Award-winning news, views, and insight from the ESET security community
Meltdown and Spectre CPU Vulnerabilities: What You Need to Know
The first few days of 2018 have been filled with anxious discussions concerning a widespread and wide-ranging vulnerability in the architecture of processors based on Intel's Core architecture used in PCs for many years, and also affecting ARM processors commonly used in tablets and smartphones.
Update (12 Nov – 21:35 CET): On October 17th, a Microsoft engineer confirmed via Twitter that starting with 19H1, the Windows operating system’s kernel would be compiled using Google’s retpoline mitigations to improve performance of Spectre V2 mitigations in the kernel.
Update (23 May – 8:40 CET): On May 18th, researchers from Eclypsium announced their research into System Management Mode Speculative Execution Attacks, which allow an attacker to access the contents of System Management Mode (SMM) memory, a highly-privileged section of memory to which the operating system typically does not have access.
On May 21st, a series of coordinated announcements were made about two new variations of Spectre, “Variant 3A: Rogue System Register Read” and “Variant 4: Speculative Store Bypass.” The CVE numbers assigned to the vulnerabilities are:
Synology issued Synology Security Advisory "Synology-SA-18:23 Speculative Store Bypass."
UPDATE (4 May – 05:30 CET): On April 3, the Heise publication c't reported that eight (8) additional Spectre flaws had been found in Intel's CPUs, four of which are classified as "high risk" and four as "medium risk." c't refers to these as Spectre-NG to distinguish them from the Spectre vulnerabilities disclosed in January 2018.
UPDATE (1 May – 12:00 CET): On April 25, Microsoft released updates to Windows with updated microcode from Intel to patch against Spectre variant 2 on computers containing Haswell (4th generation), Broadwell (5th generation), and Skylake (6th generation) processors. Further information about the updates and download links can be found in Microsoft Knowledgebase Article #4093836, Summary of Intel microcode updates.
On April 10, Microsoft released updates to Windows 10 with updated microcode from AMD as well as operating system updates to patch against Spectre variant 2 on computers containing AMD processors from 2011 onwards (Bulldozer core and newer). Further information and download links can be found on AMD’s web site at AMD Processor Security Updates and in Microsoft Knowledgebase Article #4093112, April 10, 2018–KB4093112 (OS Build 16299.371) release notes.
UPDATE (14 March – 06:25 CET): On Tuesday, March 13th, Microsoft announced it is releasing Intel’s microcode updates through its Microsoft Update Catalog for Version 1709 of Windows 10 and Windows Server 2016. On Monday, March 12th, Intel announced the availability of updated firmware for its Sandy Bridge (2nd generation) and Ivy Bridge (3rd generation) Intel Core and Xeon processors.
On Wednesday, February 28th, Intel announced the availability of updated firmware for its Broadwell (4th generation) and Haswell (5th generation) Intel Core and Xeon processors.
On Tuesday, February 20th, Intel announced the availability of updated firmware for its Skylake (6th generation), Kaby Lake (7th generation) and Coffee Lake (8th generation) Intel Core and Xeon processors.
UPDATE (29 January – 23:20 CET): On Monday, January 29, Microsoft issued a critical out-of-band security update to disable mitigation for one of the two Spectre CPU vulnerabilities, CVE-2017-5715: Branch Target Injection, for Windows 7, 8.1, 10, Server 2008 R2 and Server 2012 R2. More information, including download instructions, can be found on Microsoft’s web site at KB4078130: Update to disable mitigation against Spectre, Variant 2. ESET’s software is not affected by this update, and recommends customers follow guidance from Microsoft and other operating system vendors in applying patches for the Meltdown and Spectre CPU vulnerabilities.
UPDATE (24 January – 08:02 CET): On Monday, January 22, Intel issued a statement confirming it had identified the root cause of reboot issues affecting its microcode updates to patch the Meltdown and Spectre vulnerabilities. Intel is asking customers to suspend applying them until new fixes are available which resolve the reboot issues. ESET’s software is not impacted by these microcode updates, and ESET recommends using the latest version of its consumer or enterprise software regardless of the state of CPU or operating system patches for Meltdown and Spectre. We also recommend checking with Intel for updated information on new patches, as well as other applicable vendors.
NOTE: Microsoft released Security Advisory 18002 on Wednesday, January 3, 2018, announcing mitigation for a major vulnerability to Windows in modern CPU architectures. ESET released Antivirus and Antispyware module 1533.3 with update 16680 the same day to all customers to ensure that use of our products would not affect compatibility with Microsoft's patch.
Background
The first few days of 2018 have been filled with anxious discussions concerning a widespread and wide-ranging vulnerability in the architecture of processors based on Intel’s Core architecture used in PCs for many years, as well as processors from AMD. The scope of the vulnerability is wide-ranging, affecting everything from the ARM processors commonly used in tablets and smartphones to the IBM POWER processors used in supercomputers. For information about the effects of these vulnerabilities on the Internet of Things, please see Righard Zwienenberg’s article, “MADIoT – The nightmare after XMAS (and Meltdown, and Spectre).”
When this article was initially written, not all details had been released, but reportedly the issue was that programs running in user-mode address space (the "normal" range of memory in which application software, games and the like run) on a computer can infer or "see" some of the information stored in kernel-mode address space (the "protected" range of memory used to contain the operating system, its device drivers, and sensitive information such as passwords and cryptography certificates).
Fixes to prevent user-mode programs from “peering inside” kernel-mode memory are being introduced by operating system vendors, hypervisor vendors and even cloud computing companies, but it appears the initial round of patches will slow down operating systems to some extent. The exact amount of slowdown is open to debate. Intel has stated the performance penalty will “not be significant” for most users, but Linux enthusiast site Phoronix has benchmarked performance penalties from 5-30%, depending upon what the computer is doing.
History
A long Reddit thread titled "Intel bug incoming" has been tracking the vulnerability since information about it began to appear on January 2, 2018; Ars Technica and The Register have had excellent coverage, as well.
Processor manufacturer AMD announced that it is unaffected, according to reports on CNBC and a message to the Linux Kernel Mailing List by an AMD engineer, but reports from both Google's Project Zero and Microsoft state that AMD processors are affected. Since then, AMD has released a statement for clarification. Both AMD and Nvidia announced that their GPUs are not vulnerable, although the latter has issued software updates to its device drivers for operating systems affected by the vulnerabilities. Qualcomm has confirmed to journalists that its CPUs are affected, but had issued no security advisories or bulletins at the time of this writing.
The Microsoft article goes on to note that this is not a Windows-specific issue, and that it affects Android, Chrome OS, iOS and macOS as well. Red Hat's advisory includes IBM's POWER architecture as being vulnerable, which IBM subsequently confirmed. Hypervisor manufacturers VMware and Xen have issued their own advisories, as has Amazon Web Services.
Patching operating systems and processor microcode is a complex process, and not all of the updates have gone smoothly: On January 9, Microsoft suspended the Windows update for some older AMD CPUs due to compatibility issues. On January 13, Dell, Lenovo and VMware suspended their microcode updates for some Broadwell, Haswell, Kaby Lake and Xeon CPUs due to reports of issues after installation.
Affected Vendors
Here is a list of affected vendors and their respective advisories and/or patch announcements:
Kevin Beaumont of DoublePulsar Security announced on Twitter that he is tracking the compatibility of anti-malware software with Microsoft's patches in a Google Docs spreadsheet.
Technical Details
The confusion over brands of affected CPUs may be due to the fact that this is not one vulnerability, but two similar vulnerabilities, dubbed Meltdown and Spectre by their respective discoverers. The Meltdown vulnerability is limited to Intel’s processors, while Spectre affects AMD, ARM, IBM, Intel and possibly other processors as well. These vulnerabilities have three CVE numbers (a quasi-government standard for tracking computer security vulnerabilities and exposures) assigned to them:
For many years, processor manufacturers – such as Intel – have been able to fix flaws in processor architecture through microcode updates, which write an update to the processor itself to fix a bug. When this article was originally published, ESET wrote that the vulnerabilities might not be fixable with a microcode update to Intel processors. However, it now appears that the Spectre vulnerability in Intel CPUs may be mitigated via microcode update, and that such an update can also provide additional protection against the Meltdown vulnerability.
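One check a Linux administrator can run after applying the operating-system and microcode patches discussed above, added here as an example that is not part of the original article: it reads the per-vulnerability status files the Linux kernel exposes (4.15 and later) under /sys/devices/system/cpu/vulnerabilities/ and flags any entry still reported as vulnerable. The sample status lines embedded in the script are constructed for the demonstration.

```python
# Summarise the per-vulnerability status files that Linux 4.15+ exports under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2,
# spec_store_bypass, ...): one line each, starting "Not affected",
# "Mitigation: <name>" or "Vulnerable[: <detail>]".
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Sysfs entry names mapped to the variant names used in the article.
VARIANT_NAMES = {
    "spectre_v1": "Spectre Variant 1",
    "spectre_v2": "Spectre Variant 2 (CVE-2017-5715, Branch Target Injection)",
    "meltdown": "Meltdown",
    "spec_store_bypass": "Spectre Variant 4 (Speculative Store Bypass)",
}

# Constructed sample: page-table isolation is active for Meltdown, the Spectre
# v2 mitigation is only partial and v4 has none (a made-up combination).
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "spec_store_bypass": "Vulnerable",
}

def classify(status: str) -> str:
    """Map a status line to a coarse state. Only the prefix decides: a line
    can name a mitigation and still begin with "Vulnerable:" (partial fix)."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # unrecognised wording: treat as needing review

def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read every status file; empty dict on kernels lacking the interface."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in directory.iterdir() if p.is_file()}

def needs_attention(statuses: dict) -> list:
    """Sysfs names a patch review should follow up on, sorted."""
    return sorted(n for n, line in statuses.items()
                  if classify(line) in ("vulnerable", "unknown"))

if __name__ == "__main__":
    statuses = read_sysfs() or SAMPLE_STATUS  # fall back to the sample offline
    for name, line in statuses.items():
        print(f"{classify(line):>12}  {VARIANT_NAMES.get(name, name)}: {line}")
    print("needs attention:", needs_attention(statuses))
```

On a patched host every entry should read "not affected" or "mitigated"; a "Vulnerable: ..." line that names a mitigation means the kernel considers that mitigation incomplete.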
As mentioned at the beginning of the article, ESET released Antivirus and Antispyware module update 1533.3 on Wednesday, January 3, 2018, to all customers to ensure compatibility with Microsoft’s updates to the Windows operating systems. ESET is working alongside hardware and software vendors to mitigate the risk posed by the vulnerabilities.
Please periodically check these articles and revisit this blog post for updates as additional information becomes available.
Special thanks to my ESET colleagues Tony Anscombe, Richard Baranyi, Shane B., Bruce P. Burrell, Shane Curtis, Nick FitzGerald, David Harley, Elod K., James R., Peter Stancik, Marek Z., and Righard Zwienenberg for their assistance in preparing this article. I would also like to recognize Artem Baranov, Ken Bechtel, Richard Ford and Andy Hayter for their feedback.
Revision History
2018-01-05: Initial Release.
2018-01-06: Added information for AMD, Android (Google), Chromium Project, Cisco, Citrix, Debian, Dell, F5 Networks, Huawei, NetApp, Nvidia, Raspberry Pi, SUSE, Synology, and Ubuntu to Vendors. Revised existing links as needed.
2018-01-07: Revised Background. Added links to CERT and US-CERT to Responders. Added information for FreeBSD to Vendors. Revised existing entries as needed.
2018-01-08: Revised Background. Added information for ASUS, Dragonfly BSD, HPE, Juniper and Qubes OS to Vendors.
2018-01-09: Added information for A10 Networks, Arista Networks, Aruba Networks, Avaya, CentOS, CoreOS, Digital Ocean, Duo Security, Extreme Networks, Fedora, Kemp Technologies, Linode, Liquid Web, LLVM, Mitel, Netgear, OpenBSD, openSUSE, Open Telekom, OVH, Palo Alto Networks, Pulse Secure, QEMU, QNAP, RISC-V, Riverbed Technology, SonicWall, Sophos and SuperMicro to Vendors. Revised existing entries as needed.
2018-01-10: Revised Affected Vendors. Added information for AbacusNext, Aerohive, Akamai, Alibaba Cloud, Arch Linux, Avast, AVM, Barracuda Networks, BerganKDV, BitDefender, CA Technologies, Check Point, Comodo, Crestron, Cylance, Cyren, Cumulus Networks, Elastic, Emsisoft, ESET, ForcePoint, Fujitsu, G DATA, Gandi, Gentoo, Heroku, Hetzner Online, HP, Ikarus, Kaspersky, LANCOM Systems, Linux Mint, Malwarebytes, McAfee, MicroWorld Technologies, Netgate, Nutanix, OpenGear, Okta, Oracle, OSISoft, Panda Security, Polycom, Proxmox, Qualys, Quanta, Rackspace, RSA, Salesforce, Scaleway, Silver Peak, Symantec, Thomas Krenn, Trend Micro, UpCloud, Veritas, VIPRE, Virtuozzo, Vultr, WatchGuard, WebKit, Webroot, XKCD and Zscaler to Vendors.
2018-01-11: Revised Technical Details. Added information for Acronis, AhnLab, Apache, AVG, Avira, Box, BrightSign, Bromium, Carbon Black, Cloud Foundry, Commvault, ConnectWise, Contegix, Couchbase, Endgame, FireEye, Lansweeper, NGINX, OnApp, OpenStack, ScyllaDB and Veeam to Vendors.
2018-01-12: Added information for Acer, ADP, Appalachia Technologies, APC, Aptible, Aspera, ASRock, BMC, ClearOS, cPanel, Digi, DocuSign, GFI, Gemalto, Gigabyte, Imperva, Littlefish, MSI, Outpost24, Parrot, Patchman, Plesk, Protiviti, Rapid7, Resolver, Ruckus Networks, Samsung, SAS, Schneider Electric, Scientific Linux, Siemens, SIOS, SolarWinds, Spectracom, Spotinst, Tableau, Tibco, Vertiv, Wind River, Zebra, and Zerto to Vendors. Revised existing entries as needed.
2018-01-12: Revised History. Added information for Bomgar, Ivanti, Lime Technology and ServiceNow to Vendors. Revised existing entries as needed.
2018-01-15: Added information for AgileBits, Capsule8, IGEL, myAirWatch, Neverware, Nyotron, Panasonic, PostgreSQL, Qihu 360, Quick Heal, Sentinel One, Tenable, Toshiba and VAIO to Vendors. Added DE (BSI) to Responders.
2018-01-16: Added information for ABB, Abbott, American Megatrends, Auth0, BD, Fifty Seven Network, Johnson & Johnson, Oracle, Philips, Qubole, Rockwell Automation, Siemens, Smartsheet, Smiths Medical and Wonderware PacWest to Vendors. Added US (NH-ISAC) to Responders. Revised existing entries as needed.
2018-01-16: Added information for A56 Informatique, Algolia, Bitnami, Epic Games, Fasthosts, Foundation IT, Johnson Controls, K7 Computing, One Identity, Packet, Prgmr.com, Purism, SOC Prime and Tanium to Vendors. Added BE (CERT.be) to Responders. Revised existing entries as needed.
2018-01-17: Added information for Aiven, brightsolid, Faronics, Hitachi and Mageia Linux to Vendors. Revised existing entries as needed.
2018-01-18: Added information for CyberAdapt, Barkly, Deep Instinct, Ensilo, Getac and Intego to Vendors. Revised existing entries as needed.
2018-01-20: Added information for Arcabit, BullGuard, ESTsecurity, Jiangmin, NANO Security, Rising, SecurityCoverage and VirusBlokAda to Vendors. Revised existing entries as needed.
2018-01-21: Added information for Infor, Quest and SAP to Vendors. Revised existing entries as needed.
2018-01-22: Added information for Konica Minolta to Vendors. Revised existing entries as needed.
2018-01-23: Added UPDATE. Revised existing entries as needed.
2018-01-25: Added information for Buffalo, Cybereason, Puget Computer Systems, Tencent, Thecus and Zyxel to Vendors. Revised existing entries as needed.
2018-01-26: Added information for Atlassian, ForeScout and Splunk to Vendors. Revised existing entries as needed.
2018-01-29: Added UPDATE. Added Joyent and Rendition Infosec to Vendors. Revised existing entries as needed.
2018-02-03: Added Altaro, Datto, Dell EMC, TenFourFox and Unitrends to Vendors. Revised existing entries as needed.
2018-02-05: Added Autodesk, Broadcom, Dahua, Drupal, Hivision, ManageEngine, Medtronic, Micro Focus, Puppet and TIBCO to Vendors. Revised existing entries as needed.
2018-02-07: Added Nexsan and Wind River to Vendors.
2018-02-08: Revised ESET’s Response. Added Catalyst, Inmotion Hosting and Platform.sh to Vendors. Revised existing entries as needed.
2018-02-09: Added Adtran and Edficom to Vendors. Revised existing entries as needed.
2018-02-10: Added CN (CNCERT/CC) and VN (MIC) to Responders. Revised existing entries as needed.
2018-02-12: Added Electro Rent, ExtraHop, Microlease, Knoppix and Slackware to Vendors. Revised existing entries as needed.
2018-02-14: Added Accenture, Deloitte, EVGA, Igloo Software, PWC and VMRay to Vendors. Revised existing entries as needed.
2018-02-15: Added BlackBerry to Vendors. Revised existing entries as needed.
2018-02-17: Added Kaseya and SanData to Vendors.
2018-02-20: Added Arca Noae, EFI, General Electric, Honeywell and Kyocera to Vendors. Revised existing entries as needed.
2018-02-22: Added Beckman Coulter, Canon and Stryker to Vendors.
2018-03-01: Added Draeger, Pepperl+Fuchs and Yokogawa to Vendors. Revised existing entries as needed.
2018-03-14: Added UPDATE. Revised existing entries as needed.
2018-03-21: Added DFI and iBASE to Vendors.
2018-04-03: Added Scan Computers to Vendors.
2018-04-16: Added Tyan to Vendors.
2018-04-20: Added Asustor to Vendors.
2018-05-01: Added UPDATE. Added Emerson and Phoenix Contact to Vendors. Added DE (VDE CERT) to Responders.
2018-05-04: Added UPDATE. Added TH (ThaiCERT) to Responders.
2018-05-05: Added NexusGard, Optiv Security and ownCloud to Vendors.
2018-11-08: Added Zotac to Vendors.
Is your security advisory, bulletin or customer notification not listed? Please let us know so that it can be added. Thank you.
So this is old news... from 2017.
2017-01-05: Initial Release.
2017-01-06: Added information for AMD, Android (Google), Chromium Project, Cisco, Citrix, Debian, Dell, F5 Networks, Huawei, NetApp, nVidia, Raspberry Pi, SUSE, Synology, and Ubuntu. Revised existing links as needed.
2017-01-07: Revised Background. Added links to CERT and US-CERT. Added information for FreeBSD. Revised existing links as needed.
Hello,
No, it is from 2018.
Regards,
Aryeh Goretsky
Good work from ESET to release the updates so quickly.
https://support.hp.com/gb-en/document/c05869091 – HP’s response