH has been informed on May 14, 2019 of security vulnerabilities following the discovery of hardware vulnerabilities on Intel processors.
These new vulnerabilities are similar to previous spectrum and meltdown vulnerabilities and affect Intel’s microprocessors, which are part of the components used by OVH.
Researchers have shown proof of concept attacks under the names RIDL, Fallout and ZombieLoad, which exploit the following attack vectors :
- CVE-2018-12126 [microarchitectural store buffer data sampling (MSBDS)]
- CVE-2018-12130 [microarchitectural fill buffer data sampling (MFBDS)]
- CVE-2018-12127 [microarchitectural load port data sampling (MLPDS)]
- CVE-2019-11091 [microarchitectural data sampling uncacheable memory (MDSUM)]
Without the intervention of OVH or its customers, these vulnerabilities could allow an experienced attacker to conduct a complex attack. If it were completed, this would potentially allow for access to some data hosted on our multi-tenant infrastructures. At this point of time, OVH has not received any information demonstrating that the relevant vulnerabilities have been exploited on its infrastructure. Building a trustable cloud involves great responsibilities and the data security of its customers has always been paramount for OVH. As soon as this information reached us, OVH immediately mobilized its crisis unit to identify the potential impacts of these flaws and to set up the most suitable framework to protect the data of its customers. Since some of the fixes for these vulnerabilities require a firmware update of Intel’s CPUs, we are in close contact with their team to ensure optimal microcode deployment. In order to complete the mitigation of these vulnerabilities, we invite our customers to update the operating system of their server. You can find information on the most common OSs below:
- Windows : https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot
- Linux Red Hat : https://access.redhat.com/security/vulnerabilities/mds
- Ubuntu : https://blog.ubuntu.com/2019/05/14/ubuntu-updates-to-mitigate-new-microarchitectural-data-sampling-mds-vulnerabilities
We will keep you informed as soon as possible on the action plan and the schedule of the associated update operations. To this end, do not hesitate to consult regularly: