Spectre & Meltdown Vulnerabilities Summary

Last Updated April 9, 2018 at 10:55 CT

Update to Intel section

Initial details of these vulnerabilities were released the first week of the new year, before a planned announcement on January 9, 2018. As the scheduled release was preempted and the vulnerabilities cover such a wide range of technologies, companies are issuing new updates almost daily in response. This summary will change over time as new information becomes available.

What are they?

Spectre and Meltdown are the user-friendly names given to two different vulnerabilities covered by three different CVEs (Spectre: CVE-2017-5715 & CVE-2017-5753, Meltdown: CVE-2017-5754). Spectre takes advantage of speculative execution technology in processors from Intel, AMD and ARM to gain access to system resources, and the vulnerability allows processes to escape sandboxing. Meltdown is a breakdown of memory isolation that is likely only found in Intel chips (further testing might find AMD and ARM processors with the same fault, but it doesn’t seem likely at this time) that allows attackers to access items in system memory, which could allow for privilege escalation or malicious links between hypervisor environments. Spectre is of special concern because exploits can be triggered remotely through JavaScript running in browsers.

https://meltdownattack.com

https://spectreattack.com

The impact is widespread because the vulnerabilities take advantage of how processors have been designed for the past 20 years. OS and application vendors are issuing or will issue patches, and it's likely that firmware updates will be needed. Desktops, servers, cloud services, mobile devices, routers, firewalls — all could have a compromised processor and will need remediation of some sort. It is also possible that these patches might result in performance slowdowns for some systems.

This article provides a deep dive into how these vulnerabilities work:

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

SANS had a webinar on January 4th covering both Spectre and Meltdown.

https://www.sans.org/webcasts/meltdown-spectre-understanding-mitigating-threats-106815

SANS Slides PDF Link: https://www.sans.org/webcasts/downloads/106815/slides

Illustrated article explaining how Meltdown and Spectre work

http://mailchi.mp/stratechery/meltdown-spectre-and-the-state-of-technology?e=a3c8ee045b

A Linux Kernel maintainer discusses the status of kernel changes

http://kroah.com/log/blog/2018/01/06/meltdown-status/

Explanation of how Spectre works relative to browsers/Webkit

https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/

OS Response

macOS & iOS

Apple's initial response, About speculative execution vulnerabilities in ARM-based and Intel CPUs (https://support.apple.com/en-us/HT208394) [last updated January 9th] outlines how Spectre and Meltdown could affect Apple devices and details Apple's initial OS response. In this document, Apple states that iOS 11.2, macOS 10.13.2, and tvOS 11.2 are patched against Meltdown.

On Monday, January 8th, Apple issued iOS 11.2.2, Safari 11.0.2 for 10.11 and 10.12, and the macOS High Sierra 10.13.2 Supplemental Update to address the Spectre vulnerabilities (CVE-2017-5715 & CVE-2017-5753) in iOS and macOS.

https://support.apple.com/en-us/HT208401

https://support.apple.com/en-us/HT208403

https://support.apple.com/en-us/HT208397

Safari 11.0.2 was originally released in December 2017. The January 8th update maintains the same version number (11.0.2) but increments the build number. The build number for 10.11.6 is 11604.4.7.1.6, and the build number for 10.12.6 is 12604.4.7.1.6. The supplemental update requires 10.13.2 and is not applicable to 10.13.0 or 10.13.1. The supplemental update changes the OS build number to 17C205 and Safari's build number to either 13604.4.7.1.6 or 13604.4.7.10.6.

Safari 11.0.3 for macOS 10.11.6, 10.12.6 and 10.13.3 is available as of January 23rd.

On Tuesday, January 23, 2018 Apple released Security Update 2018-001 El Capitan and Security Update 2018-001 Sierra. These updates patch 10.11.6 and 10.12.6 against the Meltdown vulnerability. https://support.apple.com/en-us/HT208465

To have mitigation for the Meltdown and Spectre vulnerabilities, the following criteria must be met:

  • macOS 10.11.6 El Capitan must be patched with Security Update 2018-001, which will update the OS build number to 15G19009
  • macOS 10.12.6 Sierra must be patched with Security Update 2018-001, which will update the OS build number to 16G1212
  • macOS 10.13 High Sierra should be patched to macOS 10.13.3, which contains the fixes included in both 10.13.2 and the 10.13.2 supplemental update. 10.13.3 has two OS build numbers: 17D47 and 17D2047. 17D2047 is specific to the iMac Pro.
  • Safari 11.0.3, which encompasses changes in all versions of Safari 11.0.2, should be installed on 10.11, 10.12 and 10.13 devices.
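
The criteria above can be checked with a short script. This is an added example, not Apple tooling and not part of the original summary; the function names are hypothetical, the Safari path is the default install location, and it assumes that a larger numeric build suffix (or a later 10.13.x / Safari release) means the same fixes or newer.

```shell
#!/bin/sh
# Added example: compare a Mac's OS and Safari versions with the patch levels
# listed above. Function names are hypothetical, not Apple tooling.

# version_ge A B: succeeds when dotted version A is numerically >= B.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# macos_ok PRODUCT_VERSION BUILD
# Returns 0 = meets the listed level, 1 = below it, 2 = release not covered.
# Assumption: within one release, the digits after the build letter grow with
# each later update, so a larger suffix means "same or newer".
macos_ok() {
    ver=$1
    suffix=${2#*[A-Z]}                       # 15G19009 -> 19009
    case $suffix in ''|*[!0-9]*) return 2 ;; esac
    case $ver in
        10.11.6)       [ "$suffix" -ge 19009 ] ;;   # Security Update 2018-001
        10.12.6)       [ "$suffix" -ge 1212 ] ;;    # Security Update 2018-001
        10.13|10.13.*) version_ge "$ver" 10.13.3 ;;
        *)             return 2 ;;
    esac
}

# safari_ok VERSION: succeeds for Safari 11.0.3 or later.
safari_ok() { version_ge "$1" 11.0.3; }

# On a Mac, check the live system; elsewhere the block only defines functions.
if command -v sw_vers >/dev/null 2>&1; then
    os=$(sw_vers -productVersion); build=$(sw_vers -buildVersion)
    safari=$(defaults read /Applications/Safari.app/Contents/Info \
        CFBundleShortVersionString 2>/dev/null)
    rc=0; macos_ok "$os" "$build" || rc=$?
    echo "macOS $os ($build): status $rc (0=patched 1=needs update 2=not covered)"
    if safari_ok "${safari:-0}"; then echo "Safari $safari: ok"
    else echo "Safari ${safari:-not found}: needs 11.0.3"; fi
fi
```

Status 2 means the release is outside the list above and has to be assessed separately.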

tvOS received mitigation for Meltdown in tvOS 11.2. As of January 23, 2018, Apple has not clarified whether or not tvOS is still vulnerable to the Spectre vulnerabilities.

watchOS is not affected by either Meltdown or Spectre.

Potential Performance Issues

Be advised that most Macs in circulation will likely not see a performance impact from potential fixes. Macs with processors that include process-context identifiers (PCID) should handle the fix better than those that don't. This is a working list of which Macs have processors that have PCID: https://docs.google.com/spreadsheets/d/1E_FDTmRKb6cXsCzIlYoApqbEiaHeBksFf41wWpZUY-8/edit#gid=0

You can also query a Mac to confirm PCID status with this command: sysctl machdep.cpu.features | grep -o PCID

Measuring OS X Meltdown Patches Performance in 10.13.2

https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/

Chrome OS/Chromebooks

Meltdown/Spectre vulnerability status for Chrome OS devices

https://www.chromium.org/a/chromium.org/dev/chrome-os-devices-and-kernel-versions

Check this list to see which hardware series have been updated for Meltdown. Chrome OS is not susceptible to one of the Spectre variants and should not be vulnerable to the other Spectre variant, though the OS might introduce additional safeguards in Chrome OS v65.

Ubuntu

Meltdown and Spectre Status Update

https://insights.ubuntu.com/2018/01/12/meltdown-and-spectre-status-update

Updated kernels:

  • 12.04 ESM Precise (kernel v3.2)
  • 14.04 LTS Trusty (kernel v3.13)
  • 16.04 LTS Xenial (kernel v4.4)
  • 17.10 Artful (kernel v4.13)

Some 16.04 systems had boot issues with the initial kernel update (4.4.0-108). Kernel 4.4.0-109 should resolve these issues.

Security Notice for Meltdown

https://usn.ubuntu.com/usn/usn-3522-3/

https://usn.ubuntu.com/usn/usn-3522-4/

Security Notice for Spectre

https://usn.ubuntu.com/usn/usn-3531-1/

Once patches are available, you should be able to use the following to confirm the patch has been applied:

debsecan | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'

Red Hat

Red Hat plans to release updates to its OSes soon.

https://access.redhat.com/security/cve/cve-2017-5715

https://access.redhat.com/security/cve/cve-2017-5753

https://access.redhat.com/security/cve/cve-2017-5754

Once patches are available, you should be able to use the following to confirm the patch has been applied:

rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'

Windows

Summary from Microsoft about protecting Windows systems

https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown

Microsoft released emergency updates the week of January 1st (20180103)

https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution-s

These links also contain information on how to verify patches have been applied to client and server systems and additional instructions.

On January 9th, Microsoft pulled the patch for Windows systems with AMD processors due to boot failures. https://www.theverge.com/2018/1/9/16867068/microsoft-meltdown-spectre-security-updates-amd-pcs-issues

https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892?ranMID=24542&ranEAID=nOD%2FrLJHOac&ranSiteID=nOD_rLJHOac-Zw3lyXOB.Sl6OvgdYzhiZA&tduid=(6c832fdf1b382d94f31e2f6ad8b89a55)(256380)(2459594)(nOD_rLJHOac-Zw3lyXOB.Sl6OvgdYzhiZA)()

On January 29th, Microsoft issued a second out-of-band update (KB4078130) that “…specifically disables only the mitigation against CVE-2017-5715 – ‘Branch target injection vulnerability.’” without also installing Intel's microcode updates, which, at this time, are still causing boot issues for certain systems.

https://support.microsoft.com/en-us/help/4078130/update-to-disable-mitigation-against-spectre-variant-2

Be aware that these updates might conflict with some anti-virus software.

https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

Additionally, some anti-virus software developers might not make the required Registry changes, which could conflict with Windows Updates in the future: https://twitter.com/GossiTheDog/status/950325474022092800

This document is tracking Windows AV software compatibility:

https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

Article outlining performance impact on various versions of Windows

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/?ranMID=24542&ranEAID=nOD/rLJHOac&ranSiteID=nOD_rLJHOac-apF2Cg8T0LWYN0PfJIPw9Q&tduid=(6c832fdf1b382d94f31e2f6ad8b89a55)(256380)(2459594)(nOD_rLJHOac-apF2Cg8T0LWYN0PfJIPw9Q)()

Hardware Vendor Response

AMD

Microcode (firmware) updates coming to close Spectre holes

http://www.amd.com/en/corporate/speculative-execution

Intel

As of April 2nd, Intel has published Microcode Revision Guidance which provides details of availability of microcode updates. https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf

The January 22nd press release provides an overview of the microcode issues

https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/

This Security Notice has ongoing updates with the latest microcode update news from Intel

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Performance metrics from Intel

Initial metrics

https://newsroom.intel.com/editorials/intel-security-issue-update-initial-performance-data-results-client-systems/

January 17th updates

https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/

Application & Service Vendor Response

US-CERT is maintaining a list of links to responses and updates from all affected vendors https://www.us-cert.gov/ncas/alerts/TA18-004A

Browsers

It is possible for the Spectre vulnerabilities to be triggered via browser attacks. Properly patched versions of the major browsers are:

  • Firefox 57.0.4
  • Google Chrome 64.0.3282.119
  • Safari 11.0.3

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/

https://support.google.com/chrome/answer/7623121?hl=en-GB

https://support.google.com/faqs/answer/7622138

Virtualization Software

Virtualization products, both desktop and server products, will need updates. VMware outlines ESX, Fusion and Workstation patch levels here https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

Further details on VMware's response are detailed here https://kb.vmware.com/s/article/52245

Fusion 8.5.10 Release Notes

https://docs.vmware.com/en/VMware-Fusion/8.0/rn/fusion-8510-release-notes.html

Fusion 10.1.1 Release Notes

https://docs.vmware.com/en/VMware-Fusion/10/rn/fusion-1011-release-notes.html

Intel Sightings in ESXi Bundled Microcode Patches for VMSA-2018-0004 (52345)

[Notes on Intel microcode updates and ESXi hosts]

https://kb.vmware.com/s/article/52345

VMware Performance Impact for CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52337)

Kbase will be updated in the future with performance impact of patches to VMware products

https://kb.vmware.com/s/article/52337

VM Host Services

Amazon Web Services will need to undergo host and guest OS patching and restarts. At this time it is unclear how this will impact S3 and CloudFront services. https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

DigitalOcean has published How To Protect Your Server Against the Meltdown and Spectre Vulnerabilities

https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-meltdown-and-spectre-vulnerabilities

As of January 10, 2018, Linode has started the mitigation plan. VMs will be restarted at least once and likely twice as hosts are updated. If your Linode VM is set to use the latest Linode kernel, you should not need to apply additional kernel updates. As of January 14th, Linode kernel 4.14.12 is the patched kernel.

CPU Vulnerabilities: Meltdown & Spectre

Kbase updates are ongoing as Linode makes changes and updates.

https://blog.linode.com/2018/01/03/cpu-vulnerabilities-meltdown-spectre/

What You Need to Do to Mitigate Meltdown and Spectre (FAQ)

https://www.linode.com/docs/platform/meltdown_statement/