CPU vulnerabilities exploited by Meltdown and Spectre

Meltdown and Spectre CPU Vulnerabilities: What You Need to Know

The first few days of 2018 have been filled with anxious discussions concerning a widespread and wide-ranging vulnerability in the architecture of processors based on Intel's Core architecture used in PCs for many years, and also affecting ARM processors commonly used in tablets and smartphones.

The first few days of 2018 have been filled with anxious discussions concerning a widespread and wide-ranging vulnerability in the architecture of processors based on Intel’s Core architecture used in PCs for many years, and also affecting ARM processors commonly used in tablets and smartphones.

Update (23 May – 8:40 CET): On May 18th, researchers from Eclypsium announced their research into System Management Mode Speculative Execution Attacks, which allow an attacker to access the contents of System Management Mode (SMM) memory, a highly-privileged section of memory to which the operating system typically does not have access.

On May 21st, a series of coordinated announcements were made about two new variations of Spectre, “Variant 3A: Rogue System Register Read” and “Variant 4: Speculative Store Bypass.” The CVE numbers assigned to the vulnerabilities are:

CERT issued “Vulnerability Note VU#180049: CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks” and US-CERT issued “Technical Alert TA18-141A: Side-Channel Vulnerability Variants 3a and 4.

AMD issued “‘Speculative Store Bypass’ Vulnerability Migitations for AMD Platforms” and a white paper titled “AMD64 Technology: Speculative Store Bypass Disable” [PDF].

ARM issued an update to its Speculative Processor Vulnerability information named “Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism” as well as a white paper titled “Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism” [PDF].

Google’s Project Zero issued speculative execution, variant 4: speculative store bypass.

Intel issued a security advisory, “INTEL-SA-00115: Q2 2018 Speculative Execution Side Channel Update” and a press release, “Addressing New Research for Side-Channel Attacks.”

Lenovo issued Lenovo Security Advisory “LEN-22133: Speculative Execution Side Channel Variants 4 and 3a.”

Microsoft issued “Security Advisory ADV180012: Microsoft Guidance for Speculative Store Bypass” and published “Analysis and mitigation of speculative store bypass (CVE-2018-3639) in their Security Research Defense blog.

Red Hat issued a blog post, “Speculative Store Bypass explained: what it is, how it works,” a companion video on YouTube, and Red Hat Security Advisories “RHSA-2018:1630,” “RHSA-2018:1647,” “RHSA-2018:1655,” “RHSA-2018:1660,”

Ubuntu published “ Variant4: Speculative Store Bypass (CVE-2018-3639 aka GPZ Variant 4)” in their wiki as well as “CVE-2018-3639” and “CVE-2018-3640.”

VMware issued VMware Security Advisory, “VMSA-2018-0012: VMware vSphere, Workstation and Fusion updates enable Hypervisor-Assisted Guest Mitigations for Speculative Store Bypass issue” as well as VMware Knowledgebase Article #54951, “VMware Response to Speculative Execution security issues, CVE-2018-3639 and CVE-2018-3640 (54951).”

Xen issued “Xen Security Advisory CVE-2018-3639 / XSA-263: Speculative Store Bypass.”

On May 22nd, Cisco issued “Cisco Security Advisory cisco-sa-20180521-cpusidechannel: CPU Side-Channel Information Disclosure Vulnerabilities: May 2018

Citrix issued “Security Bulletin CTX235225: Citrix XenServer Security Update for CVE-2018-3639.”

NetApp issued “NetApp Product Security Advisory ID NTAP-20180521-0001: Speculative Execution Side Channel Vulnerabilities in NetApp Products.”

Synology issued Synology Security Advisory Synology-SA-18:23 Speculative Store Bypass.”
UPDATE (4 May – 05:30 CET):  On April 3, Heise publication c’t reported that eight (8) additional Spectre flaws had been found in Intel’s CPUs, four of which are classified as “high risk,” and four of which  as “medium risk.”  c’t refers to these as Spectre-NG to distinguish from the Spectre vulnerabilities disclosed in January, 2018.

UPDATE (1 May – 12:00 CET): On April 25, Microsoft released updates to Windows with updated microcode from Intel to patch against Spectre variant 2 on computers containing Haswell (4th generation), Broadwell (5th generation), and Skylake (6th generation) processors. Further information about the updates and download links can be found in Microsoft Knowledgebase Article #4093836, Summary of Intel microcode updates.
On April 10, Microsoft released updates to Windows 10 with updated microcode from AMD as well as operating system updates to patch against Spectre variant 2 on computers containing AMD processors from 2011 onwards (Bulldozer core and newer).  Further information and download links can be found on AMD’s web site at AMD Processor Security Updates and in Microsoft Knowledgebase Article #4093112, April 10, 2018–KB4093112 (OS Build 16299.371) release notes.

UPDATE (14 March – 06:25 CET): On Tuesday, March 13th, Microsoft announced it is releasing Intel’s microcode updates through its Microsoft Update Catalog for Version 1709 of Windows 10 and Windows Server 2016.
On Monday, March 12th, Intel announced the availability of updated firmware for its Sandy Bridge (2nd generation) and Ivy Bridge (3rd generation) Intel Core and Xeon processors.
On Wednesday, February 28th, Intel announced the availability of updated firmware for its Broadwell (4th generation) and Haswell (5th generation) Intel Core and Xeon processors.
On Tuesday, February 20th, Intel announced the availability of updated firmware for its Skylake (6th generation), Kaby Lake (7th generation) and Coffee Lake (8th generation) Intel Core and Xeon processors.

UPDATE (29 January – 23:20 CET): On Monday, January 29, Microsoft issued a critical out-of-band security update to disable mitigation for one of the two Spectre CPU vulnerabilities, CVE-2017-5715: Branch Target Injection, for Windows 7, 8.1, 10, Server 2008 R2 and Server 2012 R2. More information, including download instructions, can be found on Microsoft’s web site at KB4078130: Update to disable mitigation against Spectre, Variant 2.  ESET’s software is not affected by this update, and recommends customers follow guidance from Microsoft and other operating system vendors in applying patches for the Meltdown and Spectre CPU vulnerabilities.

UPDATE (24 January – 08:02 CET): On Monday, January 22, Intel issued a statement confirming it had identified the root cause of reboot issues affecting its microcode updates to patch the Meltdown and Spectre vulnerabilities. Intel is asking customers to suspend applying them until new fixes are available which resolve the reboot issues. ESET’s software is not impacted by these microcode updates, and ESET recommends using the latest version of its consumer or enterprise software regardless of the state of CPU or operating system patches for Meltdown and Spectre. We also recommend checking with Intel for updated information on new patches, as well as other applicable vendors.

NOTE: Microsoft released Security Advisory 18002 on Wednesday, January 3, 2018 announcing mitigation for a major vulnerability to Windows in modern CPU architectures. ESET released Antivirus and Antispyware module 1533.3 with update 16680 the same day to all customers to ensure that use of our products would not affect compatibility with Microsoft’s patch.

Background

The first few days of 2018 have been filled with anxious discussions concerning a widespread and wide-ranging vulnerability in the architecture of processors based on Intel’s Core architecture used in PCs for many years, as well as processors from AMD.  The scope of the vulnerability is wide-ranging, affecting everything from the ARM processors commonly used in tablets and smartphones to the IBM POWER processors used in supercomputers.  For information about the effects of these vulnerabilities on the Internet of Things, please see Righard Zwienenberg’s article, “MADIoT – The nightmare after XMAS (and Meltdown, and Spectre).”

When this article was initially written, not all details have been released, but reportedly the issue was that programs running in user-mode address space (the “normal” range of memory in which application software, games and the like run) on a computer can infer or “see ” some of the information stored in kernel-mode address space (the “protected” range of memory used to contain the operating system, its device drivers, and sensitive information such as passwords and cryptography certificates).

Fixes to prevent user-mode programs from “peering inside” kernel-mode memory are being introduced by operating system vendors, hypervisor vendors and even cloud computing companies, but it appears the initial round of patches will slow down operating systems to some extent.  The exact amount of slowdown is open to debate.  Intel has stated the performance penalty will “not be significant” for most users, but Linux enthusiast site Phoronix has benchmarked performance penalties from 5-30%, depending upon what the computer is doing.

History

A long Reddit thread titled Intel bug incoming has been tracking the vulnerability since information about it began to appear on January 2, 2018; Ars Technica and The Register have had excellent coverage, as well.

