Last Updated May 22, 2018 at 08:09 CT
Update with Variant 3a and Variant 4. Update to Intel section
Initial details of these vulnerabilities were released the first week of the new year before a planned annoucement on January 9, 2018. As the scheduled release was preempted and the extent of the vulnerabilities covers such a wide range of technologies, companies are issuing new updates almost daily in response. This summary will change over time as new information become available.
What are they?
Spectre and Meltdown are the user-friendly names given to two different vulnerabilities covered by three different CVEs (Spectre: CVE-2017-5715 & CVE-2017-5753, Meltdown: CVE-2017-5754). Spectre takes advantage of speculative execution technology in processors from Intel, AMD and ARM to gain access to system resources, and the vulnerability allows for processes to escape sandboxing. Meltdown is a breakdown of memory isolation that is likely only found in Intel chips (further testing might find AMD and ARM processors with the same fault, but it doesn’t seem likely at this time) that allows attackers to access items in system memory, which could allow for privilege escalation or malicious links between hypervisor environments. Spectre is of special concern because exploits can be triggered remotely through Javascript running in browsers.
The impact is wide spread because the vulnerabilities are taking advantage of how processors have been designed for the past 20 years. OS and application vendors are/will be issuing patches, and it's likely that firmware updates will be needed. Desktops, servers, cloud services, mobile devices, routers, firewalls — all could have a compromised processor and will need remediation of some sort. It is also possible that these patches might result in performance slowdowns for some systems.
This article provides a deep dive into how these vulnerabilities work:
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
SANS had a webinar on January 4th covering both Spectre and Meltdown.
https://www.sans.org/webcasts/meltdown-spectre-understanding-mitigating-threats-106815
SANS Slides PDF Link: https://www.sans.org/webcasts/downloads/106815/slides
Illustrated article explaining how Meltdown and Spectre work
http://mailchi.mp/stratechery/meltdown-spectre-and-the-state-of-technology?e=a3c8ee045b
A Linux Kernel maintainer discusses the status of kernel changes
http://kroah.com/log/blog/2018/01/06/meltdown-status/
Explanation of how Spectre works relative to browsers/Webkit
https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/
On May 21, 2018, Google and Microsoft jointly announced discovery of two new Spectre-like vulnerabilities, referred to as Variant 3a (CVE-2018-3640) and Variant 4 (CVE-2018-3639), found in Intel CPUs. Intel will be releasing microcode updates to address the issue.
Side-Channel Vulnerability Variants 3a and 4
https://www.us-cert.gov/ncas/alerts/TA18-141A
Apple's initial response, About speculative execution vulnerabilities in ARM-based and Intel CPUs (https://support.apple.com/en-us/HT208394) [last updated January 9th] outlines how Spectre and Meltdown could affect Apple devices and details Apple's initial OS response. In this document, Apple states that iOS 11.2, macOS 10.13.2, and tvOS 11.2 are patched against Meltdown.
On Monday, January 8th, Apple issued iOS 11.2.2, Safari 11.0.2 for 10.11 and 10.12 and macOS High Sierra 10.13.2 Supplemental Update to address the Spectre vulnerabilities (CVE-2017-5715 & CVE-2017-5753) in iOS and macOS
https://support.apple.com/en-us/HT208401
https://support.apple.com/en-us/HT208403
https://support.apple.com/en-us/HT208397
Safari 11.0.2 was originally released in December 2017. The January 8th update maintains the same version number (11.0.2) but increments the build number. The build number for 10.11.6 is 11604.4.7.1.6, and the build number for 10.12.6 is 12604.4.7.1.6. The supplemental update requires 10.13.2 and is not applicable to 10.13.0 or 10.13.1. The supplemental update changes the OS build number to 17C205 and Safari's build number to either 13604.4.7.1.6 or 13604.4.7.10.6.
Apple released Safari 11.0.3 for macOS 10.11.6, 10.12.6 and 10.13.3 is now available as of January 23rd.
On Tuesday, January 23, 2018 Apple released Security Update 2018-001 El Capitan and Security Update 2018-001 Sierra. These updates patch 10.11.6 and 10.12.6 against the Meltdown vulnerability. https://support.apple.com/en-us/HT208465
To have mitigation for the Meltdown and Spectre vulnerabilities, the following criteria must be met:
tvOS received mitigation for Meltdown in tvOS 11.2. As of January 23, 2018, Apple has not clarified whether or not tvOS is still vulnerable to the Spectre vulnerabilites.
watchOS is not affected by either Meltdown or Spectre.
