Spectre and Meltdown: What You Need to Know Right Now

By now, you've heard about the processor vulnerabilities affecting almost every processor in common use today; those vulnerabilities are called Meltdown and Spectre. The only common platform that seems unaffected at the moment is iPhone/iPad (Removed per recent advisory). This bug is probably worth its name and logo considering the pervasive nature of the vulnerability. At its core, both involve kernel-level issues that can leak running memory outside the current process, which can compromise system confidentiality (think encryption keys, passwords, PII/NPI in memory, etc.). Contrary to some initial reporting, this is NOT just an Intel bug; it affects AMD and ARM processors as well. These could even be used in cloud / virtualized environments to leak memory outside the running virtual machine. It involves a flaw in "speculative execution" common in these processors where, under the right conditions, code can trick the processor into leaking data from other applications.

Below are advisories from most of the relevant companies. The patches should be considered preliminary: they protect against the most obvious paths to this vulnerability, but future patches are likely planned to address the potentially significant performance hits of these patches and to broaden mitigation coverage. Spectre, in particular, will require follow-on patching. Due to the nature of these patches, reboots will be required. So in the short term, patch and reboot everything.

Intel: Security Advisory / Newsroom
Microsoft: Security Guidance
Amazon: Security Bulletin
ARM: Security Update
Google: Project Zero Blog
MITRE: CVE-2017-5715 / CVE-2017-5753 / CVE-2017-5754
Red Hat: Vulnerability Response
SUSE: Vulnerability Response
CERT: Vulnerability Note
VMware: Vulnerability Advisory
Apple: Security Advisory

The good news is patches are out for almost everything (Microsoft has moved their monthly patching up a week to today; more on that in a different post). The bad news is that Spectre, in particular, can't be completely mitigated by patching, as it seems it will require a hardware fix. The good news is that Spectre is harder to exploit.

Firefox's initial testing has shown it is possible to trigger these flaws remotely via web content, so devices that browse the web or execute external content are particularly vulnerable (malware sandboxes, which by design run unpatched operating systems, are a particular concern to me here). Otherwise, an attacker has to find some way to execute code on the victim machine. The bad news is that the fixes can slow down your devices, with some initial (disputed) reporting of up to a 30% CPU performance hit.

IoT devices are, again, a particular weak point. They run these same processors but, as we know, most consumers never use whatever limited interface exists to update the devices even when it is necessary, and in this case more than one update cycle may be required. The best mitigation may be to put these devices in the snow in the street in front of your house and let the plows take care of them. For most IoT devices, getting code that exploits these flaws running on the device will be non-intuitive, but that will vary by device. My biggest concern is that someone uses this vulnerability in a controlled environment to find flaws in specific IoT devices (or even default passwords) to create the next Mirai.

So while the advice is "patch now", the problem we will be grappling with is the performance hits (this will be brutal for cloud vendors, especially if it's on the scale of 30%) and the follow-on disruptive patching this will require in the coming months.

No known exploitation of this is occurring in the wild, but that will change in the next few days. This diary will be updated as the situation warrants.

UPDATE 1536 UTC (Bambenek) - Microsoft is actually filtering systems that have not certified compatibility with the updates; that means if you are running an anti-virus / endpoint product Microsoft have listed as "safe" you will not get the update. This is designed to prevent BSOD issues. Working on trying to find a good listing of which products are "safe" or not.

UPDATE 1625 UTC (Bambenek) - Microsoft is only releasing the update for these vulnerabilities early, and then only for a partial subset of Windows Operating Systems.

UPDATE 2017-01-05 1700 UTC (Bambenek) - Added Apple advisory, iPhone/iPad devices are affected via Safari/web-browsers.

John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity


262 Posts
ISC Handler
Jan 5th 2018
IoT devices go on a dedicated VLAN in my home network, and don't get permission to talk to strangers.

The IP cameras I use can't even talk to the Internet; they can only respond to RTSP requests from my NVR.

None of them are permitted on my internal network, even if I allow them full access out.

4 Posts
Let the plows take care of them LOL. Best line of the day.

57 Posts
Can you update this to include VMware?


2 Posts
[removed - no longer relevant]
Microsoft is apparently only releasing this update early (not everything for the January window), and only for Windows 10/Windows Server 2016.
I thought that "Meltdown" only affected Intel and some ARM processors, and AMD was not affected by it? Only "Spectre" was completely cross-platform? Or has that changed?
Darron Wyke

19 Posts
See this for information on "safe" AV engines


The link was found in this article


7 Posts
The filtering that Microsoft is doing is for AV products.
@gossithedog has started compiling a list of AV status here > https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

Also, I read this article to say that just patching servers won't be enough. You'll also need to enable the protection.
A great source of AV product statuses can be found here, thanks to Kevin Beaumont (@GossiTheDog):


2 Posts
Any word on when Microsoft will be releasing new chips with hardware fixes?
At least for Symantec AV, they recommend to update to ERASER Engine (or greater), after that, KB patch applies without problem.
If you don't, you will see "Product Error requires attention" and the SEP system tray icon will report "There are multiple problems (2)".
...and just to add that this affects all Windows OS servers and SQL Servers; some patches are still not released...

Read more here:
Even after updating the ERASER engine, the tray icon problem still exists...

"After updating the ERASER engine to 117.3.0 and applying Microsoft Update KB4056892, the Symantec Endpoint Protection (SEP) system tray icon reports there are multiple problems. No errors are reported if the SEP client UI is opened."


68 Posts
Just great.

"The best mitigation may be to put these devices in the snow in the street in front of your house and let the plows take care of them" is starting to look possible.

Anyway, at least the "Meltdown and Spectre" Vulnerability names are soooooo cool.
...if you still haven't had enough, more vendors are addressing this issue:

Microsoft Azure
Microsoft Windows
Red Hat
Trend Micro

Link to Vendor Patch Information from the National Cyber Awareness System:
McAfee released the following list of products being confirmed as compatible.
Data Loss Prevention 9.4 and later
Endpoint Security 10.2 and later
Drive Encryption 7.0 and later
Host IPS 8.0 Patch 9 and later
McAfee Agent 4.8.3 and later
McAfee Application Control 8.0 and later
McAfee Active Response 1.1 and later
McAfee Client Proxy 1.2 and later
System Information Reporter (SIR) 1.0.1
VirusScan Enterprise 8.8 Patch 9 and later
I found this spreadsheet that's being updated with supported anti-virus applications. Thought of sharing since this will be helpful.

1 Posts
All Mac systems and iOS devices are affected.
Am I reading the MS guidance on servers correctly? Doesn't it say that even after applying patches the server is not protected unless you also "switch it on" by setting registry keys?

In the "Recommended actions" section of the article, it says:

1. Apply the Windows operating system update
2. Make necessary configuration changes to enable protection.
3. Apply an applicable firmware update from the OEM device manufacturer.

This is very confusing. Do I need to set the keys in the registry or not??

13 Posts
That KB confuses me as well. I think I understand that you need both the patch and the registry keys, but the "FeatureSettingsOverrideMask" is listed with a value of "3" for both enabled & disabled in the examples.. I wonder if that is a typo or factual?

Joel B

8 Posts
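Decoding the two registry values the server guidance refers to, as an added PowerShell example (not code from the diary or any commenter). It assumes the value names and path from Microsoft's Windows server KB, and the bit-to-CVE assignment is an assumption to verify against the current KB.

```powershell
# Added example, not code from the diary or its commenters. It reads the two
# registry values used by Microsoft's Windows server guidance and decodes them,
# to show why "FeatureSettingsOverrideMask = 3" appears in both the enable and
# the disable example: the mask says WHICH bits are being overridden, and the
# override value says what those bits are set to (a set bit disables).
# Assumptions: value names/path as in the Microsoft KB; bit 0 = CVE-2017-5715
# mitigation, bit 1 = CVE-2017-5754 mitigation (verify against the current KB).
# Run in an elevated PowerShell session.
$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$BitNames   = @{ 0 = 'CVE-2017-5715 (branch target injection)'
                 1 = 'CVE-2017-5754 (rogue data cache load)' }

function Get-SpecMitigationConfig {
    param([string]$Key = $MemMgmtKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $p.FeatureSettingsOverrideMask) {
        Write-Output 'No override configured: the OS default applies (server SKUs default to disabled).'
        return
    }
    $mask = [int]$p.FeatureSettingsOverrideMask   # which bits the override controls
    $over = [int]$p.FeatureSettingsOverride       # value applied to the masked bits
    foreach ($bit in 0, 1) {
        $flag = 1 -shl $bit
        if (($mask -band $flag) -eq 0)     { $state = 'not overridden (OS default)' }
        elseif (($over -band $flag) -eq 0) { $state = 'ENABLED (masked, override bit clear)' }
        else                               { $state = 'DISABLED (masked, override bit set)' }
        Write-Output ('{0}: {1}' -f $BitNames[$bit], $state)
    }
}

# Enables both mitigations exactly as the KB's "enable" example: Override=0, Mask=3.
# The KB's "disable" example is Override=3, Mask=3: same mask, both bits set.
function Enable-SpecMitigations {
    param([string]$Key = $MemMgmtKey)
    Set-ItemProperty -Path $Key -Name FeatureSettingsOverride     -Value 0 -Type DWord
    Set-ItemProperty -Path $Key -Name FeatureSettingsOverrideMask -Value 3 -Type DWord
    Write-Output 'Registry updated; a reboot is required before the kernel applies it.'
}

Get-SpecMitigationConfig
# After the reboot, confirm what the kernel actually applied with Microsoft's
# SpeculationControl module from the PowerShell Gallery:
#   Install-Module SpeculationControl; Get-SpeculationControlSettings
```

The registry only requests the mitigations; firmware (microcode) from the OEM is still needed for the CVE-2017-5715 protection to be fully in effect, which is why the KB lists it as a separate step.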
