Meltdown and Spectre CPU Vulnerabilities: What You Need to Know

Update (12 Nov - 21:35 CET): On October 17th, a Microsoft engineer confirmed via Twitter that starting with 19H1, the Windows operating system's kernel would be compiled using Google's retpoline mitigations to improve performance of Spectre V2 mitigations in the kernel.

Update (23 May - 8:40 CET): On May 18th, researchers from Eclypsium announced their research into System Management Mode Speculative Execution Attacks, which allow an attacker to access the contents of System Management Mode (SMM) memory, a highly-privileged section of memory to which the operating system typically does not have access.

On May 21st, a series of coordinated announcements were made about two new variations of Spectre, "Variant 3A: Rogue System Register Read" and "Variant 4: Speculative Store Bypass." The CVE numbers assigned to the vulnerabilities are:

• CVE-2018-3639 – Variant 4: Speculative Store Bypass (SSB)
• CVE-2018-3640 – Variant 3a: Rogue System Register Read (RSRR)

CERT issued "Vulnerability Note VU#180049: CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks" and US-CERT issued "Technical Alert TA18-141A: Side-Channel Vulnerability Variants 3a and 4.

AMD issued "'Speculative Store Bypass' Vulnerability Migitations for AMD Platforms" and a white paper titled "AMD64 Technology: Speculative Store Bypass Disable" [PDF].

ARM issued an update to its Speculative Processor Vulnerability information named "Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism" as well as a white paper titled "Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism" [PDF].

Google's Project Zero issued speculative execution, variant 4: speculative store bypass.

Intel issued a security advisory, "INTEL-SA-00115: Q2 2018 Speculative Execution Side Channel Update" and a press release, "Addressing New Research for Side-Channel Attacks."

Lenovo issued Lenovo Security Advisory "LEN-22133: Speculative Execution Side Channel Variants 4 and 3a."

Microsoft issued "Security Advisory ADV180012: Microsoft Guidance for Speculative Store Bypass" and published "Analysis and mitigation of speculative store bypass (CVE-2018-3639) in their Security Research Defense blog.

Red Hat issued a blog post, "Speculative Store Bypass explained: what it is, how it works," a companion video on YouTube, and Red Hat Security Advisories "RHSA-2018:1630," "RHSA-2018:1647," "RHSA-2018:1655," "RHSA-2018:1660,"

Ubuntu published " Variant4: Speculative Store Bypass (CVE-2018-3639 aka GPZ Variant 4)" in their wiki as well as "CVE-2018-3639" and "CVE-2018-3640."

VMware issued VMware Security Advisory, "VMSA-2018-0012: VMware vSphere, Workstation and Fusion updates enable Hypervisor-Assisted Guest Mitigations for Speculative Store Bypass issue" as well as VMware Knowledgebase Article #54951, "VMware Response to Speculative Execution security issues, CVE-2018-3639 and CVE-2018-3640 (54951)."

Xen issued "Xen Security Advisory CVE-2018-3639 / XSA-263: Speculative Store Bypass."

On May 22nd, Cisco issued "Cisco Security Advisory cisco-sa-20180521-cpusidechannel: CPU Side-Channel Information Disclosure Vulnerabilities: May 2018

Citrix issued "Security Bulletin CTX235225: Citrix XenServer Security Update for CVE-2018-3639."

NetApp issued "NetApp Product Security Advisory ID NTAP-20180521-0001: Speculative Execution Side Channel Vulnerabilities in NetApp Products."

Synology issued Synology Security Advisory Synology-SA-18:23 Speculative Store Bypass."
UPDATE (4 May - 05:30 CET):  On April 3, Heise publication c't reported that eight (8) additional Spectre flaws had been found in Intel's CPUs, four of which are classified as "high risk," and four of which  as "medium risk."  c't refers to these as Spectre-NG to distinguish from the Spectre vulnerabilities disclosed in January, 2018.