Processor manufacturer AMD announced that they are unaffected, according to reports on CNBC and a message to the Linux Kernel Mailing List by an AMD engineer, but reports from both Google‘s Project Zero and Microsoft state that AMD processors are affected.  Since then, AMD has released a statement for clarification.  Both AMD and Nvidia announced that their GPUs are not vulnerable, although the latter has issued software updates to its device drivers for operating systems affected by the vulnerabilities.  Qualcomm has confirmed to journalists that its CPUs are affected, but has issued no security advisories or bulletins at the time of this writing.

The Microsoft article goes on to note that this is not a Windows-specific issue, and that it affects Android, Chrome OS, iOS and macOS as well.  Red Hat‘s advisory includes IBM’s POWER architecture as being vulnerable, which IBM subsequently confirmed.  Hypervisor manufacturers VMware and Xen have issued their own advisories, as has Amazon Web Services.

Patching operating systems and processor microcode is a complex process, and not all of the updates have gone smoothly:  On January 9, Microsoft suspended the Windows update for some older AMD CPUs due to compatibility issues.  On January 13, Dell, Lenovo and VMware suspended their microcode updates for some Broadwell, Haswell, Kaby Lake and Xeon CPUs due to reports of issues after installation.

Affected Vendors

Here is a list of affected vendors and their respective advisories and/or patch announcements:

VendorAdvisory/Announcement
A10 NetworksSPECTRE/MELTDOWN - CVE-2017-5715/5753/5754
A56 InformatiqueInfrastructure VMWare et failles « Spectre » et « Meltdown »
AbacusNextAbacusNext Research and Statement on Meltdown / Spectre
ABBABB Doc Id 9AKK107045A8219: Cyber Security Notification - Meltdown & Spectre
AbbottCybersecurity Update on Meltdown and Spectre
AccentureAccenture Security Cyber Advisory Processor Chip Design Vulnerabilities
脆弱性「Meltdown」「Spectre」最新のサイバー攻撃事例と、企業・組織を守るための実践的なステップを紹介します。
AcerAnswer ID 53104: Meltdown and Spectre security vulnerabilities
AcronisKB 60847: Acronis Access Advanced: Spectre and Meltdown vulnerabilities
ADPInformation Regarding Meltdown and Spectre Vulnerabilities
AdtranADTRAN Spectre and Meltdown Attack Advisory (ADTSA-2018001) REV E
AerohiveProduct Security Announcement: Aerohive's response to Meltdown and Spectre
AgileBitsSame as it ever was: There’s no reason to melt down
AhnLab[Notice] Security Alert for Intel CPU Flaw
AivenAiven statement on Meltdown and Spectre vulnerabilities
AkamaiImpact of Meltdown and Spectre on Akamai
AlgoliaThe Meltdown and Spectre impact on Algolia infrastructure
Alibaba Cloud[Security Bulletin] Intel Processor Meltdown and Specter Security Vulnerability Bulletin
AltaroThe Actual Performance Impact of Spectre/Meltdown Hyper-V Updates
Amazon (AWS)AWS-2018-013: Processor Speculative Execution Research Disclosure
AMDAn Update on AMD Processor Security
Managing Speculation on AMD Processors
American MegatrendsAmerican Megatrends Statement in Response to “Meltdown” and “Spectre” Security Vulnerabilities
Android (Google) Android Security Bulletin—January 2018
ApacheProtecting Apache Ignite from 'Meltdown' and 'Spectre' vulnerabilities
APCUPDATED: 10-JAN-2018 | Security Notification: "Meltdown" (CVE-2017-5754) and "Spectre" (CVE-2017-5753 & CVE-2017-5715)​ - impact to APC products
Appalachia TechnologiesSpectre + Meltdown
Apple
HT208331: About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
HT208394: About speculative execution vulnerabilities in ARM-based and Intel CPUs
HT208403: About the security content of Safari 11.0.2
AptibleMeltdown and Spectre are Critical Vulnerabilities for Cloud Infrastructure. Here’s How the Aptible Security Team Responded
Arca Noae (OS/2)Policy statement concerning Spectre and Meltdown exploits
ArcabitSpectre i Meltdown - Arcabit i mks_vir kompatybilne z poprawkami Microsoft
ArchLinuxCVE-2017-5715
CVE-2017-5753
CVE-2017-5754
Arista NetworksSecurity Advisory 0031: Arista Products vulnerability report
ARMVulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism
Cache Speculation Side-channels whitepaper
ARM Trusted Firmware Security Advisory TFV 6
Compiler support for mitigations
Arm64 KPTI Kernel Patches
Aruba NetworksARUBA-PSA-2018-001: Unauthorized Memory Disclosure through CPU Side-Channel Attacks ("Meltdown" and "Spectre")
AsperaSecurity Bulletin: Aspera Products and the Meltdown and Spectre vulnerabilities (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
ASRockASRock New Bios Update For Speculated System Vulnerability
New BIOS for Intel SA-00088 security update
FAQ ID 33: What is Meltdown and Spectre issue
ASRock Support: Latest BIOS Update
ASUSASUS Motherboards Microcode Update for Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
ASUS Update on Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
AsustorASUSTOR responds to Intel Meltdown and Spectre vulnerabilities
因應 Intel Meltdown 與 Spectre 安全漏洞,華芸釋出ADM 3.0.5 韌體與AS6302T / AS6404T的 BIOS更新
AtlassianUpdate on Meltdown and Spectre processor vulnerabilities
Hipchat Data Center release notes: Hipchat Data Center 3.1.3 - January 22nd 2018 - Production channel
Hipchat Server Release Notes: Hipchat Server 2.2.8 - January 15th, 2018
Auth0Meltdown & Spectre: What Auth0 Customers Need to Know
AutodeskAutodesk Vault and the "Meltdown" and "Spectre" vulnerabilities
Autodesk Vault und dem meltdown" und "spectre" Schwachstellen
Autodesk Vault et arborescence du "spectre meltdown vulnérabilités" et de"
Autodesk Vault e il "e" meltdown spectre" Vulnerabilities
Autodesk Vault 및 "Meltdown" 및 "Spectre" 보안
Autodesk Vault и "Meltdown" и "Spectre" уязвимости
AvastAvast Antivirus compatibility with Windows update for Meltdown and Spectre vulnerabilities
AvayaASA-2018-001: linux-firmware security update (RHSA-2018-0007)
ASA-2018-002: linux-firmware security update (RHSA-2018-0013)
ASA-2018-004: linux-firmware security update (RHSA-2018-0012)
ASA-2018-005: linux-firmware security update (RHSA-2018-0008)
ASA-2018-006: linux-firmware security update (RHSA-2018-0014)
ASA-2018-011: VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution. (VMSA-2018-0002)
AVGAVG Antivirus compatibility with Windows update for Meltdown and Spectre vulnerabilities
AviraDon’t be afraid of a ‘Meltdown’ with the new Microsoft update
Answer 71132: Is Avira Antivirus compatible with the new Microsoft patch for the Meltdown vulnerability?
AVMAktuelle Sicherheitshinweise: Meltdown und Spectre – keine Angriffsmöglichkeit bei AVM-Produkten
Azure (Microsoft)Securing Azure customers from CPU vulnerability
Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities
Guidance for mitigating speculative execution side-channel vulnerabilities in Azure
BarklyThe Meltdown and Spectre CPU Bugs, Explained
Barracuda NetworksBarracuda Networks Security Advisory
BDProduct Security
Product security bulletin for Meltdown and Spectre
Product security bulletin for Meltdown and Spectre Update 1
Beckman CoulterMeltdown/Spectre Processor Chip Vulnerability
BerganKDVSecurity Alert: Meltdown and Spectre Hardware Bugs Put Nearly All Devices at Risk
BitDefender2072: Understanding the impact of Meltdown and Spectre CPU exploits on Bitdefender GravityZone users
9033: Information for Bitdefender users on the Microsoft January 2018 Security Update
BitnamiSpectre and Meltdown: Privileged memory read vulnerability in several CPUs (Reading privileged memory with a side-channel)
BlackBerryArticle Number: 000047401 BlackBerry powered by Android Security Bulletin – January 2018 (see CVE-2017-13218)
BMCCPU Vulnerabilities - Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715)
Update: CPU Vulnerabilities - Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715)
BomgarBomgar and the latest CVEs
BoxThe Meltdown and Spectre CPU vulnerabilities: What you need to know as a Box customer
Update: The Meltdown and Spectre CPU vulnerabilities: What you need to know as a Box customer
BrightSignSecurity Statement: Meltdown and Spectre Vulnerabilities
brightsolidProcessor Vulnerability Advice
BroadcomEmulex Connectivity Division Security Advisory: Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method Vulnerabilities (Spectre, Meltdown)
BromiumImportant information relating to the Intel CPU design flaw
BuffaloCPU -Vulnerability(CVE-2017-5753,CVE-2017-5715,CVE-2017-5754
BullGuardIntel, ARM and AMD chip flaws - Advice
CA TechnologiesDOC-231179418: Meltdown / Spectre vulnerabilities - Workload Automation AE / DE / Agents Advisory
TEC1272616: Addressing the Spectre and Meltdown Vulnerabilities (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) for the API Management Product Suite
Official announcement on Meldown/Spectre
CanonRegarding the CPU vulnerabilities Meltdown and Spectre
Capsule8Part One: Detecting Meltdown using Capsule8
Part Two: Detecting Meltdown and Spectre by Detecting Cache Side Channels
Carbon BlackCarbon Black Solutions Currently Compatible With Major OS Vendor Patches on Meltdown & Spectre
CatalystSpectre and Meltdown - security advisory
CentOSCESA-2018:0007 Important CentOS 7 kernel Security Update
CESA-2018:0008 Important CentOS 6 kernel Security Update
CESA-2018:0012 Important CentOS 7 microcode_ctl Security Update
CESA-2018:0013 Important CentOS 6 microcode_ctl Security Update
CESA-2018:0014 Important CentOS 7 linux-firmware Security Update
Check Pointsk122205: Check Point Response to Meltdown and Spectre (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
ChromiumActions Required to Mitigate Speculative Side-Channel Attack Techniques
Status of mitigations for CVE-2017-5754 (Meltdown) for each Chrome OS device
Ciscocisco-sa-20180104-cpusidechannel - CPU Side-Channel Information Disclosure Vulnerabilities
Alert ID 56354: CPU Side-Channel Information Disclosure Vulnerabilities
CitrixCTX231399: Citrix Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
ClearOSCVE-2017-5715
CVE-2017-5753
CVE-2017-5754
Cloud FoundryMeltdown and Spectre Attacks
CommvaultSecurity: Meltdown and Spectre Chip Vulnerability
ComodoMeltdown and Spectre – Serious Vulnerabilities Which Affect Nearly Every Computer and Device
ConnectWiseMeltdown and Spectre Sparks Fire for Immediate OS Patch
ContegixOur Response to Meltdown and Spectre
CoreOSContainer Linux patched to address Meltdown vulnerability
CouchbaseSpeculative Execution Processor Vulnerabilities – ‘Meltdown and Spectre’: What you need to know
cPanelMeltdown - CVE-2017-5753 CVE-2017-5715 CVE-2017-5754
CrestronAnswer ID 5471: The latest details from Crestron on security and safety on the Internet
Cumulus NetworksMeltdown and Spectre: Modern CPU Vulnerabilities
Cumulus Networks® Security Advisory 2018-January-4
CyberAdaptThe Spectre of a Meltdown:
CybereasonWhat are the Spectre and Meltdown CPU vulnerabilities
CylanceMeltdown and Spectre Vulnerabilities (account required)
Cylance Not Impacted by Meltdown or Spectre Vulnerabilities
CyrenIMPORTANT - Hotfix 2018-01 for F-PROT and CSAM
Dahua TechnologySecurity Notice 331 – information on critical vulnerabilities, Meltdown and Spectre, affecting CPU processors
DattoPartner Meltdown Security Update
DebianDebian Security Advisory DSA-4078-1 linux -- security update
Deep InstinctDeep Instinct Announces it is Not Impacted by Meltdown or Spectre Vulnerabilities
DellMeltdown and Spectre Vulnerabilities
SLN308587 - Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products
SLN308588 - Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)
SLN308615 - Microprocessor Side-Channel Vulnerabilities “Meltdown” and “Spectre” (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell Data Security Solutions
Dell EMCDOCU87480: Technical Documentation
Cloud for Microsoft Azure Stack 1712 Patch and Update Guide

