US-CERT- TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance

Started by Netwörkheäd, January 18, 2018, 06:19:33 PM

Previous topic - Next topic

Netwörkheäd

TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance

Original release date: January 04, 2018 | Last revised: January 18, 2018

Systems Affected


CPU hardware implementations


Overview


On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as Meltdown and Spectre— that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.


Description


CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware. Meltdown affects desktops, laptops, and cloud computers.  Spectre is a flaw that an attacker can exploit to force a program to reveal its data. The name derives from speculative execution—an optimization method a computer system performs to check whether it will work to prevent a delay when actually executed. Spectre affects almost all devices including desktops, laptops, cloud servers, and smartphones. Many of these security issues are remediated through the Kernel Address Isolation to have Side-channels Efficiently Removed (KAISER) patch described in detail in an academic paper named "KASLR is Dead: Long Live KASLR." While this paper identifies a fix for Linux operating systems, the exploit concepts in the article can apply to other operating systems.

More details of these attacks are described in detail by

  • CERT/CC's Vulnerability Note VU#584653,
  •  the United Kingdom National Cyber Security Centre's guidance on Meltdown and Spectre,
  • Google Project Zero, and
  • the Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz).

Impact


An attacker can gain access to the system by establishing command and control presence on a machine via malicious Javascript, malvertising, or phishing. Once successful, the attacker's next attempt will be to escalate privileges to run code on the machine. Running code will allow the attacker to exploit the Meltdown and Spectre vulnerabilities. Sensitive information could be revealed from a computer's kernel memory, which could contain keystrokes, passwords, encryption keys, and other valuable information.


Solution


NCCIC encourages users and administrators to refer to their hardware and software vendors for the most recent information. In the case of Spectre, the vulnerability exists in CPU architecture rather than in software, and is not easily patched; however, this vulnerability is more difficult to exploit. 

MICROSOFT

Microsoft has temporarily halted updates for AMD machines. More information can be found here: https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices

For machines running Windows Server, a number of registry changes must be completed in addition to installation of the patches.  A list of registry changes can be found here: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

ANTIVIRUS

Microsoft has recommended that third-party antivirus vendors add a change to the registry key of the machine that runs the antivirus software. Without it, that machine will not receive any of the following fixes from Microsoft:

  • Windows Update
  • Windows Server Update Services
  • System Center Configuration Manager 

More information can be found here: https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software.

MITIGATION

Mitre has published Common Vulnerability and Exposure (CVE) notes for Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715).

The table provided below lists available advisories and patches. As patches and firmware updates continue to be released, it is important to check with your hardware and software vendors to verify that their corresponding patches can be applied, as some updates may result in unintended consequences. Note: Download any patches or microcode directly from your vendor's website.

NCCIC recommends using a test environment to verify each patch before implementing.

After patching, performance impacts may vary, depending on use cases. Administrators should ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect, if possible.

Additionally, users and administrators who rely on cloud infrastructure should work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.

The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.

Link to Vendor InformationDate Added
AmazonJanuary 4, 2018
AMDJanuary 4, 2018
AndroidJanuary 4, 2018
AppleJanuary 4, 2018
ARMJanuary 4, 2018
CentOSJanuary 4, 2018
ChromiumJanuary 4, 2018
CiscoJanuary 10, 2018
CitrixJanuary 4, 2018
DebianJanuary 5, 2018
DragonflyBSDJanuary 8, 2018
F5January 4, 2018
Fedora ProjectJanuary 5, 2018
FortinetJanuary 5, 2018
GoogleJanuary 4, 2018
HuaweiJanuary 4, 2018
IBMJanuary 5, 2018
IntelJanuary 4, 2018
JuniperJanuary 8, 2018
LenovoJanuary 4, 2018
LinuxJanuary 4, 2018
LLVM: variant #2January 8, 2018
LLVM: builtin_load_no_speculateJanuary 8, 2018
LLVM: llvm.nospeculatedloadJanuary 8, 2018
Microsoft AzureJanuary 4, 2018
MicrosoftJanuary 4, 2018
MozillaJanuary 4, 2018
NetAppJanuary 8, 2018
NutanixJanuary 10, 2018
NVIDIAJanuary 4, 2018
OpenSuSEJanuary 4, 2018
OracleJanuary 17, 2018
QubesJanuary 8, 2018
Red HatJanuary 4, 2018
SuSEJanuary 4, 2018
SynologyJanuary 8, 2018
Trend MicroJanuary 4, 2018
UbuntuJanuary 17, 2018
VMwareJanuary 4, 2018
XenJanuary 4, 2018

 


References




Revision History



  • January 4, 2018: Initial version

  • January 5, 2018: Updated vendor information links for Citrix, Mozilla, and IBM in the table and added links to Debian, Fedora Project, and Fortinet.

  • January 8, 2018: Added links to DragonflyBSD, Juniper, LLVM, NetApp, Qubes, and Synology.

  • January 9, 2018: Updated Solution Section

  • January 10, 2018: Added links to Cisco and Nutanix.

  • January 17, 2018: Added note to Mitigation section and links to Oracle and Ubuntu.

  • January 18, 2018: Updated Description, Impact, and Solution Sections, and added an additional link




This product is provided subject to this Notification and this Privacy & Use policy.



Source: TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance
Let's not argue. Let's network!

deanwebb

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.