UPDATE (1 May - 12:00 CET): On April 25, Microsoft released updates to Windows with updated microcode from Intel to patch against Spectre variant 2 on computers containing Haswell (4th generation), Broadwell (5th generation), and Skylake (6th generation) processors. Further information about the updates and download links can be found in Microsoft Knowledgebase Article #4093836, Summary of Intel microcode updates.
On April 10, Microsoft released updates to Windows 10 with updated microcode from AMD as well as operating system updates to patch against Spectre variant 2 on computers containing AMD processors from 2011 onwards (Bulldozer core and newer).  Further information and download links can be found on AMD's web site at AMD Processor Security Updates and in Microsoft Knowledgebase Article #4093112, April 10, 2018--KB4093112 (OS Build 16299.371) release notes.

UPDATE (14 March - 06:25 CET): On Tuesday, March 13th, Microsoft announced it is releasing Intel's microcode updates through its Microsoft Update Catalog for Version 1709 of Windows 10 and Windows Server 2016.
On Monday, March 12th, Intel announced the availability of updated firmware for its Sandy Bridge (2nd generation) and Ivy Bridge (3rd generation) Intel Core and Xeon processors.
On Wednesday, February 28th, Intel announced the availability of updated firmware for its Broadwell (4th generation) and Haswell (5th generation) Intel Core and Xeon processors.
On Tuesday, February 20th, Intel announced the availability of updated firmware for its Skylake (6th generation), Kaby Lake (7th generation) and Coffee Lake (8th generation) Intel Core and Xeon processors.

UPDATE (29 January - 23:20 CET): On Monday, January 29, Microsoft issued a critical out-of-band security update to disable mitigation for one of the two Spectre CPU vulnerabilities, CVE-2017-5715: Branch Target Injection, for Windows 7, 8.1, 10, Server 2008 R2 and Server 2012 R2. More information, including download instructions, can be found on Microsoft's web site at KB4078130: Update to disable mitigation against Spectre, Variant 2.  ESET's software is not affected by this update, and recommends customers follow guidance from Microsoft and other operating system vendors in applying patches for the Meltdown and Spectre CPU vulnerabilities.

UPDATE (24 January - 08:02 CET): On Monday, January 22, Intel issued a statement confirming it had identified the root cause of reboot issues affecting its microcode updates to patch the Meltdown and Spectre vulnerabilities. Intel is asking customers to suspend applying them until new fixes are available which resolve the reboot issues. ESET’s software is not impacted by these microcode updates, and ESET recommends using the latest version of its consumer or enterprise software regardless of the state of CPU or operating system patches for Meltdown and Spectre. We also recommend checking with Intel for updated information on new patches, as well as other applicable vendors.

NOTE: Microsoft released Security Advisory 18002 on Wednesday, January 3, 2018 announcing mitigation for a major vulnerability to Windows in modern CPU architectures. ESET released Antivirus and Antispyware module 1533.3 with update 16680 the same day to all customers to ensure that use of our products would not affect compatibility with Microsoft's patch.

Background

The first few days of 2018 have been filled with anxious discussions concerning a widespread and wide-ranging vulnerability in the architecture of processors based on Intel's Core architecture used in PCs for many years, as well as processors from AMD.  The scope of the vulnerability is wide-ranging, affecting everything from the ARM processors commonly used in tablets and smartphones to the IBM POWER processors used in supercomputers.  For information about the effects of these vulnerabilities on the Internet of Things, please see Righard Zwienenberg's article, "MADIoT – The nightmare after XMAS (and Meltdown, and Spectre)."

When this article was initially written, not all details have been released, but reportedly the issue was that programs running in user-mode address space (the "normal" range of memory in which application software, games and the like run) on a computer can infer or "see " some of the information stored in kernel-mode address space (the "protected" range of memory used to contain the operating system, its device drivers, and sensitive information such as passwords and cryptography certificates).

Fixes to prevent user-mode programs from "peering inside" kernel-mode memory are being introduced by operating system vendors, hypervisor vendors and even cloud computing companies, but it appears the initial round of patches will slow down operating systems to some extent.  The exact amount of slowdown is open to debate.  Intel has stated the performance penalty will "not be significant" for most users, but Linux enthusiast site Phoronix has benchmarked performance penalties from 5-30%, depending upon what the computer is doing.

