WEI is aware of the new vulnerabilities related to Intel and other CPUs which could potentially allow an attacker to gather privileged information from CPU cache and system memory, putting enterprise security at risk. The vulnerabilities are code-named “Meltdown” and “Spectre.” The “Meltdown” issue is reported to only affect Intel CPUs while “Spectre” is reported to affect Intel, AMD, and ARM. The impact of these vulnerabilities could extend back to CPUs from as early as 1995 (in the case of Intel).
The fixes for Meltdown (so far) are patches (OS and, potentially, firmware) that will prevent or limit Speculative Execution. At a very high level, Speculative Execution is the CPU's function of guessing what code it will need next and running it in anticipation of a request. In some cases, when the CPU guesses wrong, it doesn’t always put back the code it thought it would need—in other words, it doesn’t clean up after itself. That code, which could be passwords, can then be requested by another process because it's kind of just sitting there, waiting to be picked up.
Helpful Links
For more information on the exploits, WEI recommends visiting the following links:
- https://www.us-cert.gov/ncas/alerts/TA18-004A
- https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
- https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
- https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/
- https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities
Fixes & Patches
Most fixes will come in the form of OS patches. Microsoft has already released patches for Windows, IE, Edge, and SQL. The Linux kernel was updated to eliminate the Meltdown vulnerability in November. (Linux distributions are responsible for releasing their own patches.) Apple released a macOS update in December to address the conditions presented in Meltdown.
That said, it’s very likely hardware manufacturers will release firmware updates as well. As many appliances, controllers, switches, SANs, and other devices run Linux variants and/or Intel and AMD processors, customers should be aware that OEMs may soon be releasing updates for these devices as they assess their product vulnerabilities. WEI has been notified of some firmware updates related to these vulnerabilities (see the HPE link below), and will pass along information to our customers as we receive new notifications. However, we advise all of our customers to work with their OEMs as well, for the latest information on their products.
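One way to confirm on a Linux host that the OS and firmware updates described above took effect, as an added example (not WEI's or any vendor's code): it reads the status files the kernel publishes under /sys/devices/system/cpu/vulnerabilities. That interface is assumed to be present (mainline 4.15 and later, or a distribution kernel that backported it), and the function names are illustrative.

```shell
#!/bin/sh
# Added example: summarize the kernel's own Meltdown/Spectre status report.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/
# (mainline 4.15 and later, plus distribution kernels that backported it).

# classify_status TEXT -> not-affected | mitigated | vulnerable | unknown
# The kernel writes free text; only the leading keyword is stable.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# report_vulns [DIR] -> prints "name state detail" for each issue. Returns:
#   0 = every issue is mitigated or the CPU is not affected
#   1 = at least one issue is vulnerable or not reported
#   2 = no status directory (older kernel): treat the host as unverified
report_vulns() {
    vuln_dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    vuln_rc=0
    if [ ! -d "$vuln_dir" ]; then
        echo "no status directory at $vuln_dir" >&2
        return 2
    fi
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$vuln_dir/$name" ]; then
            text=$(cat "$vuln_dir/$name")
            state=$(classify_status "$text")
        else
            # A kernel that does not know about an issue cannot report on it.
            text="(not reported by this kernel)"
            state="unknown"
        fi
        printf '%-11s %-12s %s\n' "$name" "$state" "$text"
        case "$state" in
            vulnerable|unknown) vuln_rc=1 ;;
        esac
    done
    return "$vuln_rc"
}
```

Call `report_vulns` with no argument on the host being checked. A `spectre_v2` line that stays at "vulnerable" after the OS patch is a prompt to check with the OEM for pending firmware or microcode updates.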
For more info on recent patches, see some of the links below. Please note this list is not exhaustive and new updates are being released constantly.
- CERT (contains evolving list of known patches & updates):
- Microsoft*:
  - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
  - https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/#hlgJckks2qu9Vxhm.97
  - https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/858123b8-25ca-e711-a957-000d3a33cf99

  | Operating System Version | Update KB |
  | --- | --- |
  | Windows 10 version 1709 | 4056892 |
  | Windows Server 2016, Windows 10 version 1607 | 4056890 |
  | Windows Server 2012 R2 Standard, Windows 8.1 | 4056898 |
  | Windows Server 2008 R2, Win 7 SP1 | 4056897 |

  *Other updates, including application-specific updates, could be available.
- RedHat: https://access.redhat.com/security/vulnerabilities/speculativeexecution
- Suse: https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/
- CentOS: https://lists.centos.org/pipermail/centos-announce/2018-January/date.html
- Ubuntu: https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/
- VMware: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
- Firefox: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
- Google:
- Apple:
- HPE:
Performance issues related to patches
At this time, the performance impact of the patches has been estimated at potentially between 5% and 30%. As the nature of some patches will be to prevent or eliminate speculative execution (which had increased performance over native execution processes), it's not unreasonable to expect some performance issues. If a particular compute environment is currently running at very high utilization rates for the platform, or if a heavily consolidated or virtualized environment with sharp peak loads experiences a burst, it is possible performance degradation could be noticed.
Unfortunately, the level of performance degradation will be heavily dependent on the OS type, patch solution / strategy, and other updates such as firmware or application-specific patches. At this time, WEI can’t speculate on the specific impact to any particular environment.
Important to Note...
WEI is not aware of any clients who have been exploited by these vulnerabilities. It should also be noted that OEMs have stated that to exploit these vulnerabilities, access to the OS kernel would be required, or malware would have to be run via JavaScript in a browser. There may be other ways to exploit these vulnerabilities. Therefore, it is recommended that all available patches for OS and web browsers are tested and implemented as soon as possible. For example, a FAQ on Intel’s website regarding Speculative Execution and “side-channel” cache access asks:
Q: Can these new exploits be enabled remotely?
A: No. Any malware using this side channel analysis method must be running locally on the machine. Following good security practices that protect against malware in general will also help to protect against possible exploitation until updates can be applied.
It should also be noted that most patches appear to be addressing “Meltdown” and some of “Spectre” (Spectre has two specific vulnerabilities identified). The prevailing thought about Spectre is that resolving some of this particular vulnerability may require new hardware development and changes.
Even if no patches are available for a particular environment at this time, WEI recommends maintaining good security policies and programs to protect against attacks, intrusions, and exploits, including these potential vulnerabilities.
CONTACT WEI
As a trusted IT provider, WEI will stay engaged on this topic and help ensure optimal enterprise security for each of our clients.
Please reach out to WEI with any questions or concerns about these exploits, patches, and any fixes or other concerns you may have. The WEI team stands ready and committed to help in any way we can.