Meltdown and Spectre CPU Vulnerabilities

Risk: High

CVE: CVE-2017-5754, CVE-2018-5753

 

Meltdown and Spectre are two CPU vulnerabilities that have recently been detected in Intel, AMD, ARM and Qualcomm processors. Currently there are no exploits available in the wild; however, a successful attacker could take advantage of the three variants of the flaw to steal sensitive data, such as passwords and banking information. Spectre accounts for two of the variants, while Meltdown accounts for one.

Meltdown mainly affects Intel processors, as well as some ARM processors, and allows hackers to bypass the security barriers between applications that are usually managed by hardware.

Spectre, on the other hand, allows hackers to trick error-free applications into giving up secret information, and it affects all of the aforementioned processor vendors.

 

Impacted Devices:

  • All computer devices, including desktops, laptops, servers, tablets and smartphones (iOS and Android) that run on most Intel, AMD, ARM and Qualcomm processors manufactured in the last decade are affected; some affected processors go back more than 20 years.

 

What UBC IT is doing:

We are continuing to assess the risk of this threat as it evolves. While that analysis is underway, the following activities are being conducted:

  1. An inventory of affected systems is being built
  2. Patch availability is being analyzed, including release dates
  3. Released patches are being tested for production usage to identify any performance impacts
  4. Security vendors are being engaged to identify security controls that can protect against exploits, should they become available

 

Recommendations for Users:

  • Based on current industry information, the only way to fully resolve the issue will be to replace the hardware; however, no new hardware that addresses the issues is available at this time. In the interim, patches are available to mitigate future attacks that could exploit the two vulnerabilities.
  • Take care to ensure any patches or updates are obtained from official vendor sites, as there have been reports of hackers distributing malware masquerading as patches.
  • Mitigations will include a combination of BIOS/firmware updates for hardware, in addition to operating system and application patches.  It is strongly recommended that non-technical users not attempt upgrading the BIOS themselves, especially if there’s a possibility that the computer is encrypted, as this would likely render the computer inoperable.
  • Please update your antivirus software.
  • Please update your operating system and download the latest patches. The status of patches for browsers and operating systems, as we have compiled it, is listed below.

 

Meltdown & Spectre Operating System Patches:

  • Windows Desktop: Microsoft released patches for Windows 10, 8.1 and 7 SP1 on Jan 3 for systems with compatible Anti-virus; Sophos, Trend Micro and Cisco AMP are compatible – see links below for details
  • Windows Server: Microsoft released patches for Windows 2008 R2, 2012 R2 and 2016 on January 3 for systems with compatible Anti-virus (as above)
  • macOS, iOS, tvOS: Apple released patches in December and January. Patched versions are: macOS 10.13.2 Supplemental Update, iOS 11.2.2, tvOS 11.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.16. Apple Watch is unaffected.
  • Android: Google pushed patches for both vulnerabilities to manufacturers in December 2017. Please check with your hardware manufacturer for when/if an update will be available for your device. Google-supported devices that will receive the patch include Nexus 5X, Nexus 6P, Pixel C, Pixel/XL, and Pixel 2/XL.
  • Chrome OS 63: Introduced protections for both vulnerabilities in Dec 2017
  • Red Hat: released multiple updates – see the link at the bottom for patch availability
  • Ubuntu: to be released Jan 9 for 17.10, 16.04 LTS, 14.04 LTS, 12.04 ESM
  • VMware: has various patches for products – see the details in the link below
  • Amazon Web Services: the platform is patched, but customers must still patch the OS running in their Amazon virtual machines
  • Azure: the platform is patched, but customers need to reboot their virtual machines

 

Spectre Browser Patches:

  • Chrome: Partial protection will be introduced on January 23 in Chrome 64
  • Edge & Internet Explorer: Microsoft has already made updates to both browsers, and further improvements are expected
  • Firefox: Mozilla released partial mitigations on January 4 in 57.0.4 for desktop browsers on Windows, macOS and Linux (no iOS or Android updates yet)
  • Safari: Apple has released an updated version of Safari in addition to updates for iOS and macOS

 

More information

General Information

https://www.theregister.co.uk/2018/01/05/spectre_flaws_explained/

http://mashable.com/2018/01/04/spectre-meltdown-explained/#TpXewZZ1KmqN

https://www.pcworld.com/article/3245790/mobile/spectre-cpu-faq-phones-tablets-ios-android.html

https://www.theregister.co.uk/2018/01/06/qualcomm_processor_security_vulnerabilities/

http://www.securityweek.com/intel-tests-performance-impact-cpu-patches-data-centers

 

Windows Operating System

 

https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

https://www.bleepingcomputer.com/news/microsoft/microsoft-resumes-meltdown-and-spectre-updates-for-amd-devices/

 

Mac and iOS Devices

 

https://www.imore.com/meltdown-spectre-faq

https://support.apple.com/en-us/HT208394

https://support.apple.com/en-us/HT208331

https://support.apple.com/en-us/HT208465

 

Android Devices

https://support.google.com/faqs/answer/7622138#android

https://www.androidcentral.com/meltdown-spectre

 

Linux

https://access.redhat.com/security/vulnerabilities/speculativeexecution

https://www.suse.com/support/kb/doc/?id=7022512

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

 

Virtual Machines

https://www.vmware.com/security/advisories/VMSA-2018-0004.html

 

BIOS/Firmware

http://www.securityweek.com/device-manufacturers-working-bios-updates-patch-cpu-flaws

Antivirus Vendors

https://community.sophos.com/kb/en-us/128053

https://esupport.trendmicro.com/en-us/home/pages/technical-support/1118996.aspx

https://supportforums.cisco.com/t5/sourcefire-documents/cisco-amp-for-endpoints-compatibility-with-windows-security/ta-p/3306874

 

Antivirus Vendors Compatibility Status

https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true