History

A long Reddit thread titled Intel bug incoming has been tracking the vulnerability since information about it began to appear on January 2, 2018; Ars Technica and The Register have had excellent coverage, as well.

Processor manufacturer AMD announced that they are unaffected, according to reports on CNBC and a message to the Linux Kernel Mailing List by an AMD engineer, but reports from both Google's Project Zero and Microsoft state that AMD processors are affected.  Since then, AMD has released a statement for clarification.  Both AMD and Nvidia announced that their GPUs are not vulnerable, although the latter has issued software updates to its device drivers for operating systems affected by the vulnerabilities.  Qualcomm has confirmed to journalists that its CPUs are affected, but has issued no security advisories or bulletins at the time of this writing.

The Microsoft article goes on to note that this is not a Windows-specific issue, and that it affects Android, Chrome OS, iOS and macOS as well.  Red Hat's advisory includes IBM's POWER architecture as being vulnerable, which IBM subsequently confirmed.  Hypervisor manufacturers VMware and Xen have issued their own advisories, as has Amazon Web Services.

Patching operating systems and processor microcode is a complex process, and not all of the updates have gone smoothly:  On January 9, Microsoft suspended the Windows update for some older AMD CPUs due to compatibility issues.  On January 13, Dell, Lenovo and VMware suspended their microcode updates for some Broadwell, Haswell, Kaby Lake and Xeon CPUs due to reports of issues after installation.

Affected Vendors

Here is a list of affected vendors and their respective advisories and/or patch announcements:

Kevin Beaumont of DoublePulsar Security, announced on Twitter that he is tracking the compatibility of anti-malware software with Microsoft's patches in a Google Docs spreadsheet.

Technical Details

The confusion over brands of affected CPUs may be due to the fact that this is not one vulnerability, but two similar vulnerabilities, dubbed Meltdown and Spectre by their respective discoverers.  The Meltdown vulnerability is limited to Intel's processors, while Spectre affects AMD, ARM, IBM, Intel  and possibly other processors as well.   These vulnerabilities have three CVE numbers (a quasi-government standard for tracking computer security vulnerabilities and exposures) assigned to them:

For many years, processor manufacturers – such as Intel – have been able to fix flaws in processor architecture through microcode updates, which write an update to the processor itself to fix a bug.  When this article was originally published, ESET wrote that the vulnerabilities might not be fixable with a microcode update to Intel processors, however, it now appears that it may be possible to mitigate the Spectre vulnerability in Intel CPUs via microcode update, as well as provide additional protection against the Meltdown vulnerability.

Intel's security advisory, INTEL-SA-00088 Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method, lists forty-four (44) affected families of processors, each of which can contain dozens of models.  ARM Limited has released an advisory titled Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism that currently lists ten (10) affected models of processor.

Computer emergency, incident , and security response teams from around the world have issued advisories to their respective countries.

ESET's Response

As mentioned at the beginning of the article, ESET released Antivirus and Antispyware module update 1533.3 on Wednesday, January 3, 2018, to all customers to ensure compatibility with Microsoft's updates to the Windows operating systems.  ESET is working alongside hardware and software vendors to mitigate the risk posed by the vulnerabilities.

For additional information see:

• ESET Customer Advisory 2018-001: Spectre and Meltdown Vulnerabilities Discovered
• ESET Knowledgebase Article 6662: Best practices against the Spectre and Meltdown vulnerabilities
• ESET Newsroom: Meltdown & Spectre: How to protect yourself from these CPU security flaws
• ESET Support News 6657: ESET Endpoint Security and ESET Endpoint Antivirus version 6.6.2072.2 and 6.5.2118.2 have been released
• ESET Support News 6658: ESET Cyber Security Pro and ESET Cyber Security version 6.5.600.2 have been released

Please periodically check these articles and revisit this blog post for updates as additional information becomes available.