DOCU85636: EMC Secure Remote Services 3.26.10.06 Common Vulnerabilities and Exposures (CVE) Identifiers List
DeloitteAnálisis Gestión de vulnerabilidad Meltdown & Spectre
Kurz und knapp: Spectre & Meltdown
DFIDFI Update of Intel Security Vulnerabilities Issue
DigiSpectre and Meltdown Vulnerabilities - (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754)
Digital OceanA Message About Intel Security Findings
How To Protect Your Server Against the Meltdown and Spectre Vulnerabilities
DocuSignUpdate 1/4/2018 – DocuSign Meltdown and Spectre Security Alert Status
Update 1/12/2018 – DocuSign Meltdown and Spectre Response Status
DraegerDräger Product Security Advisory 201801: Meltdown and Spectre Vulnerabilities
Dragonfly BSDIntel Meltdown bug mitigation in master
More Meltdown fixes
DrupalDrupal.org Updates - Mitigating the risks of Spectre and Meltdown
Addressing meltdown/spectre in Drupal
DruvaTroubleshooting Spectre and Meltdown
Duo SecurityArticle 4612: Is Duo affected by the recent Spectre or Meltdown vulnerabilities?
EdificomMeltdown and Spectre Vulnerabilities
EFITech Note 5558: Intel CPU Security Vulnerabilities: Spectre, Meltdown
ElasticElastic Cloud and Meltdown
Electro RentInformation regarding “Meltdown and Spectre” CPU vulnerabilities
EmersonMeltdown and Spectre Vulnerabilities (account required)
EmsisoftChip vulnerabilities and Emsisoft: What you need to know
EndgameEndgame Is Compatible with the Spectre/Meltdown Patches
EnsiloFrequently Asked Questions: Spectre & Meltdown
Epic GamesEpic Services & Stability Update
ESETESET Customer Advisory 2018-001: Spectre and Meltdown Vulnerabilities Discovered
ESET Knowledgebase Article 6662: Best practices against the Spectre and Meltdown vulnerabilities
ESET Support News 6657: ESET Endpoint Security and ESET Endpoint Antivirus version 6.6.2072.2 and 6.5.2118.2 have been released
ESET Support News 6658: ESET Cyber Security Pro and ESET Cyber Security version 6.5.600.2 have been released
ESET Newsroom: Meltdown & Spectre: How to protect yourself from these CPU security flaws
ESET We Live Security: MADIoT – The nightmare after XMAS (and Meltdown, and Spectre)
ESTsecurity인텔 CPU 취약점(Meltdown&Spectre) 분석 및 이스트시큐리티 대응상황
EVGAX299 BIOS Updates with Pre/Post Spectre updates
Z170 BIOS Update with Spectre updates
Z270 BIOS Update with Spectre updates
Z370 BIOS Updates with Pre/Post Spectre updates
ExtraHopSpectre and Meltdown attacks
Extreme NetworksMeltdown and Spectre (VN 2017-001 & VN 2017-002)
VN 2018-001 (CVE-2017-5715, CVE-2017-5753 - Spectre)
VN 2018-002 (CVE-2017-5754 - Meltdown)
F5 NetworksK91229003: Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754
FaronicsKB 435: Faronics Antivirus and Microsoft updates from January 3, 2018 (Spectre / Meltdown)
Fasthosts Answer ID 3136: Mitigating Meltdown and Spectre - Linux
FedoraProtect your Fedora system against Meltdown
Fifty Seven NetworkMeltdown, Spectre, and Smartsheet
FireEyeFireEye Endpoint Security Agent is Compatible with the Meltdown Windows Security Update
ForcepointForcepoint Updates on Spectre and Meltdown
KB000014933: Meltdown and Spectre Vulnerability CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
ForeScoutMeltdown and Spectre CPU Vulnerabilities
FortinetFortinet Advisory on New Spectre and Meltdown Vulnerabilities
Foundation ITMeltdown and Spectre Exploits
FreeBSDFreeBSD News Flash
Response to Meltdown and Spectre
FujitsuCPU hardware vulnerable to side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
Side-Channel Analysis Method: (Spectre & Meltdown) Security Review
G DATA"Meltdown" and "Spectre": researchers discover severe CPU bugs
GandiMeltdown and Spectre vulnerabilities
GemaltoMeltdown and Spectre microprocessor vulnerabilities
General ElectricID 000020832 (account required)
Gentoo LinuxBug 643340 (CVE-2017-5753) - [TRACKER] hw: cpu: speculative execution bounds-check bypass (CVE-2017-5753)
Bug 643342 (CVE-2017-5715) - [TRACKER] hw: cpu: speculative execution branch target injection (CVE-2017-5715)
Bug 643344 (CVE-2017-5754) - [TRACKER] hw: cpu: speculative execution permission faults handling (CVE-2017-5754)
GetacGetac’s Statement on Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
GFIGFI LanGuard - Security flaws "Meltdown" and "Spectre" affecting CPU
GigabyteBIOS update for Side Channel Analysis Security issue Mitigations
GoogleGoogle Project Zero: Reading Privileged Memory with a Side-Channel
Google’s Mitigations Against CPU Speculative Execution Attack Methods
HerokuMeltdown and Spectre Security Update
Hetzner OnlineSpectre and Meltdown
HikvisionSNNo: HSRC-201801-08 - Statement on the Meltdown and Spectre Vulnerabilities in the Intel CPU Architecture Design
HitachiHitachi Storage Solutions: Notice on "side channel attack to the CPUs with speculative execution function"
Hitachi Vantara: Support Information: CVE Security Notices (account required)
HoneywellMeltdown and Spectre Vulnerabilities
HPDocument ID: c05869091: HPSBHF03573 rev. 2 - Side-Channel Analysis Method
HPESide Channel Analysis Method allows information disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
HPESBHF03805 - Certain HPE products using Microprocessors from Intel, AMD, and ARM, with Speculative Execution, Elevation of Privilege and Information Disclosure.
a00039267en_us: Bulletin: (Revision) HPE ProLiant, Moonshot and Synergy Servers - Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
a00039784en_us: Advisory: (Revision) ProLiant Gen8, Gen9 and Gen10 Series Servers - CUSTOMER ACTION REQUIRED: Some System ROMs That Addressed the Side Channel Analysis Vulnerability Have Been Removed from the HPE Download Site
HuaweiSecurity Notice - Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design
iBASENotice - Meltdown and Spectre Security Vulnerabilities
IBMPotential CPU Security Issue
Potential Impact on Processors in the POWER Family
IBM Security Security Bulletin: IBM has released AIX and VIOS iFixes in response to the vulnerabilities known as Spectre and Meltdown.
Central Processor Unit (CPU) Architectural Design Flaws
Central Processor Unit (CPU) Architectural Design Flaws
Central Processor Unit (CPU) Architectural Design Flaws - additional guidance for Db2 customers
IBM MQ Advice Regarding Operating System Security Patches for Spectre and Meltdown
Action required for IBM MQ on AWS Quick Start for security vulnerabilities in Ubuntu.
QRadar Meltdown/Spectre CVEs support considerations
Security Bulletin 2012718: IBM StoredIQ is affected by the vulnerabilities known as Spectre and Meltdown.
Security Bulletin T1026811: This Power firmware update is being released to address Common Vulnerabilities and Exposures issue numbers CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754 (known as Spectre and Meltdown)
Security Bulletin T1026831: IBM Cloud Manager is affected by the vulnerabilities known as Spectre and Meltdown
Security Bulletin T1026905: Potential CPU security issue with IBM System x, Flex and BladeCenter Systems
Security Bulletin T1026912: IBM has released AIX and VIOS iFixes in response to the vulnerabilities known as Spectre and Meltdown.
Security Bulletin N1022433: IBM has released PTFs in response to the vulnerabilities known as Spectre and Meltdown
IGELIGEL Furthers Product Security with Meltdown and Spectre Fix
Igloo SoftwareSecurity Alerts
