Between January 3 and 4, 2018, three vulnerabilities in processor hardware were made public that affect nearly all modern architectures. Impacted architectures include Intel, AMD, and ARM. If successfully exploited, an unprivileged process on an affected system could read privileged memory inside other processes or, in some cases, outside guest containers or virtualization hypervisors.
Most major operating system vendors have released patches mitigating the issues from the operating system level—hardware developers are likely to release firmware updates as well. These patches could have a detrimental impact on system performance and should therefore be monitored after implementation.
- Three CVEs disclosed by reputable sources for hardware-level vulnerabilities
- Microsoft has released patches for a number of OSs (see list below)
- RedHat has issued patches for RHEL and CentOS
- Apple has possibly released patches for Sierra and High Sierra, however, at the time of writing they have not confirmed
- No known in-the-wild attacks
- PoC code has been developed by multiple parties for local exploit, not remote
- Early public information suggested a possible performance hit between 5–30 percent (depending on workload)
- Patches should be applied and tested as they become available
Security analysts have discovered three variants of exploit that likely affect all modern processor architectures. Variants One and Two are applicable to both Intel and AMD architectures. Variant Three is possibly only applicable to Intel. Variants One and Two have been termed Spectr, while Variant Three has been named Meltdown. Unless otherwise noted, the rest of this report will refer to all three variants collectively as “The Vulnerabilities.”
The specific vulnerabilities exist in how speculative execution affects processor-level caches. All three attacks are timing attacks allowing unprivileged processes to read memory to which they should not otherwise have access. These attacks likely only result in a few bytes of data to be read at a time. For instance, Google Project Zero found that kernel virtual memory could only be read via Spectre at a rate of 2,000 bytes per second after an initial startup of four seconds. However, it is possible that additional attacks could be discovered to increase this rate.
Operating System Vendors:
At the time of writing, most major OS vendors have begun releasing patches to mitigate the effects of the hardware-level vulnerabilities. Microsoft has released the following patches for supported operating systems.
|Operating System Version||Update KB|
|Windows Server, version 1709 (Server Core |
|Windows Server 2016||4056890|
|Windows Server 2012 R2||4056898|
|Windows Server 2012||Not available|
|Windows Server 2008 R2||4056897|
|Windows Server 2008||Not available|
|Windows 10 (RTM, 1511, 1607, 1703, 1709), Windows 8.1, |
Windows 7 SP1
Microsoft has noted that anti-virus products could be incompatible with these patches and therefore systems will only be capable of patching once installed anti-virus software has been certified by the anti-virus software vendor. At the time of writing, public sources suggest supported anti-virus products include (but are not limited to): Microsoft’s Defender, Kaspersky, ESET, AVAST, Symantec, and F-Secure. Webroot and CrowdStrike are partially supported. This information will likely change rapidly throughout the day, so software vendors should be contacted directly to confirm support.
RedHat has released updates for its supported RedHat Enterprise Linux (RHEL) versions and CentOS patches can be obtained via Yum.
Mac OS X (Apple):
While Apple has not specifically confirmed its desktop and server OSs have been updated, there is evidence that updates are available for supported versions of Sierra and High Sierra.
Amazon Web Services:
As of the time of this writing Amazon had released a statement announcing that all but a few of their infrastructure systems had been patched and that AMIs would be provided to upgrade Microsoft systems. Other nodes would need to consult with applicable software vendors to protect the virtual nodes themselves.
Similar to Amazon, Microsoft claimed their infrastructure had been patched and that remaining systems would be patched soon.
Intel has released a list of all their affected products. Multiple media outlets are also reporting that Intel has claimed it will release security updates for most chips released within the past five years. Products containing Intel hardware but manufactured by other vendors should check for updates from the respective hardware manufacturer.
The immediate impact of these three vulnerabilities is that all affected systems should be patched both at the OS-level and at the firmware level as patches become available. Early reports suggest that performance could be affected anywhere between 5–30 percent (depending on workload). Given OS-level mitigation requires additional code within a critical user-to-kernel code path, these numbers could be valid; however, testing will need to be conducted to verify individual workload effects.
Unless there is a critical performance concern, given the prevalence of these vulnerabilities and the potential severity of exploit, affected software and hardware should be patched as soon as possible. Performance should be monitored to ensure any performance impact does not push resources beyond their limits.
More Posts from LogRhythm Labs
- 8 Information Security Predictions for 2018
- Detecting Petya/NotPetya Ransomware
- A Technical Analysis of WannaCry Ransomware