Alert

Meltdown and Spectre Side-Channel Vulnerability Guidance

Last Revised
Alert Code
TA18-004A

Systems Affected

CPU hardware implementations

Overview

On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as Meltdown and Spectre—that affect modern computer processors. These vulnerabilities can be exploited to steal sensitive data present in a computer systems' memory.

CPU hardware implementations are vulnerable to side-channel attacks, referred to as Meltdown and Spectre. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw an attacker can exploit to force a program to reveal its data. The name derives from "speculative execution"—an optimization method a computer system performs to check whether it will work to prevent a delay when actually executed. Spectre affects almost all devices including desktops, laptops, cloud servers, and smartphones.

More details of these attacks can be found here:

Impact

An attacker can gain access to the system by establishing command and control presence on a machine via malicious Javascript, malvertising, or phishing. Once successful, the attacker could escalate privileges to exploit Meltdown and Spectre vulnerabilities, revealing sensitive information from a computer’s kernel memory, including keystrokes, passwords, encryption keys, and other valuable information.

Solution

Mitigation

NCCIC encourages users and administrators to refer to their hardware and software vendors for the most recent information. In the case of Spectre, the vulnerability exists in CPU architecture rather than in software, and is not easily patched; however, this vulnerability is more difficult to exploit. 

After patching, performance impacts may vary, depending on use cases. NCCIC recommends administrators ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect, if possible.

Additionally, NCCIC recommends users and administrators who rely on cloud infrastructure work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.

For machines running Windows Server, a number of registry changes must be completed in addition to installation of the patches.  NCCIC recommends verifying your Windows Server version before downloading applicable patches and performing registry edits.  A list of registry changes can be found at https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution.

Microsoft has released guidance and an update that helps to mitigate against CVE-2017-5715 – the branch target injection vulnerability commonly known as Spectre Variant 2.  As always, NCCIC recommends testing patches before implemenation. More information can be found at https://support.microsoft.com/en-sg/help/4078407/update-to-enable-mitigation-against-spectre-variant-2.

Antivirus

Typical antivirus programs are built on a signature management system, and may not be able to detect the vulnerabilities. NCCIC recommends checking with your antivirus vendor to confirm compatibility with Meltdown and Spectre patches. Microsoft recommends third-party antivirus vendors add a change to the registry key of the machine running the antivirus software. Without it, that machine will not receive any of the following fixes from Microsoft:

  • Windows Update
  • Windows Server Update Services
  • System Center Configuration Manager 

More information can be found at https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software.

"Total Meltdown"

Users running Windows 7 64-bit or Windows Server 2008 R2 64-bit operating systems on Intel processors who have installed Microsoft’s fix for Meltdown and Spectre in January or February of 2018 should install the latest patch immediately. According to researcher Ulf Frisk, the previous Microsoft patches for Meltdown and Spectre contain a vulnerability that could allow users and apps to read and write kernel memory, thereby gaining full control over a system.

Another researcher has posted code that takes advantage of this vulnerability, allowing a normal user to initiate an administrator-level command line session within the affected system.

Microsoft recommends users install the latest updates to mitigate this vulnerability.

The following resources provide additional information:

Windows Kernel Elevation of Privilege: CVE-2018-1038 (Total Meltdown)

Ulf Frisk’s research

Microsoft’s April 2018 Monthly Rollup

CERT/CC’s Vulnerability Note VU#277400

Vendor Links

The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.

Note: NCCIC strongly recommends:

  • downloading any patches or microcode directly from your vendor's website
  • using a test environment to verify each patch before implementing
Link to Vendor Information Date Added
Amazon January 4, 2018
AMD January 4, 2018
Android January 4, 2018
Apple January 4, 2018
ARM January 4, 2018
CentOS January 4, 2018
Chromium January 4, 2018
Cisco January 10, 2018
Citrix January 4, 2018
Debian January 5, 2018
DragonflyBSD January 8, 2018
F5 January 4, 2018
Fedora Project January 5, 2018
Fortinet January 5, 2018
HP January 19, 2018
Google January 4, 2018
Huawei January 4, 2018
IBM January 5, 2018
Intel January 4, 2018
Juniper January 8, 2018
Lenovo January 4, 2018
Linux January 4, 2018
LLVM: variant #2 January 8, 2018
LLVM: builtin_load_no_speculate January 8, 2018
LLVM: llvm.nospeculatedload January 8, 2018
Microsoft Azure January 4, 2018
Microsoft January 4, 2018
Mozilla January 4, 2018
NetApp January 8, 2018
Nutanix January 10, 2018
NVIDIA January 4, 2018
OpenSuSE January 4, 2018
Oracle January 17, 2018
Qubes January 8, 2018
Red Hat January 4, 2018
SuSE January 4, 2018
Synology January 8, 2018
Trend Micro January 4, 2018
Ubuntu January 17, 2018
VMware January 10, 2018
Xen January 4, 2018

 

References

Revisions

January 4, 2018: Initial version|January 5, 2018: Updated vendor information links for Citrix, Mozilla, and IBM in the table and added links to Debian, Fedora Project, and Fortinet|January 8, 2018: Added links to DragonflyBSD, Juniper, LLVM, NetApp, Qubes, and Synology|January 9, 2018: Updated Solution Section|January 10, 2018: Added links to Cisco and Nutanix|January 17, 2018: Added note to Mitigation section and links to Oracle and Ubuntu|January 18, 2018: Updated Description, Impact, and Solution Sections, and added an additional link|January 19, 2018: Added link to HP|January 31, 2018: Provided additional links and updated Description and Mitigation sections|April 27, 2018: Added information and links regarding "Total Meltdown"|May 1, 2018: Added information and link regarding Spectre Variant 2

This product is provided subject to this Notification and this Privacy & Use policy.