Special thanks to my ESET colleagues Tony Anscombe, Richard Baranyi, Shane B., Bruce P. Burrell, Shane Curtis, Nick FitzGerald, David Harley, Elod K., James R., Peter Stancik, Marek Z., and Righard Zwienenberg for their assistance in preparing this article. I would also like to recognize Artem Baranov, Ken Bechtel, Richard Ford and Andy Hayter for their feedback.

Revision History

2018-01-05: Initial Release.
2018-01-06: Added information for AMD, Android (Google), Chromium Project, Cisco, Citrix, Debian, Dell, F5 Networks, Huawei, NetApp, nVidia, Raspberry Pi, SUSE, Synology, and Ubuntu to Vendors. Revised existing links as needed.
2018-01-07: Revised Background. Added links to CERT and US-CERT to Responders. Added information for FreeBSD to Vendors. Revised existing entries as needed.
2018-01-08: Revised Background. Added information for ASUS, Dragonfly BSD, HPE, Juniper and Qubes OS to Vendors.
2018-01-09: Added information for A10 Networks, Arista Networks, Aruba Networks, Avaya, Centos, CoreOS, Digital Ocean, Duo Security, Extreme Networks, Fedora, Kemp Technologies, Linode, Liquid Web, LLVM, Mitel, Netgear, OpenBSD, OpenSUSE, Open Telekom, OVH, Palo Alto Networks, Pulse Secure, QEMU, QNAP, RISC-V, Riverbed Technology, SonicWall, Sophos and SuperMicro to Vendors. Revised existing entries as needed.
2018-01-10: Revised Affected Vendors. Added information for AbacusNext, Aerohive, Akamai, Alibaba Cloud, ArchLinux, Avast, AVM, Barracuda Networks, BerganKDV, BitDefender, CA Technologies, Check Point, Comodo, Crestron, Cylance, Cyren, Cumulus Networks, Elastic, Emsisoft, ESET, ForcePoint, Fujitsu, G DATA, Gandi, Gentoo, Heroku, Hetzner Online, HP, Ikarus, Kaspersky, LANCOM Systems, Linux Mint, Malwarebytes, McAfee, MicroWorld Technologies, Netgate, Nutanix, OpenGear, Okta, Oracle, OSISoft, Panda Security, Polycomm, Proxmox, Qualys, Quanta, Rackspace, RSA, SalesForce, Scaleway, Silver Peak, Symantec, Thomas Krenn, Trend Micro, UpCloud, Veritas, VIPRE, Virtuozzo, Vultur, WatchGuard, Webkit, Webroot, XKCD and Zscalar to Vendors.
2018-01-11: Revised Technical Details. Added information for Acronis, AhnLab, Apache, AVG, AVira, Box, BrightSign, Bromium, Carbon Black, Cloud Foundry, Commvault, ConnectWise, Contegix, Couchbase, Endgame, FireEye, Lansweeper, NGINX, OnApp, OpenStack, ScyllaDB and Veeam to Vendors.
2018-01-12: Added information for Acer, ADP, Appalachia Technologies, APC, Aptible, Aspera, ASRock, BMC, ClearOS, cPanel, Digi, DocuSign, GFI, Gemalto, Gigabyte, Imperva, Littlefish, MSI, Outpost24, Parrot, Patchman, Plesk, Protiviti, Rapid7, Resolver, Ruckus Networks, Samsung, SAS, Schneider Electric, Scientific Linux, Siemens, SIOS, Solar Winds, Spectracom, Spotinst, Tableau, Tibco, Vertiv, Wind Driver, Zebra, and Zerto to Vendors. Revised existing entries as needed.
2018-01-12: Revised History. Added information for Bomgar, Ivanti, Lime Technology and ServiceNow to Vendors. Revised existing entries as needed
2018-01-15: Added information for AgileBits, Capsule8, IGEL, myAirWatch, Neverware, Nyotron, Panasonic, PostgreSQL, Qihu 360, Quick Heal, Sentinel One, Tenable, Toshiba and VAIO to Vendors. Added DE (BSI) to Responders.
2018-01-16: Added information for ABB, Abbott, American Megatrends, Auth0, BD, Fifty Seven Network, Johnson & Johnson, Oracle, Philips, Qubole, Rockwell Automation, Siemens, Smartsheet, Smiths Medical and Wonderware PacWest to Vendors. Added US (NH-ISAC) to Responders. Revised existing entries as needed.