IkarusTwo far-reaching vulnerabilities discovered in all modern CPUs. Some updates are available
Zwei weitreichende Sicherheitslücken in allen modernen CPUs entdeckt. Einige Updates sind bereits verfügbar.
Update zum Thema Meltdown & Spectre
ImpervaImperva Security Response to “Meltdown” and “Spectre” Exploits (Side-Channel Attacks to CPU privileged memory)
InforA message to our customers about the Meltdown and Spectre vulnerabilities
Inmotion HostingUPDATE (Jan 12, 2018): Spectre and Meltdown
IntegoMeltdown and Spectre: What Apple Users Need to Know
IntelSide-Channel Attacks - Vulneratiliby Analysis< News, and Updates
INTEL-SA-00088 Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
INTEL-SA-00088 for Intel NUC, Intel Compute Stick, and Intel Compute Card
INTEL-SA-00088 for Intel Server Boards, Intel Server Systems, and Intel Server Accessories
INTEL-OSS-10002: Speculative Execution Branch Prediction Side Channel and Branch Prediction Analysis Method
INTEL-OSS-10003: Speculative Execution Data Cache and Indirect Branch Prediction Method Side Channel Analysis
DOC 336996-001: Speculative Execution Side Channel Mitigations
Intel Analysis of Speculative Execution Side Channels
Microcode Revision Guidance
Security Exploits and Intel Products
Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners
Security Issue Update: Progress Continues on Firmware Updates
IvantiDOC-65669: Ivanti Device and Application Control (formerly HEAT Endpoint Security) compatibility with Microsoft patches for Meltdown/Spectre
Jiangmin江民科技发布:CPU漏洞分析报告及解决方案
Johnson & JohnsonJanuary 12, 2017 - Product Security Notification for Meltdown and Spectre
Johnson ControlsMeltdown and Spectre Vulnerabilities
Joyent(UPDATED 22-Jan-2018) Security Advisory: Intel Security Findings: "Meltdown" and "Spectre"
JuniperJSA10842: 2018-01 Out of Cycle Security Bulletin: Meltdown & Spectre: CPU Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
K7 ComputingK7 Products are Compatible with Meltdown & Spectre Patches!
KaseyaMeltdown and Spectre FAQs
Kaspersky LabKaspersky Lab Daily January 4, 2018: Two severe vulnerabilities found in Intel’s hardware
ID: 14042: Compatibility of Kaspersky Lab solutions with the Microsoft Security update of January 3, 2018
KEMP TechnologiesMeltdown and Spectre (CVE-2017-5754 & CVE-2017-5753)
KNOPPIXSicherheitslücke in allen aktuellen Prozessoren Meltdown und Spectre
Konica MinoltaSpectre and Meltdown CPU Vulnerabilities and Konica Minolta MFPs
KyoceraKyocera Document Solutions Europe Update - Spectre meltdown Whitepaper
LANCOM SystemsAllgemeine Sicherheitshinweise: Spectre und Meltdown: LANCOM Geräte sind nicht betroffen
LansweeperWindows Meltdown-Spectre patches: Preliminary report
Discover devices vulnerable to the Meltdown CPU flaw
Meltdown and Spectre
LenovoLenovo Security Advisory LEN-18282: Reading Privileged Memory with a Side Channel
Lime TechnologyunRAID Server OS 6.4.0 Released
LinodeCPU Vulnerabilities: Meltdown & Spectre
Linux MintSecurity notice: Meltdown and Spectre
Liquid WebHere Is What You Need to Know About Meltdown and Spectre
LittlefishMeltdown & Spectre Security Vulnerabilities
LLVMD41723: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities
D41760: Introduce __builtin_load_no_speculate
D41761: Introduce llvm.nospeculateload intrinsic
Mageia LinuxCVE-2017-5715
CVE-2017-5753
CVE-2017-5754
MalwarebytesDOC-2297: Meltdown and Spectre Vulnerabilities - what you should do to protect your computer
ManageEngineMeltdown and Spectre: Battling the bugs in Intel, AMD, and ARM processors
MS18-JAN5: Prerequisite Handler for Meltdown and Spectre
McAfeeTS102769: Microsoft Security Update January 2018 (Meltdown and Spectre) and McAfee consumer products
KB90167: Meltdown and Spectre – McAfee Business and Enterprise Product Compatibility Update
MedtronicSecurity Updates: Spectre/Meltdown (Jan. 19, 2018)
Micro FocusKB7022526: Advanced Authentication and Meltdown and Spectre Vulnerabilities
KB7022558: iPrint Appliance and Meltdown / Spectre vulnerabilities (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
KB7022571: Spectre and Meltdown Vulnerabilities on Service Desk Appliance
KB7022572: Spectre and Meltdown Vulnerabilities on ZENworks and ZENworks Reporting Appliances
KB7022578: Meltdown and Spectre CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715
KB7022589: Recommendations for Meltdown and Spectre Vulnerability for PlateSpin products.
MicroleaseInformation regarding “Meltdown and Spectre” CPU vulnerabilities
MicrosoftSecurity Advisory 180002: Guidance to mitigate speculative execution side-channel vulnerabilities
KB4056890: Windows 10 Update (OS Build 14393.2007)
KB4072698: Windows Server guidance to protect against speculative execution side-channel vulnerabilities
KB4072699: Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software
KB4073065: Surface Guidance to protect against speculative execution side-channel vulnerabilities
KB4073119: Windows Client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
KB4073225: SQL Server Guidance to protect against speculative execution side-channel vulnerabilities
KB4073757: Protect your Windows devices against Spectre and Meltdown
KB4090007: Intel microcode updates
KB4093836: Summary of Intel microcode pdates
Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer
Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems
Protecting guest virtual machines from CVE-2017-5715 (branch target injection)
SpeculationControl module provides the ability to query the speculation control settings for the system.
Update on Spectre and Meltdown security updates for Windows devices
MicroWorld Technologies Meltdown and Spectre – CPU Vulnerabilities
MitelMitel Product Security Advisory 18-0001: Side-Channel Analysis Vulnerabilities
MozillaMozilla Foundation Security Advisory 2018-01: Speculative execution side-channel attack ("Spectre")
MSIMSI pushes out motherboard BIOS updates to tackle recent security vulnerabilities
myAirWatchSecurity Vulnerability: CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown)
NANO SecurityСовместимость с обновлением безопасности, закрывающим уязвимости Spectre и Meltdown
NetAppNTAP-20180104-0001: Processor Speculated Execution Vulnerabilities in NetApp Products
NetgateAn update on Meltdown and Spectre
NetgearPSV-2018-0005: Security Advisory for Speculative Code Execution (Spectre and Meltdown) on Some ReadyNAS and ReadyDATA Storage Systems
NeverwareMeltdown, Spectre, and CloudReady
UPDATE: CloudReady v61.3 released on all channels of the Home Edition
NexsanMicroprocessor Side-Channel Vulnerabilities Meltdown and Spectre
NexusguardWhat are Meltdown and Spectre and How Do They Impact Nexusguard?
NGINXNGINX Response to the Meltdown and Spectre Vulnerabilities
NutanixAdvisory ID nutanix-sa-007-specexvul: Side-Channel Speculative Execution Vulnerabilities January 2018
nVidiaID 4609: Speculative Side Channels
ID 4610: NVIDIA GeForce Experience Security Updates for CPU Speculative Side Channel Vulnerabilities
ID 4611: NVIDIA GPU Display Driver Security Updates for Speculative Side Channels
ID 1612: NVIDIA DGX Systems - Response to speculative side channels CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754
ID 4613: NVIDIA Shield TV Security Updates for Speculative Side Channels
ID 4614: NVIDIA Shield Tablet Security Updates for Speculative Side Channels
