By now, you've heard about the processor vulnerabilities affecting almost every processor in common use today; those vulnerabilities are called Meltdown and Spectre. Below are the advisories from most of the relevant companies. The patches should be considered preliminary: they protect against the most obvious paths to this vulnerability, but further patches are likely planned both to deal with the potentially significant performance hits from these patches and to broaden mitigation coverage. Spectre, in particular, will require follow-on patching. Due to the nature of these patches, reboots will be required. So in the short term, patch and reboot everything.

The good news is that patches are out for almost everything (Microsoft has moved its monthly patching up a week to today; more on that in a different post). The bad news is that Spectre, in particular, can't be completely mitigated by patching, as it appears to require a hardware fix. The good news is that Spectre is harder to exploit. Firefox's initial testing has shown that it is possible to trigger these flaws remotely via web content, so devices that browse the web or execute external content are particularly vulnerable (malware sandboxes, which by design are unpatched operating systems, are of particular concern to me here). Otherwise, an attacker has to find some way to execute code on the victim machine. The bad news is that the fixes can slow down your devices, with some initial (disputed) reporting of up to a 30% performance hit to the CPU.

IoT devices are, again, a particular weakness. They run these same processors, but as we know, most consumers never use whatever limited interface exists to update the devices, even when it is necessary, and in this case more than one update cycle may be required. So while the advice is "patch now", the problem we will be grappling with is the performance hits (this will be brutal for cloud vendors, especially if it's on the scale of 30%) and the follow-on disruptive patching this will require in the coming months. No known exploitation of this is occurring in the wild, but that will change in the next few days. This diary will be updated as the situation warrants.

UPDATE 1536 UTC (Bambenek) - Microsoft is actually filtering systems whose anti-virus / endpoint product has not certified compatibility with the updates; that means if you are running an anti-virus / endpoint product Microsoft has not listed as "safe", you will not get the update. This is designed to prevent BSOD issues. Working on trying to find a good listing of which products are "safe" or not.

UPDATE 1625 UTC (Bambenek) - Microsoft is only releasing the update for these vulnerabilities early, and then only for a partial subset of Windows operating systems.

UPDATE 2017-01-05 1700 UTC (Bambenek) - Added Apple advisory; iPhone/iPad devices are affected via Safari/web browsers.
John (ISC Handler, 262 posts), Jan 5th 2018

IoT devices go on a dedicated VLAN in my home network, and don't get permission to talk to strangers.
The IP cameras I use can't even talk to the Internet; they can only respond to RTSP requests from my NVR. None of them are permitted on my internal network, even if I allow them full access out.
JasonTracy (4 posts), Jan 4th 2018

Let the plows take care of them LOL. Best line of the day.
Alan (57 posts), Jan 4th 2018

Can you update this to include VMware?
https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
0x2A (2 posts), Jan 4th 2018

[removed - no longer relevant]
Anonymous, Jan 4th 2018

Microsoft is apparently only releasing this update early (not everything for the January window), and only for Windows 10/Windows Server 2016.
Anonymous, Jan 4th 2018

I thought that "Meltdown" only affected Intel and some ARM processors, and AMD was not affected by it? Only "Spectre" was completely cross-platform? Or has that changed?
Darron Wyke (19 posts), Jan 4th 2018

See this for information on "safe" AV engines:
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0
The link was found in this article: https://www.theverge.com/2018/1/4/16848976/how-to-protect-windows-pc-meltdown-security-flaw
rstrom (7 posts), Jan 4th 2018

The filtering that Microsoft is doing is for AV products.
@gossithedog has started compiling a list of AV status here: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0
Also, I read this article to say that just patching servers won't be enough. You'll also need to enable the protection: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution-s
Anonymous, Jan 4th 2018

A great source of AV product statuses can be found here, thanks to Kevin Beaumont (@GossiTheDog):
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true
Jeremiah (1 post), Jan 4th 2018

Any word on when Microsoft will be releasing new chips with hardware fixes?
Anonymous, Jan 4th 2018

At least for Symantec AV, they recommend updating to ERASER Engine 117.3.0.358 (or greater); after that, the KB patch applies without problem.
If you don't, you will see "Product Error requires attention" and the SEP system tray icon will report "There are multiple problems (2)". https://www.symantec.com/connect/forums/latest-win10-update-corrupts-sep14
Anonymous, Jan 4th 2018

..and just to add that this affects all Windows OS servers and SQL Servers; some patches are still not released...
Read more here: https://answers.microsoft.com/en-us/windows/forum/windows_10-security/meltdown-and-spectre-vulnerabilities-intel-chip/ead3f25e-6c55-4359-9cd9-5be87cbe7b4f
Anonymous, Jan 4th 2018

Even after updating the ERASER engine, the tray icon problem still exists...
"After updating the ERASER engine to 117.3.0 and applying Microsoft Update KB4056892, the Symantec Endpoint Protection (SEP) system tray icon reports there are multiple problems. No errors are reported if the SEP client UI is opened." https://support.symantec.com/en_US/article.TECH248552.html
K-Dee (66 posts), Jan 4th 2018

Just great.
"The best mitigation may be to put these devices in the snow in the street in front of your house and let the plows take care of them" is starting to look possible. Anyway, at least the "Meltdown and Spectre" vulnerability names are soooooo cool.
Anonymous, Jan 4th 2018

.. if you still haven't got enough, more vendors are addressing this issue:
Amazon, AMD, Android, ARM, CentOS, Chromium, Citrix, F5, Huawei, IBM, Intel, Lenovo, Linux, Microsoft Azure, Microsoft Windows, NVIDIA, OpenSuSE, Red Hat, SuSE, Trend Micro, VMware, Xen.
Link to vendor patch information from the National Cyber Awareness System: https://www.us-cert.gov/ncas/alerts/TA18-004A
Anonymous, Jan 4th 2018

McAfee released the following list of products confirmed as compatible:
- Data Loss Prevention 9.4 and later
- Endpoint Security 10.2 and later
- Drive Encryption 7.0 and later
- Host IPS 8.0 Patch 9 and later
- McAfee Agent 4.8.3 and later
- McAfee Application Control 8.0 and later
- McAfee Active Response 1.1 and later
- McAfee Client Proxy 1.2 and later
- System Information Reporter (SIR) 1.0.1
- VirusScan Enterprise 8.8 Patch 9 and later
Anonymous, Jan 4th 2018

I found this spreadsheet that's being updated with supported anti-virus applications. Thought of sharing since this will be helpful.
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0
IsuruSam (1 post), Jan 5th 2018

All Mac systems and iOS devices are affected.
https://support.apple.com/en-us/HT208394
Anonymous, Jan 5th 2018

Am I reading the MS guidance on servers correctly? Doesn't it say that even after applying patches the server is not protected unless you also "switch it on" by setting registry keys?
In the "Recommended actions" section of the article https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution it says:
1. Apply the Windows operating system update.
2. Make necessary configuration changes to enable protection.
3. Apply an applicable firmware update from the OEM device manufacturer.
This is very confusing. Do I need to set the keys in the registry or not?
Paul (13 posts), Jan 5th 2018

That KB confuses me as well. I think I understand that you need both the patch and the registry keys, but the "FeatureSettingsOverrideMask" is listed with a value of "3" for both enabled and disabled in the examples... I wonder if that is a typo or factual?
-Joel
Joel B (8 posts), Jan 5th 2018
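The two Windows questions running through this thread, whether the update was even offered (the AV-compatibility "filtering" in the diary's first update) and whether the mitigations are actually switched on after the server KB (Paul's and Joel's exchange), both come down to a handful of registry values. The following read-only audit is an added example written for this page; it is not code from the ISC diary, from Microsoft, or from any commenter. The key paths, value names and bit meanings are taken from Microsoft's KB4072698 server guidance and its AV-compatibility advisory as I understand them, and should be checked against the current KB text; the KB id it looks for is the one K-Dee quotes for a Windows 10 client and must be changed for other builds.

```powershell
# Added example, not from the ISC diary or its commenters: read-only audit of the registry
# state that decides whether the January 2018 Windows update is offered and whether the
# kernel mitigations it ships are switched on. Paths, value names and bit meanings follow
# Microsoft's KB4072698 server guidance and AV-compatibility advisory (assumption: verify
# against the current KB). Nothing here writes to the registry.

$MemMgmt  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$AvCompat = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$AvFlag   = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # REG_DWORD 0, written by a compatible AV product
$KbId     = 'KB4056892'                              # assumption: change to the KB for your OS build

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent; "absent" is not the same as 0 here.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-AvCompatFlag {
    # Without this flag Windows Update withheld the January 2018 update (the "filtering"
    # the diary describes), because incompatible AV drivers were causing BSODs.
    $v = Get-RegDword -Path $AvCompat -Name $AvFlag
    [pscustomobject]@{ Check = 'AV compatibility flag present'; Value = $v; Ok = ($v -eq 0) }
}

function Test-UpdateInstalled {
    $hf   = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $when = if ($hf) { $hf.InstalledOn } else { 'absent' }
    [pscustomobject]@{ Check = "$KbId installed"; Value = $when; Ok = [bool]$hf }
}

function Resolve-MitigationSwitch {
    # FeatureSettingsOverrideMask selects WHICH bits the override governs; it is 3 (bits 0
    # and 1) in both the enable and the disable recipe of the KB, which is why it reads the
    # same in both examples. FeatureSettingsOverride supplies the VALUE of those bits, and a
    # set bit means "mitigation disabled": 0 enables both, 3 disables both.
    # Assumption from the KB: bit 0 = Spectre variant 2 mitigation, bit 1 = Meltdown mitigation.
    $override = Get-RegDword -Path $MemMgmt -Name 'FeatureSettingsOverride'
    $mask     = Get-RegDword -Path $MemMgmt -Name 'FeatureSettingsOverrideMask'
    if ($null -eq $override -or $null -eq $mask) {
        # The KB says Windows Server leaves the mitigations off until these values exist.
        $state = 'not configured (OS default; servers require the opt-in)'
        $ok    = $false
    }
    else {
        $governed = $mask -band 3            # bits the override actually controls
        $disabled = $override -band $governed
        if ($governed -ne 3)     { $state = "mask $mask governs only part of the switch" }
        elseif ($disabled -eq 0) { $state = 'enabled (Spectre v2 and Meltdown)' }
        elseif ($disabled -eq 3) { $state = 'disabled (both)' }
        elseif ($disabled -eq 1) { $state = 'Spectre v2 mitigation disabled, Meltdown enabled' }
        else                     { $state = 'Meltdown mitigation disabled, Spectre v2 enabled' }
        $ok = ($governed -eq 3 -and $disabled -eq 0)
    }
    [pscustomobject]@{ Check = 'Kernel mitigation switch'; Value = $state; Ok = $ok }
}

function Invoke-SpeculativeExecutionAudit {
    # One row per check. Any row with Ok = $false needs attention before the host counts as
    # mitigated, and the OEM firmware update (step 3 of the KB) is still required on top.
    @( Test-AvCompatFlag; Test-UpdateInstalled; Resolve-MitigationSwitch )
}

Invoke-SpeculativeExecutionAudit | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the host in question. The point of decoding the mask and override separately is the one Joel's question turns on: the mask only says which bits are being overridden, so it is identical in the enable and disable recipes, and the override value is what flips the mitigations. For the authoritative runtime view (whether the kernel actually applied the mitigations, which also depends on the firmware step), I would additionally run Microsoft's SpeculationControl PowerShell module, `Get-SpeculationControlSettings`, which this page does not mention but which the KB series points to.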