2018-01-16: Added information for A56 Informatique, Algolia, Bitnami, Epic Games, Fasthosts, Foundation IT, Johnson Controls, K7 Computing, One Identity, Packet, Prgmr.com, Purism, SOC Prime and Tanium to Vendors. Added BE (CERT.be) to Responders. Revised existing entries as needed.
2018-01-17: Added information for Aiven, brightsolid, Faronics, Hitachi and Mageia Linux to Vendors. Revised existing entries as needed.
2018-01-18: Added information for CyberAdatpt, Barkly, Deep Instinct, Ensilo, Getac and Intego to Vendors. Revised existing entries as needed.
2018-01-20: Added information for Arcabit, BullGuard, ESTsecurity, Jiangmin, NANO Security, Rising, SecurityCoverage and VirusBlokAda to Vendors. Revised existing entries as needed.
2018-01-21: Added information for Infor, Quest and SAP to Vendors. Revised existing entries as needed.
2018-01-22: Added information for Konica Minolta to Vendors. Revised existing entries as needed.
2018-01-23: Added UPDATE. Revised exiting entries as needed.
2018-01-25: Added information for Buffalo, Cybereason, Puget Computer Systems, Tencent, Thecus and Zyxel to Vendors. Revised existing entries as needed.
2018-01-26: Added information for Atlassian, ForeScout and Splunk to Vendors. Revised existing entries as needed.
2018-01-29: Added UPDATE. Added Joyen and Rendition Infosec to Vendors. Revised existing entries as needed.
2018-02-03: Added Altaro, Datto, Dell EMC, TenFourFox and Unitrends to Vendors. Revised existing entries as needed.
2018-02-05: Added Autodesk, Broadcom, Dahua, Drupal, Hivision, ManageEngine, Medtronic, Micro Focus, Puppet and TIBCO to Vendors. Revised existing entries as needed.
2018-02-07: Added Nexsan and Wind River to Vendors.
2018-02-08: Revised ESET’s Response. Added Catalyst, Inmotion Hosting and Platform.sh to Vendors. Revised existing entries as needed.
2018-02-09: Added Adtran and Edficom to Vendors. Revised existing entries as needed.
2018-02-10: Added CN (CNCERT/CC) and VN (MIC) to Responders. Revised existing entries as needed.
2018-02-12: Added Electro Rent, ExtraHop, Microlease, Knoppix and Slackware to Vendors. Revised existing entries as needed.
2018-02-14: Added Accenture, Deloitte, EVGA, Igloo Software, PWC and VMRay to Vendors. Revised existing entries as needed.
2018-02-15: Added BlackBerry to Vendors. Revised existing entries as needed.
2018-02-17: Added Kaseya and SanData to Vendors.
2018-02-20: Added Arca Noae, EFI, General Electric, Honeywell and Kyocera to Vendors. Revised existing entries as needed.
2018-02-22: Added Beckman Coulter, Canon and Stryker to Vendors.
2018-03-01: Added Draeger, Pepperl+Fuchs and Yokogawa to Vendors. Revised existing entries as needed.
2018-03-14: Added UPDATE. Revised existing entries as needed.
2018-03-21: Added DFI and iBASE to Vendors.
2018-04-03: Added Scan Computers to Vendors.
2018-04-16: Added Tyan to Vendors.
2018-04-20: Added Asustor to Vendors.
2018-05-01: Added UPDATE.  Added Emerson and Phoenix Contact to Vendors.  Added DE (VDE CERT) to Responders.
2018-05-04: Added UPDATE.  Added TH (ThaiCERT) to Responders.
2018-05-05: Added NexusGard, Optiv Security and ownCloud to Vendors.
2018-11-08: Added Zotac to Vendors.

Is your security advisory, bulletin or customer notification not listed? Please let us know so that it can be added. Thank you.