Since the announcement of the Meltdown and Spectre CPU vulnerabilities, we have been ensuring that all servers are patched with the latest updates released by suppliers. Below are details and links to technical papers, which outline the affected systems and the fixes that have been put in place so far.
Meltdown
- Can be exploited to: Read the contents of private kernel memory from an unprivileged user process.
- Processors affected: All out-of-order Intel processors released since 1995, with the exception of Itanium and pre-2013 Atoms. A list of vulnerable ARM processors and mitigations is available here. No AMD processors are affected by Meltdown.
- Fixes: Workaround patches have been released for Windows and Linux (in the latter case with KAISER/KPTI, which results in a "non-negligible" hit to performance). Apple's macOS has been patched since version 10.13.2, and iOS since version 11.2. According to Intel, Meltdown can be mitigated by OS updates with no additional firmware updates necessary.
Note: Windows Server admins must enable the kernel-user space splitting feature once the update is installed. Amazon has issued updates to its AWS Linux guest kernels, and Microsoft is rolling out fixes to Azure as well. A good list of vendor advisories and updates is available here.
For more details on Meltdown, see the technical whitepaper.
Spectre (CVE-2017-5753, CVE-2017-5715)
- Can be exploited to: Extract information from other running processes (e.g., stealing login cookies from browsers).
- Processors affected: Intel, ARM, and AMD processors are all reportedly affected to some degree. See this post for more specifics.
Apple has issued Spectre mitigations in iOS 11.2.2, and the macOS High Sierra 10.13.2 supplemental update.
Processor makers themselves have said they will be issuing microcode updates to address Spectre. Intel has released new Linux Processor microcode data files that can be used to add mitigations without having to perform a BIOS update, though some issues have been reported with Broadwell and Haswell CPUs. A microcode update from AMD addressing CVE-2017-5715 is also available now, and the company says it will be introducing additional fixes starting with Ryzen and EPYC processors.
It's also worth noting that Google has announced a new technique for mitigating Spectre, which it is calling Retpoline.
For more details on Spectre, see the technical whitepaper.
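One way to confirm on a Linux server that the kernel and microcode fixes described above are active, as an added example (not from the original post or the Barkly blog): the kernel reports per-issue status under /sys/devices/system/cpu/vulnerabilities, where spectre_v1 and spectre_v2 correspond to CVE-2017-5753 and CVE-2017-5715. The function names are hypothetical, and a kernel that includes this sysfs reporting interface is assumed.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation state from Linux sysfs.
# Assumption: the kernel exposes the directory below (4.15 or a backport).
# Function names are hypothetical, chosen for this example.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_TEXT -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;          # CPU is not susceptible
        "Mitigation:"*)  echo OK ;;          # e.g. "Mitigation: PTI"
        "Vulnerable"*)   echo VULNERABLE ;;  # patch or microcode missing
        *)               echo UNKNOWN ;;     # empty or unexpected text
    esac
}

# check_entry NAME [DIR] -> prints "NAME: VERDICT (raw kernel text)"
check_entry() {
    file="${2:-$VULN_DIR}/$1"
    if [ -r "$file" ]; then
        raw=$(head -n 1 "$file")
    else
        # An old, unpatched kernel has no entry at all: treat as UNKNOWN.
        raw="no sysfs entry"
    fi
    printf '%s: %s (%s)\n' "$1" "$(classify_status "$raw")" "$raw"
}

# check_all [DIR] -> one line per issue; returns 1 unless every verdict is OK
check_all() {
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        line=$(check_entry "$name" "${1:-$VULN_DIR}")
        echo "$line"
        case "$line" in
            "$name: OK "*) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}
```

Source the file and call `check_all` on each server; a non-zero return means at least one issue is reported as vulnerable or the kernel does not report its status.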
If you have any questions about these issues, please contact a member of the team.
*Information is taken from the Barkly blog which you can read in full here.
Saturday, January 20, 2018