US-CERT- TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance

Started by Netwörkheäd, January 06, 2018, 12:01:18 AM

Previous topic - Next topic

Netwörkheäd

TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance

Original release date: January 04, 2018 | Last revised: January 05, 2018

Systems Affected


CPU hardware implementations


Overview


On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as Meltdown and Spectre— that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.


Description


CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. These attacks are described in detail by CERT/CC's Vulnerability Note VU#584653, the United Kingdom National Cyber Security Centre's guidance on Meltdown and Spectre, Google Project Zero, and the Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz). The Linux kernel mitigations for this vulnerability are referred to as KAISER, and subsequently KPTI, which aim to improve separation of kernel and user memory pages.


Impact


Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.


Solution


NCCIC encourages users and administrators to refer to their OS vendors for the most recent information. However, the table provided below lists available advisories and patches. Due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.

After patching, performance may be diminished by up to 30 percent. Administrators should ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect if possible.

Additionally, impacts to availability in some cloud service providers (CSPs) have been reported as a result of patches to host OSes. Users and administrators who rely on cloud infrastructure should work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.

The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.

Link to Vendor InformationDate Added
AmazonJanuary 4, 2018
AMDJanuary 4, 2018
AndroidJanuary 4, 2018
AppleJanuary 4, 2018
ARMJanuary 4, 2018
CentOSJanuary 4, 2018
ChromiumJanuary 4, 2018
CitrixJanuary 4, 2018
DebianJanuary 5, 2018
F5January 4, 2018
Fedora ProjectJanuary 5, 2018
FortinentJanuary 5, 2018
GoogleJanuary 4, 2018
HuaweiJanuary 4, 2018
IBMJanuary 5, 2018
IntelJanuary 4, 2018
LenovoJanuary 4, 2018
LinuxJanuary 4, 2018
Microsoft AzureJanuary 4, 2018
MicrosoftJanuary 4, 2018
MozillaJanuary 4, 2018
NVIDIAJanuary 4, 2018
OpenSuSEJanuary 4, 2018
Red HatJanuary 4, 2018
SuSEJanuary 4, 2018
Trend MicroJanuary 4, 2018
VMwareJanuary 4, 2018
XenJanuary 4, 2018

 


References




Revision History



  • January 4, 2018: Initial version

  • January 5, 2018: Updated vendor information links for Citrix, Mozilla, and IBM in the table and added links to Debian, Fedora Project, and Fortinet.




This product is provided subject to this Notification and this Privacy & Use policy.



Source: TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance
Let's not argue. Let's network!

deanwebb

If the OS itself is properly set up, access to the kernel is not possible through the OS and would require physical access to exploit this vulnerability.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.