ID 4616: ID: NVIDIA Tegra Jetson TX1 L4T and Jetson TK1 L4T Security Updates for Speculative Side Channels
ID 4617: NVIDIA Jetson TX2 L4T Security Updates for CPU Speculative Side Channel Vulnerabilities
NyotronNyotron’s PARANOID is Compatible with Microsoft Patch for Meltdown and Spectre
OktaSecurity Bulletin: Meltdown and Spectre vulnerabilities
OnAppMeltdown and Spectre CPU Issues
One IdentityKB237253: Is Safeguard affected by the Spectre vulnerability (CVE-2017-5753 & CVE-2017-5754) or Meltdown (CVE-2017-5715)? (237253)
Open TelekomOpen Telekom Cloud Security Advisory about Processor Speculation Leaks (Meltdown/Spectre)
OpenBSDMeltdown
OpenGearCVE-2017-5754, CVE-2017-5715, CVE-2017-5753 - Meltdown and Spectre CPU Vulnerabilities
OpenStackOpenStack, Spectre and Meltdown: What you need to know
OpenSUSE[Security-Announce] Meltdown and Spectre Attacks
Optiv SecurityRegarding Spectre and Meltdown
OracleOracle Critical Patch Update Advisory - January 2018
Doc ID 2347948.1: Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown (account required)
Doc ID 2338411.1: January 2018 Critical Patch Update: Executive Summary and Analysis (account required)
Oracle LinuxOracle Linux CVE repository: CVE-2017-5715
Oracle Linux CVE repository: CVE-2017-5753
Oracle Linux CVE repository: CVE-2017-5754
OSIsoftAL00333 - Meltdown and Spectre: What PI System users need to know about these vulnerabilities
Outpost24Meltdown and Spectre Vulnerabilities for CPUs
OVHInformation about Meltdown and Spectre vulnerability fixes
Find your patch for Meltdown and Spectre
ownCloudAfter Spectre and Meltdown: Why “Private” means “Performance”
PacketGuide to Meltdown / Spectre CPU Vulnerabilities
Palo Alto NetworksInformation about Meltdown and Spectre findings (PAN-SA-2018-0001
PanasonicG18-001: Security information of vulnerability by Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
Panda Security100059: Important information regarding Meltdown/Spectre and Microsoft Security Advisor ADV180002
Parrotmeltdown/spectre security patches
Parrot 3.11 release notes
PatchmanImpending urgent security updates
Pepperl+FuchsTDOCT-6012_ENG: Security Advisory for Meltdown and Spectre Attacks in HMI Devices
PhilipsSecurity Advisory & Archive: Customer information on Meltdown & Spectre Global Security Issue
Phoenix Contact300402819: Security Advisory addressing Meltdown and Spectre vulnerabilities [CVE-2017-5754, CVE-2017-5715, CVE-2017-5753]
Platform.shSpectre/Meltdown Security Update Notice
PleskCVE-2017-5715 Spectre vulnerability variant 2
CVE-2017-5753 Spectre vulnerability variant 1
CVE-2017-5754 Meltdown vulnerability
PolycommSECURITY ADVISORY – Processor based “Speculative Execution” Vulnerabilities AKA "Spectre" and "Meltdown"
PostgreSQLheads up: Fix for intel hardware bug will lead to performance regressions
Prgmr.comSpeculative information disclosure
Updates on speculative information disclosure - Thu, 04 Jan 2018
Updates on speculative information disclosure - Tue, 09 Jan 2018
ProtivitiSecurity Advisory - New Class of Vulnerabilities Introduced to Enterprise Systems: Meltdown and Spectre
ProxmoxMeltdown and Spectre Linux Kernel fixes
Puget Custom ComputersMeltdown and Spectre
Intel CPU flaw kernel patch effects - GPU compute Tensorflow Caffe and LMDB database creation
Pulse SecureKB43597 - Impact of CVE-2017-5753 (Bounds Check bypass, AKA Spectre), CVE-2017-5715 (Branch Target Injection, AKA Spectre) and CVE-2017-5754 (Meltdown) on Pulse Secure Products
KB43600 - After installing January 3, 2018 Microsoft Patches, Pulse client connections fail when Host Checker is applied
PuppetVerify Spectre / Meltdown protections remotely with Puppet Bolt on Windows
A Puppet module for detecting and remediating Meltdown / Spectre
Detect and remediate Meltdown / Spectre vulnerability
Purism Meltdown, Spectre and the Future of Secure Hardware
Purism patches Meltdown and Spectre variant 2, both included in all new Librem laptops
PWCMeltdown y Spectre Una amenaza latente en su organización
QEMUQEMU and the Spectre and Meltdown attacks
Qihu 360Meltdown与Spectre:近期CPU特性漏洞安全公告
360:处理器Meltdown与Spectre漏洞修复简要指南
QNAPNAS-201801-08: Security Advisory for Speculative Execution Vulnerabilities in Processors
QualysProcessor Vulnerabilities – Meltdown and Spectre
HOW-TO 000002746: Qualys Response to Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715)
QuantaIntel Security Advisory update
Qubes OSAnnouncement regarding XSA-254 (Meltdown and Spectre attacks)
QuboleQubole Security Update Notice
QuestKB237413: Meltdown (CVE-2017-5715) and Spectre (CVE-2017-5753 & CVE-2017-5754) CPU Vulnerability (237413)
Quick HealQuick Heal is compatible with Microsoft’s Jan 3 update for Meltdown and Spectre
Seqrite is compatible with Microsoft’s Jan 3 update for Meltdown and Spectre
RackspaceRackspace mitigations against CPU speculative execution vulnerabilities
Rapid7Meltdown and Spectre: What you need to know (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
Raspberry PiWhy Raspberry Pi isn’t vulnerable to Spectre or Meltdown
Red HatKernel Side-Channel Attacks – CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
RHSA-2018:0008 - Security Advisory
RHSA-2018:0012 - Security Advisory
RHSA-2018:0013 - Security Advisory
RHSA-2018:0014 - Security Advisory
Rendition InfosecMeltdown and Spectre – enterprise action plan
ResolverSecurity Vulnerability: Meltdown and Spectre
RISC-V FoundationBuilding a More Secure World with the RISC-V ISA
RisingCPU漏洞到底该怎么破? 瑞星发布解决方案
Riverbed TechnologyJan 05, 2018: Update on Meltdown and Spectre
Support KB ID S31752 (account required)
Rockwell AutomationAnswer ID: 1070884: Rockwell Automation Briefing on "Meltdown" and "Spectre" vulnerabilities. (account required)
Answer ID: 1071234: Microsoft Windows Security Updates for Meltdown/Spectre Vulnerabilities Impact (account required)
RSA000035890 - Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on RSA products
Ruckus NetworksArticle Number 000007583: Is there any imact of Meltdown and Spectre vulnerabilities on Ruckus Products?
ID 20180105 FAQ: Spectre and Meltdown Vulnerabilities – CVE-2017-5753 CVE-2017-5715
& CVE-2017-5754
SalesforceKnowledge Article Number 000269171: Salesforce addresses 'Spectre' and 'Meltdown' vulnerabilities
Knowledge Article Number 000269190: Salesforce response to 'Spectre' and 'Meltdown' Vulnerabilities
SamsungAbout speculative execution vulnerabilities in ARM-based CPUs
Android Security Updates: January 2018
SanDataProzessor-Schwachstellen Meltdown und Spectre
SAP2585891: Meltdown and Spectre execution vulnerabilities on Linux (login required)
2586312: Linux: How to protect against speculative execution vulnerabilities (login required)
SASSAS Statement Regarding Meltdown/Spectre Vulnerabilities
ScalewaySpectre and Meltdown Vulnerabilities Status Page
Scan ComputersI have a concern about Spectre & Meltdown Security exploits
Schneider ElectricSEVD-2018-005-01: Security Notification – Spectre and Meltdown
FAQ #336892: UPDATED: 10-JAN-2018 | Security Notification: "Meltdown" (CVE-2017-5754) and "Spectre" (CVE-2017-5753 & CVE-2017-5715)​ - impact to APC products
Scientific LinuxCVE-2017-5715
CVE-2017-5753
CVE-2017-5754
ScyllaDBThe Cost of Avoiding a Meltdown
SecurityCoverageThreat Alert: Meltdown and Spectre Vulnerabilities
