TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance

Original release date: January 04, 2018 | Last revised: February 10, 2018Systems Affected
CPU hardware implementations
Overview
On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as Meltdown and Spectre—that affect modern computer processors. These vulnerabilities can be exploited to steal sensitive data present in a computer systems’ memory.
Description
CPU hardware implementations are vulnerable to side-channel attacks, referred to as Meltdown and Spectre. Meltdown is a bug that “melts” the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw an attacker can exploit to force a program to reveal its data. The name derives from “speculative execution”—an optimization method a computer system performs to check whether it will work to prevent a delay when actually executed. Spectre affects almost all devices including desktops, laptops, cloud servers, and smartphones.More details of these attacks can be found here:Common Vulnerability and Exposure (CVE):Rogue Data Cache Load: CVE-2017-5754 (Meltdown) https://nvd.nist.gov/vuln/detail/CVE-2017-5754Bounds Check Bypass: CVE-2017-5753 (Spectre) https://nvd.nist.gov/vuln/detail/CVE-2017-5753Branch Target Injection: CVE-2017-5715 (Spectre) https://nvd.nist.gov/vuln/detail/CVE-2017-5715CERT/CC’s Vulnerability Note VU#584653Impact
An attacker can gain access to the system by establishing command and control presence on a machine via malicious Javascript, malvertising, or phishing. Once successful, the attacker could escalate privileges to exploit Meltdown and Spectre vulnerabilities, revealing sensitive information from a computer’s kernel memory, including keystrokes, passwords, encryption keys, and other valuable information.
Solution
MitigationNCCIC encourages users and administrators to refer to their hardware and software vendors for the most recent information. In the case of Spectre, the vulnerability exists in CPU architecture rather than in software, and is not easily patched; however, this vulnerability is more difficult to exploit. After patching, performance impacts may vary, depending on use cases. NCCIC recommends administrators ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect, if possible.Additionally, NCCIC recommends users and administrators who rely on cloud infrastructure work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.For machines running Windows Server, a number of registry changes must be completed in addition to installation of the patches.  NCCIC recommends verifying your Windows Server version before downloading applicable patches and performing registry edits.  A list of registry changes can be found here: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-executionAntivirusTypical antivirus programs are built on a signature management system, and may not be able to detect the vulnerabilities. NCCIC recommends checking with your antivirus vendor to confirm compatibility with Meltdown and Spectre patches. Microsoft recommends third-party antivirus vendors add a change to the registry key of the machine running the antivirus software. Without it, that machine will not receive any of the following fixes from Microsoft:Windows UpdateWindows Server Update ServicesSystem Center Configuration Manager More information can be found here: https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software.Vendor LinksThe following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.Note: NCCIC strongly recommends:downloading any patches or microcode directly from your vendor’s websiteusing a test environment to verify each patch before implmentingLink to Vendor InformationDate AddedAmazonJanuary 4, 2018AMDJanuary 4, 2018AndroidJanuary 4, 2018AppleJanuary 4, 2018ARMJanuary 4, 2018CentOSJanuary 4, 2018ChromiumJanuary 4, 2018CiscoJanuary 10, 2018CitrixJanuary 4, 2018DebianJanuary 5, 2018DragonflyBSDJanuary 8, 2018F5January 4, 2018Fedora ProjectJanuary 5, 2018FortinetJanuary 5, 2018HPJanuary 19, 2018GoogleJanuary 4, 2018HuaweiJanuary 4, 2018IBMJanuary 5, 2018IntelJanuary 4, 2018JuniperJanuary 8, 2018LenovoJanuary 4, 2018LinuxJanuary 4, 2018LLVM: variant #2January 8, 2018LLVM: builtin_load_no_speculateJanuary 8, 2018LLVM: llvm.nospeculatedloadJanuary 8, 2018Microsoft AzureJanuary 4, 2018MicrosoftJanuary 4, 2018MozillaJanuary 4, 2018NetAppJanuary 8, 2018NutanixJanuary 10, 2018NVIDIAJanuary 4, 2018OpenSuSEJanuary 4, 2018OracleJanuary 17, 2018QubesJanuary 8, 2018Red HatJanuary 4, 2018SuSEJanuary 4, 2018SynologyJanuary 8, 2018Trend MicroJanuary 4, 2018UbuntuJanuary 17, 2018VMwareJanuary 10, 2018XenJanuary 4, 2018
References
Graz University of Technology Meltdown website
Graz University of Technology Spectre website
Rogue Data Cache Load: CVE-2017-5754
Bounds Check Bypass: CVE-2017-5753
Branch Target Injection: CVE-2017-5715
CERT/CC’s Vulnerability Note VU#584653
Revision History
January 4, 2018: Initial version
January 5, 2018: Updated vendor information links for Citrix, Mozilla, and IBM in the table and added links to Debian, Fedora Project, and Fortinet
January 8, 2018: Added links to DragonflyBSD, Juniper, LLVM, NetApp, Qubes, and Synology
January 9, 2018: Updated Solution Section
January 10, 2018: Added links to Cisco and Nutanix
January 17, 2018: Added note to Mitigation section and links to Oracle and Ubuntu
January 18, 2018: Updated Description, Impact, and Solution Sections, and added an additional link
January 19, 2018: Added link to HP
January 31, 2018: Provided additional links and updated Description and Mitigation sections
This product is provided subject to this Notification and this Privacy & Use policy.

Powered by WPeMatico

Latest Blogs

TA18-201A: Emotet Malware

Original release date: July 20, 2018 Systems Affected Network Systems Overview Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. […]


Bip Dharma Ransomware Variant Released into the Wild

Today, Michael Gillespie noticed what appeared to be a new variant of the Crysis/Dharma Ransomware uploaded to his ID-Ransomware site. Jakub Kroustek then discovered some samples to confirm that it was indeed a new Dharma […]


TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm

Original release date: May 29, 2018 Systems Affected Network systems Overview This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and […]


TA18-145A: Cyber Actors Target Home and Office Routers and Networked Devices Worldwide

Original release date: May 25, 2018 Systems Affected Small office/home office (SOHO) routers Networked devices Network-attached storage (NAS) devices Overview Cybersecurity researchers have identified that foreign cyber actors have compromised […]


common spam words terms and phrases

So recently we have an customer having issues with there emails going into spam filters and or not being delivered. So here is a common list of terms that potentially […]


About Humanit

humanit is an IT support company focused on providing the very best IT support for small to medium sized businesses in Chon Buri Thailand. Our customers range from award winning estate agents right through to factories in Amata city. Our passion is our customers. That’s right. It’s not the technologies, but we get a love helping out our customers issues and providing them with the technology to enable their company to grow. What makes our customers happy do I hear you ask? Take a look at our testimonials page and see for yourself.