Meltdown and Spectre Product Vulnerability and Update List


Summary

In our January 4, 2018 bulletin we reported on two attack methods, Meltdown and Spectre, that can be used to exploit three different vulnerabilities (CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715). These vulnerabilities impact CPUs of a number of different devices including computers, phones, and servers. Meltdown and Spectre exploit a CPU optimization technique dubbed “speculative execution”, which allows the processors to preemptively perform computations and prepare the results in the event that data is needed at a future time. A successful attack utilizing Meltdown or Spectre could result in a threat actor gaining access to sensitive information stored within personal devices.

Impacted Systems

Nearly all CPUs released since 1995 are impacted, including Intel, AMD, and ARM processors.

Risk

Meltdown and Spectre attacks allow an unauthorized user to gain access to sensitive data contained in the memory of a process, including encryption keys and passwords stored in a web browser or password manager.

Mitigation

The NJCCIC strongly recommends users and administrators of affected products apply the appropriate updates as soon as they are released and regularly refer back to this NJCCIC resource page for an updated listing of vendor patches and mitigation strategies. The following is a list of vendors with published information on patches and advisories related to these attacks:

Vendor List


Users and administrators of systems running Windows OS, please see Microsoft's advisory here regarding update compatibility issues with some antivirus software products.

UPDATE 1/8/2018: Microsoft has paused the rollout of Windows desktop and server operating system (OS) security updates to defend against Meltdown and Spectre for all customer devices containing AMD chipsets. The decision comes after several users reported Blue Screen of Death (BSOD) and other boot errors after applying the update. Microsoft's statement regarding this issue, including a list of paused updates, is available here.

UPDATE 1/10/2018: According to Bleeping Computer, Ubuntu Xenial 16.04 users who updated their OS to receive the Meltdown and Spectre patches have been reporting that the patches are preventing their systems from booting and forcing users to roll back to an earlier Linux kernel image.

UPDATES 1/11/2018:

  • Intel releases Linux CPU microcode data files that can be used to mitigate the Spectre and Meltdown vulnerabilities in Intel CPUs.
  • Intel releases a security issue update regarding the reboot issues some customers are having after applying their patch.
  • The Wall Street Journal reports that Intel is advising some customers to refrain from installing patches.
  • ICS-CERT releases ICS-ALERT-18-011-01 on Meltdown and Spectre.

For additional information on how you can protect your devices against Meltdown and Spectre attacks, refer to Bleeping Computer’s article, here.