Original release date: January 04, 2018 | Last revised: January 10, 2018
Systems Affected
CPU hardware implementations
Overview
On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as Meltdown and Spectre— that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.
Description
CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. These attacks are described in detail by CERT/CC’s Vulnerability Note VU#584653, the United Kingdom National Cyber Security Centre’s guidance on Meltdown and Spectre, Google Project Zero, and the Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz). The Linux kernel mitigations for this vulnerability are referred to as KAISER, and subsequently KPTI, which aim to improve separation of kernel and user memory pages.
Impact
Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.
Solution
NCCIC encourages users and administrators to refer to their hardware and software vendors for the most recent information. In the case of Spectre, the vulnerability exists in CPU architecture rather than in software, and is not easily patched; however, this vulnerability is more difficult to exploit.
MICROSOFT
Microsoft has temporarily halted updates for AMD machines. More information can be found here: https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices
For machines running Windows Server, a number of registry changes must be completed in addition to installation of the patches. A list of registry changes can be found here: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
ANTIVIRUS
Microsoft has recommended that third-party antivirus vendors add a change to the registry key of the machine that runs the antivirus software. Without it, that machine will not receive any of the following fixes from Microsoft:
- Windows Update
- Windows Server Update Services
- System Center Configuration Manager
More information can be found here: https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software.
MITIGATION
The table provided below lists available advisories and patches. As patches and firmware updates continue to be released, it is important to check with your hardware and software vendors to verify that their corresponding patches can be applied, as some updates may result in unintended consequences.
NCCIC recommends using a test environment to verify each patch before implementing.
After patching, performance impacts may vary, depending on use cases. Administrators should ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect, if possible.
Additionally, users and administrators who rely on cloud infrastructure should work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.
The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.
| Link to Vendor Information | Date Added |
|---|---|
| Amazon | January 4, 2018 |
| AMD | January 4, 2018 |
| Android | January 4, 2018 |
| Apple | January 4, 2018 |
| ARM | January 4, 2018 |
| CentOS | January 4, 2018 |
| Chromium | January 4, 2018 |
| Cisco | January 10, 2018 |
| Citrix | January 4, 2018 |
| Debian | January 5, 2018 |
| DragonflyBSD | January 8, 2018 |
| F5 | January 4, 2018 |
| Fedora Project | January 5, 2018 |
| Fortinet | January 5, 2018 |
| January 4, 2018 | |
| Huawei | January 4, 2018 |
| IBM | January 5, 2018 |
| Intel | January 4, 2018 |
| Juniper | January 8, 2018 |
| Lenovo | January 4, 2018 |
| Linux | January 4, 2018 |
| LLVM: variant #2 | January 8, 2018 |
| LLVM: builtin_load_no_speculate | January 8, 2018 |
| LLVM: llvm.nospeculatedload | January 8, 2018 |
| Microsoft Azure | January 4, 2018 |
| Microsoft | January 4, 2018 |
| Mozilla | January 4, 2018 |
| NetApp | January 8, 2018 |
| Nutanix | January 10, 2018 |
| NVIDIA | January 4, 2018 |
| OpenSuSE | January 4, 2018 |
| Qubes | January 8, 2018 |
| Red Hat | January 4, 2018 |
| SuSE | January 4, 2018 |
| Synology | January 8, 2018 |
| Trend Micro | January 4, 2018 |
| VMware | January 4, 2018 |
| Xen | January 4, 2018 |
References
- Graz University of Technology Meltdown website
- Graz University of Technology Spectre website
- CERT/CC’s Vulnerability Note VU#584653
- United Kingdom National Cyber Security Centre’s guidance on Meltdown and Spectre
- Google Project Zero blog
Revision History
- January 4, 2018: Initial version
- January 5, 2018: Updated vendor information links for Citrix, Mozilla, and IBM in the table and added links to Debian, Fedora Project, and Fortinet.
- January 8, 2018: Added links to DragonflyBSD, Juniper, LLVM, NetApp, Qubes, and Synology.
- January 9, 2018: Updated Solution Section
- January 10, 2018: Added links to Cisco and Nutanix.
This product is provided subject to this Notification and this Privacy & Use policy.
