Meltdown and Spectre – what you need to know!

Hi all,

I was going to mention this topic in my newsletter this weekend.  But things got sort of crazy and now there is so much info it is confusing out there so I thought I would treat this as a separate subject rather than as part of my newsletter.

Here is an article by one of the top security thinkers – good info! Here is some good technical detail as well.

Meltdown

What is Meltdown – this is an Intel processor flaw that will let a process see beyond expected boundaries.  This information can be found or seen, in ways that you think is not possible. It is in fact melting the fundamental isolation between user applications and operating systems – and virtual machines and hypervisors – and virtual machines and virtual machines.  There are proof of concepts that can see passwords or encryption keys – from one virtual machine to another.  Essentially this is a privilege escalation flaw.

  • The official reference is CVE-2017-5754.
  • One of the first articles I saw on this subject was this one.
  • Software should be able to mitigate this issue.
  • Where can I learn more about anti-virus and will mine help with this or not?  Find out here.
  • If you want to see a comparison of Meltdown and Spectre check this article out.
  • There was initially a lot of concern about performance impacts.  So far, we are not seeing much of that.  Not all patches are out yet so we will see.

How can I protect myself?

  • Apple Mac – mitigation is in High Sierra 10.13.2, iOS 11.2 and tvOS 11.2 and further work will be in next release (s). This current mitigation does not noticeable impact performance.  See the Apple KB article for more info. Here is a new Apple KB article about security patches – including some out 1/8/18 or iOS and macOS.
  • VMware – this does not impact VMware as ESXi does not run untrusted code, and Fusion /Workstation are type 2 hypervisors so it their hosting OS that needs to be patched. However, some appliances maybe impacted and you can check that in this KB article. Here is a new VMware KB article that is an overview and one to watch.
  • Windows – learn more in this Microsoft articleImportant note – patches will not help if you don’t set the registry. In this article you can learn about the performance impact of the patches.
  • Intel is very quickly making microcode updates available to their partners, which means you will get HP or Dell server updates at some point that contain the fix.  See this article for info on this. Update as soon as it is reasonable.
  • NetApp says it has no issues but here is their words.
  • More information for HPE servers can be found here.
  • HyTrust Cloud Advisor for Data has updates for Spectre / Meltdown.  I have no details but I was told by their support org so likely if you are a user you should be hearing soon.
  • You can find out all you need for Dell gear in this article.

Spectre

This is an exploitation technique that can occur on Intel, ARM, and AMD processors. It is very difficult to exploit even when applications are running local.  It may be potentially exploited with JavaScript running local in a Web Browser. I personally believe that this is currently not likely to be seen by many number of people due to complexity of exploiting it.  This essentially works due to a process or code tricking the processor to execute things that they should not be able to convince the processor to do on their behalf.

  • The official reference is CVE-2017-5753 and CVE-2017-5715.
  • Software should be able to mitigate this issue but it is tricky!
  • Where can I learn more about anti-virus and will mine help with this or not?  Find out here.
  • Intel is very quickly making microcode updates available to their partners, which means you will get HP or Dell server updates at some point that contain the fix.  See this article for info on this.
  • You can use my vSphere Documentation article to print out reports on both VMware patch level, and firmware level, as it relates to Spectre.  Very handy! I see in the release of v2.4 today (of the script referenced in the article) that is now supports more checks – that it got from VMSA-2018-0004.  So pretty cool.

How can I protect myself?

