Spectre & Meltdown Vulnerabilities Summary

Last Updated January 18, 2018 at 07:06 CST

Updates to Intel and Ubuntu sections

Initial details of these vulnerabilities were released the first week of the new year before a planned announcement on January 9, 2018. As the scheduled release was preempted and the extent of the vulnerabilities covers such a wide range of technologies, companies are issuing new updates almost daily in response. This summary will change over time as new information becomes available.

What are they?

Spectre and Meltdown are the user-friendly names given to two different vulnerabilities covered by three different CVEs (Spectre: CVE-2017-5715 & CVE-2017-5753, Meltdown: CVE-2017-5754). Spectre takes advantage of speculative execution technology in processors from Intel, AMD and ARM to gain access to system resources, and the vulnerability allows processes to escape sandboxing. Meltdown is a breakdown of memory isolation that is likely only found in Intel chips (further testing might find AMD and ARM processors with the same fault, but it doesn’t seem likely at this time). It allows attackers to access items in system memory, which could allow for privilege escalation or malicious links between hypervisor environments. Spectre is of special concern because exploits can be triggered remotely through JavaScript running in browsers.

https://meltdownattack.com

https://spectreattack.com

The impact is widespread because the vulnerabilities take advantage of how processors have been designed for the past 20 years. OS and application vendors are issuing or will issue patches, and it's likely that firmware updates will be needed. Desktops, servers, cloud services, mobile devices, routers, firewalls — all could have a compromised processor and will need remediation of some sort. It is also possible that these patches might result in performance slowdowns for some systems.

This article provides a deep dive into how these vulnerabilities work:

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

SANS had a webinar on January 4th covering both Spectre and Meltdown.

https://www.sans.org/webcasts/meltdown-spectre-understanding-mitigating-threats-106815

SANS Slides PDF Link: https://www.sans.org/webcasts/downloads/106815/slides

Illustrated article explaining how Meltdown and Spectre work

http://mailchi.mp/stratechery/meltdown-spectre-and-the-state-of-technology?e=a3c8ee045b

A Linux Kernel maintainer discusses the status of kernel changes

http://kroah.com/log/blog/2018/01/06/meltdown-status/

Explanation of how Spectre works relative to browsers/Webkit

https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/

OS Response

macOS & iOS

Apple has issued one parent response, "About speculative execution vulnerabilities in ARM-based and Intel CPUs" (https://support.apple.com/en-us/HT208394) (last updated January 8th), that is supplemented by additional knowledge base articles. At this time Apple has only addressed Meltdown (CVE-2017-5754) in macOS 10.13.2, iOS 11.2 and tvOS 11.2. Previous versions of macOS and iOS have not been updated to guard against the Meltdown vulnerability. Apple does state, “We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, and tvOS,” so macOS 10.11 and 10.12 could potentially be updated in the near future. Please note that for a brief time "About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan" (https://support.apple.com/en-us/HT208331) erroneously reported that Meltdown patches were included with these security updates released in December 2017. Apple pulled that information on Friday, January 5th.

On Monday, January 8th, Apple issued iOS 11.2.2, Safari 11.0.2 for 10.11 and 10.12 and macOS High Sierra 10.13.2 Supplemental Update to address the Spectre vulnerabilities (CVE-2017-5715 & CVE-2017-5753).

https://support.apple.com/en-us/HT208401

https://support.apple.com/en-us/HT208403

https://support.apple.com/en-us/HT208397

Safari 11.0.2 was originally released in December 2017. The January 8th update maintains the same version number (11.0.2) but increments the build number. The build number for 10.11.6 is 11604.4.7.1.6, and the build number for 10.12.6 is 12604.4.7.1.6. The supplemental update requires 10.13.2 and is not applicable to 10.13.0 or 10.13.1. The supplemental update changes the OS build number to 17C205 and Safari's build number to either 13604.4.7.1.6 or 13604.4.7.10.6.

Be advised that most Macs in circulation will likely not see a performance impact from potential fixes. Macs with processors that include process-context identifiers (PCID) should handle the fix better than those that don't. This is a working list of which Macs have processors that have PCID: https://docs.google.com/spreadsheets/d/1E_FDTmRKb6cXsCzIlYoApqbEiaHeBksFf41wWpZUY-8/edit#gid=0

You can also query a Mac to confirm PCID status with this command: sysctl machdep.cpu.features | grep -o PCID

Measuring OS X Meltdown Patches Performance in 10.13.2

https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/

watchOS is not affected by either Meltdown or Spectre.

Chrome OS/Chromebooks

Meltdown/Spectre vulnerability status for Chrome OS devices

https://www.chromium.org/a/chromium.org/dev/chrome-os-devices-and-kernel-versions

Check this list to see which hardware series have been updated for Meltdown. Chrome OS is not susceptible to one of the Spectre variants and should not be vulnerable to the other Spectre variant, though the OS might introduce additional safeguards in Chrome OS v65.

Ubuntu

Meltdown and Spectre Status Update

https://insights.ubuntu.com/2018/01/12/meltdown-and-spectre-status-update

Updated kernels:

  • 12.04 ESM Precise (kernel v3.2)
  • 14.04 LTS Trusty (kernel v3.13)
  • 16.04 LTS Xenial (kernel v4.4)
  • 17.10 Artful (kernel v4.13)

Some 16.04 systems had boot issues with the initial kernel update (4.4.0-108). Kernel 4.4.0-109 should resolve these issues.

Security Notice for Meltdown

https://usn.ubuntu.com/usn/usn-3522-3/

https://usn.ubuntu.com/usn/usn-3522-4/

Security Notice for Spectre

https://usn.ubuntu.com/usn/usn-3531-1/

Once patches are available, you should be able to use the following to confirm the patch has been applied:

debsecan | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'

Red Hat

Red Hat plans to release updates to its OSes soon.

https://access.redhat.com/security/cve/cve-2017-5715

https://access.redhat.com/security/cve/cve-2017-5753

https://access.redhat.com/security/cve/cve-2017-5754

Once patches are available, you should be able to use the following to confirm the patch has been applied:

rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
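
Added example, not part of the original page: the debsecan and rpm checks in the Ubuntu and Red Hat sections match if any one of the three CVEs appears, and they read in opposite directions (the RPM changelog lists fixes, while debsecan lists vulnerabilities still affecting the host). The sketch below reports each CVE separately; the function name cve_status and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): per-CVE status from either check.
CVES="CVE-2017-5715 CVE-2017-5753 CVE-2017-5754"

# cve_status MODE   (reads the tool's output on stdin)
#   changelog : input lists fixes (rpm -q --changelog kernel); a hit = patched
#   debsecan  : input lists open vulnerabilities (debsecan);   a hit = unpatched
# Prints "<CVE> patched|unpatched" for each CVE.
# Returns 0 only if all three are patched, 1 otherwise, 2 on an unknown mode.
cve_status() {
    mode=$1
    input=$(cat)
    rc=0
    for cve in $CVES; do
        # -w stops CVE-2017-5715 from matching a longer ID such as CVE-2017-57150
        if printf '%s\n' "$input" | grep -qw -- "$cve"; then hit=1; else hit=0; fi
        case "$mode:$hit" in
            changelog:1|debsecan:0) echo "$cve patched" ;;
            changelog:0|debsecan:1) echo "$cve unpatched"; rc=1 ;;
            *) echo "unknown mode: $mode" >&2; return 2 ;;
        esac
    done
    return $rc
}

# Constructed sample inputs, not real tool output.
SAMPLE_CHANGELOG='- [x86] example: page table isolation {CVE-2017-5754}
- [x86] example: array index speculation barrier {CVE-2017-5753}'
SAMPLE_DEBSECAN='CVE-2017-5715 example-kernel-package
CVE-0000-0000 example-other-package'

# Demo on the samples. On a real host, pipe the page's commands in instead:
#   rpm -q --changelog kernel | cve_status changelog
#   debsecan | cve_status debsecan
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_status changelog || echo "changelog: fix missing"
printf '%s\n' "$SAMPLE_DEBSECAN" | cve_status debsecan || echo "debsecan: still open"
```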

Windows

Summary from Microsoft about protecting Windows systems

https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown

Microsoft released emergency updates the week of January 1st (20180103)

https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution-s

These links also contain information on how to verify patches have been applied to client and server systems and additional instructions.

On January 9th, Microsoft pulled the patch for Windows systems with AMD processors due to boot failures. https://www.theverge.com/2018/1/9/16867068/microsoft-meltdown-spectre-security-updates-amd-pcs-issues

https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892?ranMID=24542&ranEAID=nOD%2FrLJHOac&ranSiteID=nOD_rLJHOac-Zw3lyXOB.Sl6OvgdYzhiZA&tduid=(6c832fdf1b382d94f31e2f6ad8b89a55)(256380)(2459594)(nOD_rLJHOac-Zw3lyXOB.Sl6OvgdYzhiZA)()

Be aware these updates might conflict with some anti-virus software.

https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

Additionally, some anti-virus software developers might not make the required Registry changes, which could conflict with Windows Updates in the future: https://twitter.com/GossiTheDog/status/950325474022092800

This document is tracking Windows AV software compatibility:

https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

Article outlining performance impact on various versions of Windows

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/?ranMID=24542&ranEAID=nOD/rLJHOac&ranSiteID=nOD_rLJHOac-apF2Cg8T0LWYN0PfJIPw9Q&tduid=(6c832fdf1b382d94f31e2f6ad8b89a55)(256380)(2459594)(nOD_rLJHOac-apF2Cg8T0LWYN0PfJIPw9Q)()

Hardware Vendor Response

AMD

Microcode (firmware) updates coming to close Spectre holes

http://www.amd.com/en/corporate/speculative-execution

Intel

As of January 12th, Intel is aware that initial microcode/firmware updates released the week of January 4th might cause unexpected restarts in machines with older Intel processors. Revisions to those updates are forthcoming.

Intel's Security Notice with ongoing updates

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Performance metrics from Intel

Initial metrics

https://newsroom.intel.com/editorials/intel-security-issue-update-initial-performance-data-results-client-systems/

January 17th updates

https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/

Application & Service Vendor Response

US-CERT is maintaining a list of links to responses and updates from all affected vendors https://www.us-cert.gov/ncas/alerts/TA18-004A

Browsers

It is possible for the Spectre vulnerabilities to be triggered via browser attacks. Firefox 57.0.4 is the patched version of Firefox. Chrome 64, which should include a patch, is due January 23rd. The issue can be mitigated in Chrome 63 by configuring the site isolation setting. Per Apple, updates to Safari are forthcoming.

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/

https://support.google.com/chrome/answer/7623121?hl=en-GB

https://support.google.com/faqs/answer/7622138

https://www.theverge.com/2018/1/4/16848976/how-to-protect-windows-pc-meltdown-security-flaw

Virtualization Software

Virtualization products, both desktop and server, will need updates. VMware outlines ESX, Fusion and Workstation patch levels here: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

Further details on VMware's response are available here: https://kb.vmware.com/s/article/52245

Fusion 8.5.10 Release Notes

https://docs.vmware.com/en/VMware-Fusion/8.0/rn/fusion-8510-release-notes.html

Fusion 10.1.1 Release Notes

https://docs.vmware.com/en/VMware-Fusion/10/rn/fusion-1011-release-notes.html

VMware Performance Impact for CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52337)

This Kbase article will be updated in the future with the performance impact of patches to VMware products.

https://kb.vmware.com/s/article/52337

VM Host Services

Amazon Web Services will need to undergo host and guest OS patching and restarts. At this time it is unclear how this will impact S3 and CloudFront services. https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

Digital Ocean has published How To Protect Your Server Against the Meltdown and Spectre Vulnerabilities

https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-meltdown-and-spectre-vulnerabilities

As of January 10, 2018, Linode has started the mitigation plan. VMs will be restarted at least once and likely twice as hosts are updated. If your Linode VM is set to use the latest Linode kernel, you should not need to apply additional kernel updates. As of January 14th, Linode kernel 4.14.12 is the patched kernel.

CPU Vulnerabilities: Meltdown & Spectre

Kbase updates are ongoing as Linode makes changes and updates.

https://blog.linode.com/2018/01/03/cpu-vulnerabilities-meltdown-spectre/

What You Need to Do to Mitigate Meltdown and Spectre (FAQ)

https://www.linode.com/docs/platform/meltdown_statement/