2018 – WEEK ONE
Hopes for a quiet end to the first week of 2018 have been crushed. As I’m sure you’re aware by now, the security world is in a flutter over the leaked announcement of two critical CPU vulnerabilities called Meltdown and Spectre.
Meltdown can read the contents of private kernel memory from an unprivileged user process.
ALL Intel processors released since 1995, with the exception of Itanium and pre-2013 Atoms, are affected. No AMD processors are affected by Meltdown.
Workaround patches have been released for Windows and Linux; Apple’s iOS has been patched since version 10.13.2.
Spectre extracts information from other running processes (e.g. stealing login cookies from browsers).
Intel, ARM, and AMD processors are all reportedly affected to some degree. See this post for more specifics.
There have been two good posts by Microsoft that might be of help to fellow network administrators in the same “so, now what?” boat.
Watch out though! Microsoft has said that during its testing phase, some anti-virus programs caused BSOD crashes that prevented computers from booting after the installation of the Meltdown and Spectre patches. Microsoft has said it instructed “anti-virus vendors to modify their products and create a registry key on customers’ computers when they’ve confirmed or updated their products so not to crash Windows PCs post-Meltdown/Spectre updates”. To help prevent BSODs caused by incompatible anti-virus applications, Microsoft will only offer the Windows security updates published 3rd Jan, 2018 to devices running anti-virus software from partners who have fully confirmed their software is compatible with the January 2018 Windows operating system security update.
Note: Windows Server admins must enable the kernel-user space splitting feature once the update is installed. Amazon has issued updates to its AWS Linux guest kernels and Microsoft is rolling out fixes to Azure, as well. A good list of vendor advisories and updates is available here.
Amazon has released a security bulletin that provides information on how Amazon AWS services are affected by Meltdown and Spectre. In summary, this bulletin states:
This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices. All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications.
While the updates AWS performs protect underlying infrastructure, in order to be fully protected against these issues, customers must also patch their instance operating systems. Updates for Amazon Linux have been made available, and instructions for updating existing instances are provided further below along with any other AWS-related guidance relevant to this bulletin.
It’s also worth checking and updating ALL internet browsers: Chrome, Firefox, IE…
To enable the mitigations (Windows Server; both values are needed, followed by a reboot):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
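To verify that the two values above have actually been set on a Windows Server host and that one of the January updates is installed, here is an added PowerShell audit script (not from the original post or from Microsoft); it assumes the KB numbers from the patch list below and, for the kernel-side check, Microsoft’s SpeculationControl PowerShell module if it happens to be installed.

```powershell
# Added audit script (not from the original post). Reads the two registry
# values set by the 'reg add' commands above and checks whether one of the
# January 2018 updates listed in this post is installed.
$mmPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$patchIds = @('KB4056890', 'KB4056897', 'KB4056898')   # taken from the patch list below

function Get-MitigationRegistryState {
    # Absent values come back as $null; on Server that means the mitigations
    # are still OFF even though the update itself is installed.
    $p = Get-ItemProperty -Path $mmPath -ErrorAction SilentlyContinue
    $override = $p.FeatureSettingsOverride
    $mask     = $p.FeatureSettingsOverrideMask
    [pscustomobject]@{
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        # Override 0 together with mask 3 is the "enable both mitigations" combination.
        Enabled = ($null -ne $override) -and ($null -ne $mask) -and
                  ($override -eq 0) -and (($mask -band 3) -eq 3)
    }
}

function Get-InstalledJanuaryUpdate {
    # Returns whichever of the listed KBs Get-HotFix reports as installed.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $patchIds -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

$reg = Get-MitigationRegistryState
$kbs = @(Get-InstalledJanuaryUpdate)

Write-Host "Update installed : $(if ($kbs.Count) { $kbs -join ', ' } else { 'none of ' + ($patchIds -join ', ') })"
Write-Host "Override / Mask  : $($reg.FeatureSettingsOverride) / $($reg.FeatureSettingsOverrideMask)"
Write-Host "Mitigations set  : $($reg.Enabled)"

if ($kbs.Count -and -not $reg.Enabled) {
    Write-Warning 'Update present but mitigations not enabled: run the two reg add commands and reboot.'
}

# Microsoft's SpeculationControl module (Install-Module SpeculationControl) reports
# what the running kernel has actually applied, which is the authoritative check
# after the reboot. Assumed to be installed; the call is skipped if it is not.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
}
```

The registry check only tells you what has been requested; the SpeculationControl output is what confirms the kernel/user split is live after the reboot.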
Please check the following article about mitigation options for Server OS:
Windows Server guidance to protect against speculative execution side-channel vulnerabilities
Also check out the Windows KB4056890 patch at https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056890
Patch Releases (last updated 09/01/2018 11:05 AM)
Not all patches have been released yet, but it is likely that initial patches will be released by the previously planned date of 9th January.
RHEL 5: pending
RHEL 6: kernel-2.6.32-696.18.7.el6
RHEL 7: kernel-3.10.0-693.11.6.el7
CentOS 5: pending
CentOS 6: kernel-2.6.32-696.18.7.el6
CentOS 7: kernel-3.10.0-693.11.6.el7
Debian 6 Squeeze: not expected
Debian 7 Wheezy: pending
Debian 8 Jessie: pending
Debian 9 Stretch: 4.9.65-3+deb9u2
Ubuntu 12.04: pending
Ubuntu 14.04: pending
Ubuntu 16.04: pending
Windows Server 2008: not expected
Windows Server 2008R2: KB4056897
Windows Server 2012: not expected
Windows Server 2012R2: KB4056898
Windows Server 2016: KB4056890
We will add links to new patches as soon as they are available.