Sentinel OneMeltdown/Spectre – A tale of two vendors
SentinelOne is Compatible with “Meltdown” and “Spectre” Fixes
ServiceNowKB0661896: Spectre/Meltdown CPU Vulnerabilities - 01/04/18
SiemensSSB-068644: General Customer Information for Spectre and Meltdown
SSB-168644: Spectre and Meltdown Vulnerabilities in Industrial Products
Silver PeakCPU Side-Channel Attacks - Spectre Attacks: Exploiting Speculative Execution - Meltdown: Rogue Data Cache Load
SIOSCPU由来の脆弱性情報(Meltdown and Spectre Vulnerability : CVE-2017-5753, CVE-2017-5754, CVE-2017-5715)
Slackware[slackware-security] kernel (SSA:2018-016-01)
SmartsheetMeltdown, Spectre and Smartsheet
Smiths MedicalCyber Security Engineering Products Security Bulletin 2018 JAN 12.1
SOC PrimeMeltdown and Spectre attacks exploit vulnerabilities in CPU to steal data
SolarWindsUpdate: AV: January 5, 2018: Notice of Vulnerability CVE-2017-5733, CVE-2017-5715 (Spectre) and CVE-2017-5754 (Meltdown)
SonicWallMeltdown and Spectre Vulnerabilities: A SonicWall Alert
Sophos128053: Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre)
SpectracomSpectre and Meltdown Vulnerabilities (CVE-2016-5715, CVE-2017-5753, CVE-2017-5754)
SplunkSecurity Update: Meltdown and Spectre vulnerabilities
SpotinstSpotinst Update Concerning: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
StrykerSecurity advisories notification for Meltdown and Spectre vulnerabilities
SuperMicroSecurity Vulnerabilities Regarding Side Channel Speculative Execution and Indirect Branch Prediction Information Disclosure (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
SUSESUSE Addresses Meltdown and Spectre Vulnerabilities
SUSE Linux security updates CVE-2017-5715
SUSE Linux security updates CVE-2017-5753
SUSE Linux security updates CVE-2017-5754
KB7022512: Security Vulnerability: "Meltdown" and "Spectre" side channel attacks against CPUs with speculative execution.
KB7022514: Security Vulnerability: "Meltdown" and "Spectre" - Hypervisor Information.
SymantecINFO4793: Meltdown and Spectre: Are Symantec Products Affected?
SA161: Local Information Disclosure Due to Meltdown and Spectre Attacks
SynologySynology-SA-18:01 Meltdown and Spectre Attacks
Tableau[Informational] INF-2018-001: CPU Speculative Execution Vulnerabilities
TaniumSpectre and Meltdown FAQ
TenableThe First Major Security Logos of 2018: Spectre and Meltdown Vulnerabilities
Tencent影响全球的CPU漏洞深度解读:熔断与幽灵
TenFourFoxIs PowerPC susceptible to Spectre? Yep.
More about Spectre and the PowerPC (or why you may want to dust that G3 off)
Actual field testing of Spectre on various Power Macs (spoiler alert: G3 and 7400 survive!)
ThecusAnnouncement: Thecus is aware of the recently discovered security vulnerabilities known as Meltdown and Spectre. We are working on solutions for our products. Updates for our NAS and ThecusOS will be released very soon<./a>
Thecus updates ThecusOS 7.0 for Spectre & Meltdown
Thomas KrennSicherheitshinweise zu Meltdown und Spectre
TIBCO2018-JAN-05: Meltdown and Spectre Vulnerability Update
2018-JAN-12: Meltdown and Spectre Vulnerability Update
ToshibaID 4015952: Intel, AMD & Microsoft Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method Security Vulnerabilities
Trend MicroSolution ID: 1118996: Important Information for Trend Micro Solutions and Microsoft January 2018 Security Updates
Solution ID: 1119183: Important Information for Trend Micro Solutions and Microsoft January 2018 Security Updates (Meltdown and Spectre)
TyanTyan BIOS updates for Intel Microprocessor vulnerabilities
UbuntuUbuntu Updates for the Meltdown / Spectre Vulnerabilities
UnitrendsArticle 000005935: CVE-2017-5753 kernel: speculative execution bounds-check bypass (meltdown/spectre)
UpCloudInformation regarding the Intel CPU vulnerability (Meltdown)
VAIOSide Channel Analysis に関する脆弱性対応について
VeeamKB ID 2427: Meltdown and Spectre vulnerabilities
VeritasArticle ID 100041496: Veritas Appliance Statement on Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715)
VertivVertiv Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
VIPRE1000258536: Critical Alert - 1/3/2018 Windows Security Update
Virtuozzo Virtuozzo Addresses Intel Bug Questions
Important kernel security update: Fixes for Meltdown and Spectre exploits; new kernel 3.10.0-693.11.6.vz7.40.4, Virtuozzo 7.0 Update 6 Hotfix 3 (7.0.6-710)
Important kernel security update: Fixes for Meltdown and Spectre exploits; new kernel 2.6.32-042stab127.2, Virtuozzo 6.0 Update 12 Hotfix 20 (6.0.12-3690)
Important kernel security update: Fixes for Meltdown and Spectre exploits; new kernel 2.6.32-042stab127.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
VirusBlockAdaШифрование чатов, уязвимость в Intel AMT и новый протокол Wi-Fi WPA3 - дайджест минувшей недели
VMRayOur Statement on Spectre and Meltdown
VMwareVMSA-2018-0002 VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution
VMSA-2018-0004 VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue
VMSA-2018-0007 VMware Virtual Appliance updates address side-channel analysis due to speculative execution
KB52085: Hypervisor-Assisted Guest Mitigation for branch target injection (52085)
KB52245: VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52245)
KB52264: VMware Virtual Appliances and CVE-2017-5753, CVE-2017-5715 (Spectre), CVE-2017-5754 (Meltdown) (52264)
KB52292: VMware NSX Guest Introspection compatibility for Microsoft Windows patches released for "Spectre" and "Meltdown" (52292)
KB52337: VMware Performance Impact for CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52337)
KB52345: Intel Sightings in ESXi Bundled Microcode Patches for VMSA-2018-0004 (52345)
KB52367: VMware 仮想アプライアンスと CVE-2017-5753、CVE-2017-5715 (Spectre)、CVE-2017-5754 (Meltdown) (52367)
KB52368: VMware 虚拟设备和 CVE-2017-5753、CVE-2017-5715 (Spectre)、CVE-2017-5754 (Meltdown) (52264) (52368)>/a>
VultrIntel CPU Vulnerability Alert
WatchGuardArticle ID 000011204: Meltdown and Spectre Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
WebkitWhat Spectre and Meltdown Mean For WebKit
WebKitGTK+ Security Advisory WSA-2018-0001
WebrootSolution 2837: This solution allows users to enable their devices to receive the latest Microsoft January 2018 Security Patch
Wind RiverSpectre and Meltdown – How to Respond in the Embedded World
Security Vulnerability Response Information: Meltdown and Spectre: CVE-2017-5753, CVE-2017-5715, CVE-2017-5754
Spectre and Meltdown FAQ
Wind River Security Vulnerability Notice: Linux Kernel Meltdown and Spectre Break (Side-Channel Attacks) - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
Updated Intel Microcode 20180108
Wonderware PacWestImportant! Tech Alert 287
XenAdvisory XSA-254: Information leak via side effects of speculative execution
Xen Project Spectre / Meltdown FAQ (Jan 22 Update)
XKCDMeltdown and Spectre (user education)
YokogawaSecurity Information: CPU Vulnerability Meltdown / Spectre
ZebraReference No 01-0118-01: Spectre and Meltdown Security Vulnerability Updates
ZertoKB Number 000001474: Meltdown and Spectre Vulnerability (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) Update
ZscalerMeltdown and Spectre vulnerabilities: What you need to know
Meltdown and Spectre vulnerabilities: Protecting Zscaler Cloud
Meltdown and Spectre Vulnerabilities - initial assessment
ZyxelZyxel security advisory for Meltdown and Spectre attacks

