CPU hardware implementations
On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as Meltdown and Spectre—that affect modern computer processors. These vulnerabilities can be exploited to steal sensitive data present in a computer systems' memory.
CPU hardware implementations are vulnerable to side-channel attacks, referred to as Meltdown and Spectre. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw an attacker can exploit to force a program to reveal its data. The name derives from "speculative execution"—an optimization method a computer system performs to check whether it will work to prevent a delay when actually executed. Spectre affects almost all devices including desktops, laptops, cloud servers, and smartphones.
More details of these attacks can be found here:
An attacker can gain access to the system by establishing command and control presence on a machine via malicious Javascript, malvertising, or phishing. Once successful, the attacker could escalate privileges to exploit Meltdown and Spectre vulnerabilities, revealing sensitive information from a computer's kernel memory, including keystrokes, passwords, encryption keys, and other valuable information.
Mitigation
NCCIC encourages users and administrators to refer to their hardware and software vendors for the most recent information. In the case of Spectre, the vulnerability exists in CPU architecture rather than in software, and is not easily patched; however, this vulnerability is more difficult to exploit.
After patching, performance impacts may vary, depending on use cases. NCCIC recommends administrators ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect, if possible.
Additionally, NCCIC recommends users and administrators who rely on cloud infrastructure work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.
For machines running Windows Server, a number of registry changes must be completed in addition to installation of the patches. NCCIC recommends verifying your Windows Server version before downloading applicable patches and performing registry edits. A list of registry changes can be found here: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
Antivirus
Typical antivirus programs are built on a signature management system, and may not be able to detect the vulnerabilities. NCCIC recommends checking with your antivirus vendor to confirm compatibility with Meltdown and Spectre patches. Microsoft recommends third-party antivirus vendors add a change to the registry key of the machine running the antivirus software. Without it, that machine will not receive any of the following fixes from Microsoft:
More information can be found here: https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software.
Vendor Links
The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.
Note: NCCIC strongly recommends:
| Link to Vendor Information | Date Added |
|---|---|
| Amazon | January 4, 2018 |
| AMD | January 4, 2018 |
| Android | January 4, 2018 |
| Apple | January 4, 2018 |
| ARM | January 4, 2018 |
| CentOS | January 4, 2018 |
| Chromium | January 4, 2018 |
| Cisco | January 10, 2018 |
| Citrix | January 4, 2018 |
| Debian | January 5, 2018 |
| DragonflyBSD | January 8, 2018 |
| F5 | January 4, 2018 |
| Fedora Project | January 5, 2018 |
| Fortinet | January 5, 2018 |
| HP | January 19, 2018 |
| January 4, 2018 | |
| Huawei | January 4, 2018 |
| IBM | January 5, 2018 |
| Intel | January 4, 2018 |
| Juniper | January 8, 2018 |
| Lenovo | January 4, 2018 |
| Linux | January 4, 2018 |
| LLVM: variant #2 | January 8, 2018 |
| LLVM: builtin_load_no_speculate | January 8, 2018 |
| LLVM: llvm.nospeculatedload | January 8, 2018 |
| Microsoft Azure | January 4, 2018 |
| Microsoft | January 4, 2018 |
| Mozilla | January 4, 2018 |
| NetApp | January 8, 2018 |
| Nutanix | January 10, 2018 |
| NVIDIA | January 4, 2018 |
| OpenSuSE | January 4, 2018 |
| Oracle | January 17, 2018 |
| Qubes | January 8, 2018 |
| Red Hat | January 4, 2018 |
| SuSE | January 4, 2018 |
| Synology | January 8, 2018 |
| Trend Micro | January 4, 2018 |
| Ubuntu | January 17, 2018 |
| VMware | January 10, 2018 |
| Xen | January 4, 2018 |
This product is provided subject to this Notification and this Privacy & Use policy.