CPU Meltdown and Spectre Updates

  • Saturday, 20th January, 2018
  • 13:04pm

Since the announcement of the CPU Meltdown and Spectre vulnerabilities, we have been ensuring all servers are patched with the latest updates released by suppliers. Below are details and links to technical papers that outline the affected systems and the fixes that have been put in place so far.

Meltdown (CVE-2017-5754)

  • Can be exploited to: Read the contents of private kernel memory from an unprivileged user process.

  • Processors affected: All out-of-order Intel processors released since 1995 with the exception of Itanium and pre-2013 Atoms. A list of vulnerable ARM processors and mitigations is available here. No AMD processors are affected by Meltdown.

  • Fixes: Workaround patches have been released for Windows and Linux (in the latter case with KAISER/KPTI, which results in a "non-negligible" hit to performance). Apple's macOS has been patched since version 10.13.2, and iOS since version 11.2. According to Intel, Meltdown can be mitigated by OS updates with no additional firmware updates necessary.

    Note: Windows Server admins must enable the kernel-user space splitting feature once the update is installed. Amazon has issued updates to its AWS Linux guest kernels and Microsoft is rolling out fixes to Azure, as well. A good list of vendor advisories and updates is available here. 

    For more details on Meltdown, see the technical whitepaper.

Spectre (CVE-2017-5753, CVE-2017-5715)

  • Can be exploited to: Extract information from other running processes (e.g., stealing login cookies from browsers).

  • Processors affected: Intel, ARM, and AMD processors are all reportedly affected to some degree. See this post for more specifics. 

  • Fixes: Experts have universally described Spectre as being tougher to patch than Meltdown, though thankfully it is also more difficult to exploit in practice. According to researchers, the most likely exploitation of Spectre would be using JavaScript (say in a malicious ad) to leak information, session keys, etc. cached in the browser. Mozilla, Google, and Microsoft have all issued browser updates to make that scenario exponentially more difficult, though not impossible. Experts also recommend turning on site isolation in Chrome and Firefox as an extra precaution.

    Apple has issued Spectre mitigations in iOS 11.2.2, and the macOS High Sierra 10.13.2 supplemental update.

    Processor makers themselves have said they will be issuing microcode updates to address Spectre. Intel has released new Linux Processor microcode data files that can be used to add mitigations without having to perform a BIOS update, though some issues have been reported with Broadwell and Haswell CPUs. A microcode update from AMD addressing CVE-2017-5715 is also available now, and the company says it will be introducing additional fixes starting with Ryzen and EPYC processors.

    It's also worth noting Google has announced a new technique for mitigating Spectre it's calling Retpoline. 

    For more details on Spectre, see the technical whitepaper. 
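
To confirm on a Linux server that the Meltdown and Spectre fixes described above are actually active, the kernel's own status report can be read. The script below is an added example, not code from this page or from any vendor; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities, and the function names are illustrative.

```python
#!/usr/bin/env python3
"""Report Meltdown/Spectre mitigation status from Linux sysfs."""
import sys
from pathlib import Path

# Assumption: the running kernel exposes one status file per issue here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> CVE as listed on this page
CHECKS = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def classify(status):
    """Map a sysfs status line to 'ok', 'partial', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "ok"
    if s.startswith("Mitigation:"):
        # A mitigated line can still flag a sub-feature as vulnerable.
        return "partial" if "vulnerable" in s.lower() else "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(base=SYSFS_DIR):
    """Return {name: (cve, verdict, raw_status)} for the three issues."""
    results = {}
    for name, cve in CHECKS.items():
        try:
            raw = (Path(base) / name).read_text().strip()
        except OSError:
            # No file: the kernel does not report status, so nothing is proven.
            results[name] = (cve, "unknown", "status file missing")
            continue
        results[name] = (cve, classify(raw), raw)
    return results


if __name__ == "__main__":
    report = audit(sys.argv[1] if len(sys.argv) > 1 else SYSFS_DIR)
    for name, (cve, verdict, raw) in report.items():
        print(f"{name:<11} {cve:<14} {verdict:<10} {raw}")
    # Non-zero exit lets a fleet-wide job flag hosts that need attention.
    sys.exit(0 if all(v == "ok" for _, v, _ in report.values()) else 1)
```

A verdict of "unknown" means the kernel gave no answer, which on an older kernel usually means the update has not been installed or the host has not been rebooted into it.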

If you have any questions about these issues please contact a member of the team.

*Information is taken from the Barkly blog which you can read in full here.
