Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) are vulnerabilities in CPU architecture that allow attackers to access protected memory they should not have access to. Spectre affects all CPU vendors, while Meltdown is specific to Intel chips. More details below.
Lucky for you, there are patches available to remediate or work around the issue. The downside is that CPU performance can drop by up to 30% after installing these patches. Older Intel CPUs will be harder hit than newer Intel CPUs.
**Update: several vendors have pulled their firmware updates due to problems related to the remediation process. Be sure to check with your hardware vendor to ensure that your configurations are supported, and that it is safe to install the firmware patch(es).
What are these vulnerabilities?
Whitepapers have been published for the Spectre Attack and the Meltdown Attack if you want really detailed explanations of how they work. However, I have included summaries below.
Meltdown
Meltdown affects Intel CPUs produced in the last 20 years.
There are a couple of scary videos showing how Meltdown works. They are Meltdown spying demo and Meltdown Memory Dump.
In the first video, you can see how one application is able to pull protected memory from another in order to display a password that someone is typing. The second video is simply a memory dump that shows plain text in memory for various applications running on the system.
Spectre
Spectre affects CPUs made or designed by Intel, AMD, and ARM. That means it affects a very large percentage of the devices you own.
Spectre takes advantage of performance optimization features called speculative execution and branch prediction, and allows one process to read the memory of another process. It is similar to the Meltdown vulnerability.
Apple Devices
Apple has confirmed that Apple Watches are not affected, but its other products are. To protect yourself, make sure you have upgraded your Apple devices to the following software versions:
- iOS (iPad/iPhone/iPod): 11.2
- macOS (MacBook, iMac, Mac mini, etc.): 10.13.2
- tvOS (Apple TV): 11.2
Apple will be releasing patches for Safari in the coming days to help protect against these exploits, as it is possible to exploit them via JavaScript.
Android
If you have the latest Android patch released in January, then you are safe. However, not all Android devices get patched right away, or at all. Google has released instructions on how to check your Android version and patch level.
Windows
If you are running Windows and you are not sure whether you are currently protected, Microsoft has released a PowerShell module for checking.
If you have Windows Management Framework 5.x installed, you can run the following two commands:
- Install-Module SpeculationControl
- Get-SpeculationControlSettings
The first command will install the module; the second will report your vulnerability status.
If you are on Windows 10 or Server 2016, it is likely that you have already received the January Windows update that includes the patch for Spectre and Meltdown. However, you will still need to get a firmware update from your hardware manufacturer. For that reason, I would recommend that everyone run this script to check their computer's protection.
If you are running a Microsoft Surface branded product, you will get your firmware update via Windows Update. For all other devices, you will need to check with the manufacturer.
Windows 8 and Windows 7 should have patches available in a few days on Patch Tuesday.
Another gotcha is that if your antivirus is incompatible, your computer will not detect the patch via Windows Update. Microsoft recommends you check with your antivirus vendor to confirm that it is compatible. If it is compatible, your antivirus vendor should set a registry key letting Windows know that it is OK to install the patch.
After installing the patch and updating your firmware, be sure to re-run the PowerShell script to confirm that you are protected.
**Note: The registry key described in this section is very important. If you have an unsupported antivirus, and the registry key has not been created, you may be prevented from getting any future Windows updates until that registry key is created.
Linux
Someone has released a Meltdown vulnerability checker, a tool to check if your Linux system is vulnerable to Meltdown.
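As an added example (not part of the original post, and not the checker tool mentioned above): recent Linux kernels report per-issue status under /sys/devices/system/cpu/vulnerabilities/, and this script reads those files for Meltdown and both Spectre variants. The function names, the VULN_DIR override and the --report switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre status from the kernel's sysfs files.
# VULN_DIR can be overridden (assumption of this example) to test against a copy.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT: map the kernel's status line to OK, VULNERABLE or UNKNOWN.
# Only the leading words are inspected; read the full line for sub-component detail.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo "OK" ;;
        "Vulnerable"*)                  echo "VULNERABLE" ;;
        *)                              echo "UNKNOWN" ;;
    esac
}

# check_issue NAME [DIR]: print "NAME STATUS (detail)"; succeed only when OK.
check_issue() {
    name="$1"
    dir="${2:-$VULN_DIR}"
    if [ ! -r "$dir/$name" ]; then
        # No file means the kernel lacks the reporting interface: not proof of safety.
        echo "$name UNKNOWN (no status file in $dir)"
        return 2
    fi
    text=$(head -n 1 "$dir/$name")
    status=$(classify_status "$text")
    echo "$name $status ($text)"
    [ "$status" = "OK" ]
}

# check_all [DIR]: check the three issues from this post; exit status is the
# number of issues that are not OK (0 means every one is mitigated or not affected).
check_all() {
    dir="${1:-$VULN_DIR}"
    bad=0
    for name in meltdown spectre_v1 spectre_v2; do
        check_issue "$name" "$dir" || bad=$((bad + 1))
    done
    return "$bad"
}

# Run the report only when asked, e.g.: sh check.sh --report
if [ "${1:-}" = "--report" ]; then
    check_all
    exit $?
fi
```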
Patching Ubuntu
Ubuntu has promised patches for the following versions by January 9, 2018:
- Ubuntu 17.10 (Artful) — Linux 4.13 HWE
- Ubuntu 16.04 LTS (Xenial) — Linux 4.4 (and 4.4 HWE)
- Ubuntu 14.04 LTS (Trusty) — Linux 3.13
- Ubuntu 12.04 ESM** (Precise) — Linux 3.2
Ubuntu 18.04 will ship with the patch pre-installed.
Once the patch is released, you can install it by running:
sudo apt-get update && sudo apt-get upgrade && sudo shutdown -r now
**Note your server/computer will reboot.
Patching Red Hat/CentOS
Red Hat has published a list of updates and a status showing whether the updates are currently available for a given product. At this time, most versions of Red Hat have patches available, but other software such as libvirt is still awaiting patches.
To patch your system on Red Hat/CentOS, simply run:
- sudo yum update
- sudo shutdown -r now
**Note, your computer/server will reboot.
VMware ESX, Workstation, and Fusion
VMware released the advisory VMSA-2018-0002 for ESXi, Workstation, and Fusion back on 1/3/2018. This advisory references patch(es) to remediate the Spectre and Meltdown vulnerabilities.
To be sure you are protected, apply the following patches:
- VMware vSphere 6.5: apply patch ESXi650-201712101-SG (released on Dec 19th, 2017)
- VMware vSphere 6.0: apply patch ESXi600-201711101-SG
- VMware vSphere 5.5: apply patch ESXi550-201709101-SG (this patch has remediation against CVE-2017-5715 but not against CVE-2017-5753)
- VMware Workstation 12.x: update to version 12.5.8
- VMware Fusion 8: update to version 8.5.9
**Note: Previous versions of vSphere (like 5.0 or 5.1) are no longer supported, which is one more reason to quickly upgrade your infrastructure to a supported version!
You can patch these products using the built-in update tools.