Kevin Beaumont of DoublePulsar Security, announced on Twitter that he is tracking the compatibility of anti-malware software with Microsoft’s patches in a Google Docs spreadsheet.

Technical Details

The confusion over brands of affected CPUs may be due to the fact that this is not one vulnerability, but two similar vulnerabilities, dubbed Meltdown and Spectre by their respective discoverers.  The Meltdown vulnerability is limited to Intel’s processors, while Spectre affects AMD, ARM, IBM, Intel  and possibly other processors as well.   These vulnerabilities have three CVE numbers (a quasi-government standard for tracking computer security vulnerabilities and exposures) assigned to them:

CVE NumberDescription
CVE-2017-5715Branch Target Injection, exploited by Spectre
CVE-2017-5753Bounds Check Bypass, exploited by Spectre
CVE-2017-5754Rogue Data Cache Load, exploited by Meltdown

For many years, processor manufacturers – such as Intel – have been able to fix flaws in processor architecture through microcode updates, which write an update to the processor itself to fix a bug.  When this article was originally published, ESET wrote that the vulnerabilities might not be fixable with a microcode update to Intel processors, however, it now appears that it may be possible to mitigate the Spectre vulnerability in Intel CPUs via microcode update, as well as provide additional protection against the Meltdown vulnerability.

Intel’s security advisory, INTEL-SA-00088 Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method, lists forty-four (44) affected families of processors, each of which can contain dozens of models.  ARM Limited has released an advisory titled Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism that currently lists ten (10) affected models of processor.

Computer emergency, incident , and security response teams from around the world have issued advisories to their respective countries.

ResponderAdvisory
(CERT)CERT Vulnerability Note VU#584653, CPU hardware vulnerable to side-channel attacks
(ICANN)ICANN Response to Meltdown and Spectre Vulnerabilities
AT (CERT.at)Meltdown & Spectre - don't panic
AU (ACSC)ACSC Statement on Reports of Speculative Execution Flaws in Processors
Update on processor vulnerabilities (Spectre/Meltdown)
AU (AusCERT)ASB-2018.0002.4 - UPDATED ALERT [Win][UNIX/Linux] CPU Microcode: Access privileged data - Existing account
BE (CERT.be)CERT.be Advisory #2018-001: Central Processor Unit (CPU) Architectural Design Flaws_update 9/1
CA (CCIRC)AL18-001: Meltdown and Spectre Side-Channel Vulnerabilities
CN (CNCERT/CC)国家信息安全漏洞共享平台(CNVD) 信息安全漏洞周报 2018 年 1 月 1 日-2018 年 1 月 7 日
CZ (CSIRT.CZ)Nový útok namířený na procesory umožňuje vyčíst obsah operační paměti
DE (BSI)Sicherheitslücken in Prozessoren – BSI rät zu Updates
Spectre/Meltdown – Antivirensoftware kann Windows-Update blockieren
DE (VDE CERT)Cyberangriffe auf superskalare Prozessorarchitekturen-eine Ursachenforschung
EE (CERT-EE)CERT-EE hoiatab: tuvastati turvanõrkused nii Inteli, AMD kui ka ARM protsessorites
ES (CCN-CERT)Vulnerabilidades en los procesadores de varios fabricantes
ES (CERTSI)Vulnerabilidades críticas en múltiples CPUs. Meltdown y Spectre
EU (CERT-EU)CERT-EU Security Advisory 2018-001: Meltdown and Spectre Critical Vulnerabilities
EU (ENISA)Meltdown and Spectre: Critical processor vulnerabilities
FI (Viestintävirasto)Meltdown- ja Spectre-hyökkäykset prosessorien kiusana - Kotikoneen suojana päivitetyt käyttöjärjestelmät ja ohjelmistot
Haavoittuvuus 001/2018: Meltdown- ja Spectre -hyökkäykset hyödyntävät prosessorien ongelmia
FR (CERT-FR)CERTFR-2018-ALE-001: Multiples vulnérabilités de fuite d’informations dans des processeurs
HK (HKCERT.HK)CPU Multiple Vulnerabilities (aka Meltdown and Spectre)
HR (Nacionalni CERT)Odgođena objava sigurnosnih nadogradnji za AMD procesore pogođene ranjivostima Meltdown i Spectre
HU (GovCERT-Hungary)Processzorok sérülékenységei
IN (CERT-In)CERT-In Advisory CIAD-2018-002: CPU Side-Channel Vulnerabilities (Meltdown & Spectre)
JP (JPCERT/CC)JVNDB-2018-001001: 投機的実行機能を持つ CPU に対するサイドチャネル攻撃
JVNVU#93823979: CPU に対するサイドチャネル攻撃
KR (KrCERT)CPU 칩셋 취약점 보안 업데이트 권고
LV (CERT.LV)Meltdown un Spectre, ievainojamības procesoru darbībā
MY (MyCERT)MA-691.012018: MyCERT Alert - CPU Hardware Side-Channel Attacks Vulnerability
NL (NCSC)Meltdown en Spectre: Kwetsbaarheden in processoren [afsluitend bericht]
NCSC-2018-0009 [1.08]: Kwetsbaarheden in processoren ontdekt (Spectre)
NCSC-2018-0010 [1.08]: Kwetsbaarheid ontdekt in Intel-processoren (Meltdown)
NCSC-2018-0036 [1.00]: Kwetsbaarheden verholpen in Ubuntu kernel
NZ (CERTNZ)Meltdown and Spectre CPU vulnerabilities
PT (CNCS)Falhas de segurança em processadores
RO (CERT.RO)UPDATE: Spectre și Meltdown - Vulnerabilități CPU
SE (CERT-SE)Kernel side-channel-attack
SG (SingCERT)[SingCERT] Alert on Security Flaws Found in Central Processing Units (CPUs)
SK (CSIRT.SK)Kritické zraniteľnosti procesorov na hardvérovej úrovni
TH (ThaiCERT)ระวังภัย ช่องโหว่ Meltdown, Spectre อาจถูกขโมยข้อมูลในเครื่องได้ผ่านซีพียู กระทบระบบปฏิบัติการ Windows, Linux, Mac
TW (TWCERT/CC)全球CPU面臨Spectre與Meltdown旁道分析式漏洞威脅(更新技服中心資訊:解決方法、影響產品)
UA (CERT-UA)Опубліковано інформацію про вразливості, які присутні у майже всіх сучасних процесорах
UK (NCSC)NCSC response to reports about flaws in processors
'Meltdown' and 'Spectre' guidance
Home user guidance to manage processor vulnerabilities ‘Meltdown’ and ‘Spectre’
US (NH-ISAC)NH-ISAC TIC Chip Vulnerability Update 1-5-18
US (NIST)CVE-2017-5715 Detail
CVE-2017-5753 Detail
CVE-2017-5754 Detail
US (US-CERT)US-CERT Alert (TA18-000FA): Meltdown and Spectre Side-Channel Vulnerability Guidance
ICS-CERT Alert (ICS-ALERT-18-011-01): Meltdown and Spectre Vulnerabilities
ICS-CERT Alert (ICS-ALERT-18-011-01A): Meltdown and Spectre Vulnerabilities (Update C)
VN (MIC)Số: 01/BC-CATTT Tình hình an toàn thông tin đáng chú ý trong tuần 01/2018

ESET’s Response

As mentioned at the beginning of the article, ESET released Antivirus and Antispyware module update 1533.3 on Wednesday, January 3, 2018, to all customers to ensure compatibility with Microsoft’s updates to the Windows operating systems.  ESET is working alongside hardware and software vendors to mitigate the risk posed by the vulnerabilities.

For additional information see:

Please periodically check these articles and revisit this blog post for updates as additional information becomes available.

