Meltdown and Spectre
Product Vulnerability and Update List


Summary

In our January 4, 2018 bulletin, we reported on two attack methods, Meltdown and Spectre, that can be used to exploit three different vulnerabilities (CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715). These vulnerabilities impact the CPUs of a number of different devices, including computers, phones, and servers. Meltdown and Spectre exploit a CPU optimization technique dubbed “speculative execution”, which allows processors to preemptively perform computations and prepare the results in the event that data is needed at a future time. A successful attack utilizing Meltdown or Spectre could result in a threat actor gaining access to sensitive information stored within personal devices.

Impacted Systems

Nearly all CPUs released since 1995 are impacted, including Intel, AMD, and ARM processors.

Risk

Meltdown and Spectre attacks allow an unauthorized user to gain access to sensitive data contained in the memory of a process, including encryption keys and passwords stored in a web browser or password manager.

Mitigation

The NJCCIC strongly recommends users and administrators of affected products apply the appropriate updates as soon as they are released and regularly refer back to this NJCCIC resource page for an updated listing of vendor patches and mitigation strategies. The following is a list of vendors with published information on patches and advisories related to these attacks:

Vendor List                                        


Users and administrators of systems running Windows OS, please see Microsoft's advisory here regarding update compatibility issues with some antivirus software products.

UPDATE 1/8/2018: Microsoft has paused the rollout of Windows desktop and server operating system (OS) security updates to defend against Meltdown and Spectre for all customer devices containing AMD chipsets. The decision comes after several users reported Blue Screen of Death (BSOD) and other boot errors after applying the update. Microsoft's statement regarding this issue, including a list of paused updates, is available here.

UPDATE 1/10/2018: According to Bleeping Computer, Ubuntu Xenial 16.04 users who updated their OS to receive the Meltdown and Spectre patches have been reporting that the patches are preventing their systems from booting and forcing users to roll back to an earlier Linux kernel image.

UPDATES 1/11/2018:

  • Intel releases Linux CPU microcode data files that can be used to mitigate the Spectre and Meltdown vulnerabilities in Intel CPUs.

  • Intel releases a security issue update regarding the reboot issues some customers are having after applying their patch.

  • The Wall Street Journal reports that Intel is advising some customers to refrain from installing patches.

  • ICS-CERT releases ICS-ALERT-18-011-01 on Meltdown and Spectre.

UPDATE 1/17/2018: ICS-CERT releases updated ICS-ALERT-18-011-01B on Meltdown and Spectre.

UPDATES 1/22/2018:

  • Intel publishes recommendations for customers and partners regarding the issue of systems rebooting after patch deployment.

  • Red Hat reverts Spectre security updates due to boot issues.

UPDATE 1/23/2018: Dell publishes patch guidance for customers and partners regarding the issue of unpredictable system behavior including reboot issues. 

UPDATE 1/28/2018: Microsoft issues emergency out-of-band Windows update that disables patches for the Spectre Variant 2 bug (CVE-2017-5715).

UPDATE 1/30/2018: ICS-CERT releases updated ICS-ALERT-18-011-01C on Meltdown and Spectre.

UPDATE 1/30/2018: Security researchers at AV-TEST detected over 100 new samples of malware related to the Spectre and Meltdown vulnerabilities. According to Fortinet, the majority of these samples are based on published proof-of-concept (PoC) code. At the time of writing, these samples do not appear to be actively infecting users.

UPDATE 2/8/2018: Intel issues a new microcode update for Skylake processors. This new microcode is being distributed to hardware companies to include in upcoming firmware updates and is not currently available to the public. More information is available on the Intel advisory.

UPDATE 2/10/2018: IBM releases firmware patches for POWER7, POWER7+, POWER8, and POWER9 platforms via Fix Central. IBM i operating system patches and AIX patches are also available, as are Linux OS patches via IBM's distribution partners Red Hat, SUSE, and Canonical. More information can be found on the IBM PSIRT Blog.

UPDATES 2/20/2018:

  • ICS-CERT releases updated ICS-ALERT-18-011-01D on Meltdown and Spectre.

  • Intel publishes Microcode Revision Guidance and releases Spectre firmware patches for use in production for Anniedale/Moorefield, Apollo Lake, Avoton/Rangeley, Broxton, Cherry View, Coffee Lake, Cougar Mountain, Denverton, Gemini Lake, Kaby Lake, Knights Landing, Knights Mill, Skylake, SoFIA, Tangier, Valleyview/Bay Trail, and XGold.

UPDATE 2/21/2018: ICS-CERT releases updated ICS-ALERT-18-011-01E on Meltdown and Spectre.

UPDATE 2/28/2018: Intel releases updates for an array of its older processors, including the Broadwell Xeon E3, Broadwell U/Y, Haswell H, S and Haswell Xeon E3 platforms, according to Threatpost.

UPDATE 3/1/2018: ICS-CERT releases updated ICS-ALERT-18-011-01F on Meltdown and Spectre.

UPDATE 3/1/2018: Microsoft Partners with Intel to Deliver CPU Microcode Fixes via Windows Updates (Bleeping Computer)

UPDATE 4/26/2018: ICS-CERT releases updated ICS-ALERT-18-011-01G on Meltdown and Spectre. 

UPDATE 7/10/2018: ICS-CERT releases updated ICS-ALERT-18-011-01H on Meltdown and Spectre.

UPDATE 7/11/2018: Researchers discovered two additional vulnerabilities, Spectre 1.1 and Spectre 1.2, that affect Intel, ARM, and possibly AMD CPUs. (Bleeping Computer)

For additional information on how you can protect your devices against Meltdown and Spectre attacks, refer to Bleeping Computer’s articles, here and here.

UPDATE 7/23/2018: Academics from the University of California released details of a new Spectre-class attack dubbed SpectreRSB. This attack recovers data from the speculative execution process by attacking the Return Stack Buffer (RSB), a CPU component involved in the speculative execution routine. More information is available on Bleeping Computer.

UPDATE 7/27/2018: Scientists have discovered a new Spectre-class CPU attack dubbed NetSpectre. This new attack can be carried out via a network connection, where an attacker can bombard a computer's network ports and exfiltrate data stored in the CPU’s cache. More information on NetSpectre is available on Bleeping Computer.

UPDATE 8/14/2018: Academics and private sector researchers have discovered three new Spectre-class CPU attacks dubbed Foreshadow. These attacks target data processed during speculative execution that is stored inside a processor's cache. More information on Foreshadow is available here.

UPDATE 9/11/2018: ICS-CERT releases updated ICS-ALERT-18-011-01I on Meltdown and Spectre.