Potential Performance Issues
Be advised that most Macs released in circulation will likely not have performance impacted by potential fixes. Macs with processors that include Process-context identifiers (PCID) should handle the fix better than those that don't. This is a working list of which Macs have processors that have PCID: https://docs.google.com/spreadsheets/d/1E_FDTmRKb6cXsCzIlYoApqbEiaHeBksFf41wWpZUY-8/edit#gid=0
You can also query a Mac to confirm PCID status with this command: sysctl machdep.cpu.features | grep -o PCID
Measuring OS X Meltdown Patches Performance in 10.13.2
https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/
Meltdown/Spectre vulnerability status for Chrome OS devices
https://www.chromium.org/a/chromium.org/dev/chrome-os-devices-and-kernel-versions
Check this list for which hardware series has been updated or not for Meltdown. Chrome OS is not susceptible to one of the Spectre variants and should not be vulnerable to the other Spectre variant, though the OS might introduced additional safeguards in Chrome OS v65.
Meltdown and Spectre Status Update
https://insights.ubuntu.com/2018/01/12/meltdown-and-spectre-status-update
Updated kernels:
Some 16.04 systems had boot issues with the initial kernel update (4.4.0-108). Kernel 4.4.0-109 should resolve these issues.
Security Notice for Meltdown
https://usn.ubuntu.com/usn/usn-3522-3/
https://usn.ubuntu.com/usn/usn-3522-4/
Security Notice for Spectre
https://usn.ubuntu.com/usn/usn-3531-1/
Once patches are available, you should be able to use the following to confirm the patch has been applied:
debsecan | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
Plans to release updates to their OSes soon.
https://access.redhat.com/security/cve/cve-2017-5715
https://access.redhat.com/security/cve/cve-2017-5753
https://access.redhat.com/security/cve/cve-2017-5754
Once patches are available, you should be able to use the following to confirm the patch has been applied:
rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
Summary from Microsoft about protecting Windows systems
Microsoft released emergency updates the week of January 1st (20180103)
These links also contain information on how to verify patches have been applied to client and server systems and additional instructions.
On January 9th, Microsoft pulled the patch for Windows systems running on systems with AMD processors due to boot failures. https://www.theverge.com/2018/1/9/16867068/microsoft-meltdown-spectre-security-updates-amd-pcs-issues
On January 29th, Microsoft has issued a second out-of-band update (KB4078130) that “…specifically disables only the mitigation against CVE-2017-5715 – ‘Branch target injection vulnerability.’” without also installing Intel's microcode updates, which, at this time, are still causing boot issues for certain systems.
Be aware these updates might conflicts with some anti-virus software.
Additionally, some anti-virus software developers might not make the required Registry changes, which could conflict with Windows Updates in the future https://twitter.com/GossiTheDog/status/950325474022092800
This document is tracking Windows AV software compatibility:
Article outlining performance impact on various versions of Windows
Microcode (firmware) updates coming to close Spectre holes
http://www.amd.com/en/corporate/speculative-execution
As of April 2nd, Intel has published Microcode Revision Guidance which provides details of availability of microcode updates. https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf
The January 22nd press release provides an overview of the microcode issues
This Security Notice has ongoing updates with the latest microcode update news from Intel
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Performance metrics from Intel
Inital metrics
January 17th updates
Q2 2018 Speculative Execution Side Channel Update
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
US-CERT is maintaining a list of links to responses and updates from all affected vendors https://www.us-cert.gov/ncas/alerts/TA18-004A
It is possible for the Spectre vulnerabilities to be triggered via browser attacks. Properly patched versions of the major browsers are:
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
https://support.google.com/chrome/answer/7623121?hl=en-GB
https://support.google.com/faqs/answer/7622138
Virtualization products, both desktop and server products, will need updates. VMware outlines ESX, Fusion and Workstation patch levels here https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
Further details on VMware's response are detailed here https://kb.vmware.com/s/article/52245
Fusion 8.5.10 Release Notes
https://docs.vmware.com/en/VMware-Fusion/8.0/rn/fusion-8510-release-notes.html
Fusion 10.1.1 Release Notes
https://docs.vmware.com/en/VMware-Fusion/10/rn/fusion-1011-release-notes.html
Intel Sightings in ESXi Bundled Microcode Patches for VMSA-2018-0004 (52345)
[Notes on Intel microcode updates and ESXi hosts]
https://kb.vmware.com/s/article/52345
VMware Performance Impact for CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52337)
Kbase will be updated in the future with performance impact of patches to VMware products
https://kb.vmware.com/s/article/52337
Amazon Web Services will need to undergo host and guest OS patching and restarts. At this time it is unclear how this will impact S3 and Cloudfront services. https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
Digital Ocean has published How To Protect Your Server Against the Meltdown and Spectre Vulnerabilities
As of January 10, 2018, Linode has started the mitigation plan. VMs will be restarted at least once and likely twice as hosts are updated. If your Linode VM is set to us the latest Linode kernel, you should not need to apply additional kernel updates. As of January 14th, Linode kernel 4.14.12 is the patched kernel.
CPU Vulnerabilities: Meltdown & Spectre
Kbase updates are ongoing as Linode makes changes and updates.
https://blog.linode.com/2018/01/03/cpu-vulnerabilities-meltdown-spectre/
What You Need to Do to Mitigate Meltdown and Spectre (FAQ)