Special thanks to my ESET colleagues Tony Anscombe, Richard Baranyi, Shane B., Bruce P. Burrell, Shane Curtis, Nick FitzGerald, David Harley, Elod K., James R., Peter Stancik, Marek Z., and Righard Zwienenberg for their assistance in preparing this article. I would also like to recognize Artem Baranov, Ken Bechtel, Richard Ford and Andy Hayter for their feedback.


Revision History

2018-01-05: Initial Release.
2018-01-06: Added information for AMD, Android (Google), Chromium Project, Cisco, Citrix, Debian, Dell, F5 Networks, Huawei, NetApp, nVidia, Raspberry Pi, SUSE, Synology, and Ubuntu to Vendors. Revised existing links as needed.
2018-01-07: Revised Background. Added links to CERT and US-CERT to Responders. Added information for FreeBSD to Vendors. Revised existing entries as needed.
2018-01-08: Revised Background. Added information for ASUS, Dragonfly BSD, HPE, Juniper and Qubes OS to Vendors.
2018-01-09: Added information for A10 Networks, Arista Networks, Aruba Networks, Avaya, Centos, CoreOS, Digital Ocean, Duo Security, Extreme Networks, Fedora, Kemp Technologies, Linode, Liquid Web, LLVM, Mitel, Netgear, OpenBSD, OpenSUSE, Open Telekom, OVH, Palo Alto Networks, Pulse Secure, QEMU, QNAP, RISC-V, Riverbed Technology, SonicWall, Sophos and SuperMicro to Vendors. Revised existing entries as needed.
2018-01-10: Revised Affected Vendors. Added information for AbacusNext, Aerohive, Akamai, Alibaba Cloud, ArchLinux, Avast, AVM, Barracuda Networks, BerganKDV, BitDefender, CA Technologies, Check Point, Comodo, Crestron, Cylance, Cyren, Cumulus Networks, Elastic, Emsisoft, ESET, ForcePoint, Fujitsu, G DATA, Gandi, Gentoo, Heroku, Hetzner Online, HP, Ikarus, Kaspersky, LANCOM Systems, Linux Mint, Malwarebytes, McAfee, MicroWorld Technologies, Netgate, Nutanix, OpenGear, Okta, Oracle, OSISoft, Panda Security, Polycomm, Proxmox, Qualys, Quanta, Rackspace, RSA, SalesForce, Scaleway, Silver Peak, Symantec, Thomas Krenn, Trend Micro, UpCloud, Veritas, VIPRE, Virtuozzo, Vultur, WatchGuard, Webkit, Webroot, XKCD and Zscalar to Vendors.
2018-01-11: Revised Technical Details. Added information for Acronis, AhnLab, Apache, AVG, AVira, Box, BrightSign, Bromium, Carbon Black, Cloud Foundry, Commvault, ConnectWise, Contegix, Couchbase, Endgame, FireEye, Lansweeper, NGINX, OnApp, OpenStack, ScyllaDB and Veeam to Vendors.
2018-01-12: Added information for Acer, ADP, Appalachia Technologies, APC, Aptible, Aspera, ASRock, BMC, ClearOS, cPanel, Digi, DocuSign, GFI, Gemalto, Gigabyte, Imperva, Littlefish, MSI, Outpost24, Parrot, Patchman, Plesk, Protiviti, Rapid7, Resolver, Ruckus Networks, Samsung, SAS, Schneider Electric, Scientific Linux, Siemens, SIOS, Solar Winds, Spectracom, Spotinst, Tableau, Tibco, Vertiv, Wind Driver, Zebra, and Zerto to Vendors. Revised existing entries as needed.
2018-01-12: Revised History. Added information for Bomgar, Ivanti, Lime Technology and ServiceNow to Vendors. Revised existing entries as needed
2018-01-15: Added information for AgileBits, Capsule8, IGEL, myAirWatch, Neverware, Nyotron, Panasonic, PostgreSQL, Qihu 360, Quick Heal, Sentinel One, Tenable, Toshiba and VAIO to Vendors. Added DE (BSI) to Responders.
2018-01-16: Added information for ABB, Abbott, American Megatrends, Auth0, BD, Fifty Seven Network, Johnson & Johnson, Oracle, Philips, Qubole, Rockwell Automation, Siemens, Smartsheet, Smiths Medical and Wonderware PacWest to Vendors. Added US (NH-ISAC) to Responders. Revised existing entries as needed.
2018-01-16: Added information for A56 Informatique, Algolia, Bitnami, Epic Games, Fasthosts, Foundation IT, Johnson Controls, K7 Computing, One Identity, Packet, Prgmr.com, Purism, SOC Prime and Tanium to Vendors. Added BE (CERT.be) to Responders. Revised existing entries as needed.
2018-01-17: Added information for Aiven, brightsolid, Faronics, Hitachi and Mageia Linux to Vendors. Revised existing entries as needed.
2018-01-18: Added information for CyberAdatpt, Barkly, Deep Instinct, Ensilo, Getac and Intego to Vendors. Revised existing entries as needed.
2018-01-20: Added information for Arcabit, BullGuard, ESTsecurity, Jiangmin, NANO Security, Rising, SecurityCoverage and VirusBlokAda to Vendors. Revised existing entries as needed.
2018-01-21: Added information for Infor, Quest and SAP to Vendors. Revised existing entries as needed.
2018-01-22: Added information for Konica Minolta to Vendors. Revised existing entries as needed.
2018-01-23: Added UPDATE. Revised exiting entries as needed.
2018-01-25: Added information for Buffalo, Cybereason, Puget Computer Systems, Tencent, Thecus and Zyxel to Vendors. Revised existing entries as needed.
2018-01-26: Added information for Atlassian, ForeScout and Splunk to Vendors. Revised existing entries as needed.
2018-01-29: Added UPDATE. Added Joyen and Rendition Infosec to Vendors. Revised existing entries as needed.
2018-02-03: Added Altaro, Datto, Dell EMC, TenFourFox and Unitrends to Vendors. Revised existing entries as needed.
2018-02-05: Added Autodesk, Broadcom, Dahua, Drupal, Hivision, ManageEngine, Medtronic, Micro Focus, Puppet and TIBCO to Vendors. Revised existing entries as needed.
2018-02-07: Added Nexsan and Wind River to Vendors.
2018-02-08: Revised ESET’s Response. Added Catalyst, Inmotion Hosting and Platform.sh to Vendors. Revised existing entries as needed.
2018-02-09: Added Adtran and Edficom to Vendors. Revised existing entries as needed.
2018-02-10: Added CN (CNCERT/CC) and VN (MIC) to Responders. Revised existing entries as needed.
2018-02-12: Added Electro Rent, ExtraHop, Microlease, Knoppix and Slackware to Vendors. Revised existing entries as needed.
2018-02-14: Added Accenture, Deloitte, EVGA, Igloo Software, PWC and VMRay to Vendors. Revised existing entries as needed.
2018-02-15: Added BlackBerry to Vendors. Revised existing entries as needed.
2018-02-17: Added Kaseya and SanData to Vendors.
2018-02-20: Added Arca Noae, EFI, General Electric, Honeywell and Kyocera to Vendors. Revised existing entries as needed.
2018-02-22: Added Beckman Coulter, Canon and Stryker to Vendors.
2018-03-01: Added Draeger, Pepperl+Fuchs and Yokogawa to Vendors. Revised existing entries as needed.
2018-03-14: Added UPDATE. Revised existing entries as needed.
2018-03-21: Added DFI and iBASE to Vendors.
2018-04-03: Added Scan Computers to Vendors.
2018-04-16: Added Tyan to Vendors.
2018-04-20: Added Asustor to Vendors.
2018-05-01: Added UPDATE.  Added Emerson and Phoenix Contact to Vendors.  Added DE (VDE CERT) to Responders.
2018-05-04: Added UPDATE.  Added TH (ThaiCERT) to Responders.
2018-05-05:  Added NexusGard, Optiv Security and ownCloud to Vendors.

Is your security advisory, bulletin or customer notification not listed? Please let us know so that it can be added. Thank you.

Discussion

4 responses to “Meltdown and Spectre CPU Vulnerabilities: What You Need to Know”

  1. DeathGhosts says:

    so this is old news.. from 2017

    2017-01-05: Initial Release.
    2017-01-06: Added information for AMD, Android (Google), Chromium Project, Cisco, Citrix, Debian, Dell, F5 Networks, Huawei, NetApp, nVidia, Raspberry Pi, SUSE, Synology, and Ubuntu. Revised existing links as needed.
    2017-01-07: Revised Background. Added links to CERT and US-CERT. Added information for FreeBSD. Revised existing links as needed.

  2. Akshat Verma says:

    Good work from eset to release the updates so quickly.