  • Apple will release an update to Safari to mitigate this exploit.  Should not noticeably impact performance.  See this Apple KB article for more info. Here is a new Apple KB article about security patches – including some out 1/8/18 or iOS and macOS.
  • VMware – there was a 6.5 patch in December that protects against Spectre and due to the way that VMware does thing in ESXi there is no Meltdown vulnerability.  See the VMware Security advisory here, and a blog about it here. It covers off other VMware products – where some need a patch and some do not. Here is additional info in the form of a VMware KB article mostly concerned with appliances (the VCSA update is here). Here is a new VMware KB article that is an overview and one to watch. Today – 1/9/18 it seems there is more patches for this – see this KB article. Here is a new VMware article that helps on order of patching – meaning vC first, then ESX, then host BIOS. There is some important detail in this article! Here is an article from William Lam that has a script to help with that article – particularly important to help confirm things and scale. Here is a workaround for VCSA while the permanent fix is not here. Here is an important article that if you have installed VMware ESXi patches for microcode you need to read.  If you have not installed any VMware patches that have microcode DON’T – BTW, I discovered I had in fact applied those patches.  they were in the Not critical baseline so they were applied.  Since I have the impacted processor family in those servers I should apply the mitigation.  Here is the VMware article to watch that they will share performance impact info via. Update, all the patches in VMSA-2018-004 have been pulled.  If you installed them – like I did, they are still installed.  Which may or may not be an issue. There is no notice in the Notifications part of VUM which you would think there would be for pulled patches.
  • Windows – learn more in this Microsoft articleImportant note – patches will not help if you don’t set the registry. In my case it was set by, I asume, Microsoft Defender. In this article you can learn about the performance impact of the patches.
  • Intel is very quickly making microcode updates available to their partners, which means you will get HP or Dell server updates at some point that contain the fix.  See this article for info on this.  Update as soon as is reasonable!
  • NetApp says it has no issues but here is their words.
  • SuperMicro is working on updates and you can find out more here. For the SYS-5028D-TN4T family (sorry but cannot find the family name) we are waiting for firmware patch 1.3.
  • More information for HPE servers can be found here.
  • Nvidia graphics cards need to be patch – more info here.
  • HyTrust Cloud Advisor for Data has updates for Spectre / Meltdown.  I have no details but I was told by their support org so likely if you are a user you should be hearing soon.
  • You can find out all you need for Dell gear in this article. You can find info on BIOS firmware in this article.

Summary

Patch. As always, if you have a lab, test the patch there first.  In this case, patch means OS patches, like for Windows or macOS, but also firmware for hosts.  I think once you have your OS, hypervisors, and server firmware patched you will be better off.  I hope that our malware vendors also step up and help.  They cannot help too much as some of these sort of exploits will look like normal activities but hopefully they will be able to help out in other ways.  Also remember those Windows patches need a registry tweak to be active. And yes, you might have to re-patch, or un-patch, but it still needs to be done.

I would like to add that you need to patch in depth.  For example, you need to patch your hypervisor, and the VMs running on top of it. For the VMs there is OS level patches, and hopefully soon browser patches. The vector of attack can be from a variety of directions so patching in depth is key.

Updates:

  • 1/20/18 – added the link to the Dell-EMC article about firmware updates.
  • 1/13/18 – added the link to the VMware article that will accumulate the performance impact of these patches.  Also added the link to the article that says do not install the patches with the microcode (for 6.5 it is ESXi650-201801402-BG).
  • 1/12/18 – updated with new workaround article for VCSA, and the script that William has done to help confirm things. Also, you can have issues with some of the patches and it was due to EVC.  So see the info here.  Also added the MS article about performance impact of the patches.
  • 1/11/18 – updated with Dell info, and the fact the the vDocumentation script I mention above does more now.
  • 1/10/18 – added in the HPE info. Also added the HyTrust info.
  • 1/9/18 – added in the Supermicro info as well as my article about documenting the state of your hosts vSphere and firmware. Added a link to the additional VMware patches out today. Also added a link to the VCSA RN.
  • 1/8/18 – added the link to the Apple security article that has links and info on the iOS and macOS updates. Added the links to NetApp as well.
  • 1/8/18 – added the comment about patch in depth. Added the new VMware KB article.
  • 1/6/18 – added in the link to the VMware KB article on VMware appliances.
  • 1/5/18 – added in a link to Bruce Schneier’s article.
  • 1/5/18 – Ben let me know I had – from VMware’s point of view – Spectre and Meltdown reversed.  So fixed that, and added links to the CVE.  Thanks very much Ben!

Any questions or comments let me know,

Michael

=== END ===

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s