Meltdown and Spectre vulnerability guidance

On January 3rd 2018, researchers at Google’s Project Zero team announced vulnerabilities, dubbed Spectre and Meltdown, in modern computer processors (CPUs) which could allow an attacker to read memory that should be inaccessible to them, including sensitive data.

These are design flaws in the processors themselves, so the only complete remediation is to replace the affected CPUs; the software patches described below mitigate the risk rather than remove the underlying flaw.

AVAILABLE GUIDANCE
Details of the vulnerabilities are available from Google Project Zero at their site.

The UK’s National Cyber Security Centre has released guidance on how to handle the vulnerabilities, and US-CERT maintains a listing of all the vendor updates.

There are two websites dedicated to the vulnerabilities, Meltdown Attack and Spectre Attack.

VENDOR UPDATES AND PATCHES
A number of software vendors have released information and/or patches for their platforms to mitigate the risk posed by these vulnerabilities. Note that some vendors have warned that applying their patches may degrade performance on the patched systems, because the patches change how the CPU and operating system manage process memory, which adds overhead.

Microsoft
Microsoft has provided guidance to protect against the vulnerabilities and has also issued its monthly patch release earlier than scheduled.

Please note that various anti-virus vendors have announced that they do not yet support the above patch, so check with your anti-virus vendor before applying it. This is a good list that you can also refer to in order to determine whether your anti-virus vendor supports the patch.

Linux Operating Systems

VMware

Citrix

  • Citrix has released information for its Citrix and Xen platforms

CLOUD COMPUTING PROVIDERS
Details of updates to the issue from various cloud providers are available as follows:

Amazon
Microsoft Azure
Google

You should also contact your own hosting provider to ensure they have applied patches to any platforms that your systems may be hosted on.

RECOMMENDATIONS
Until affected hardware can be replaced, we recommend that you familiarise yourself with the vulnerabilities and their potential impact on your systems. You should contact your vendors to get their guidance and any available patches.

All patches should be thoroughly tested to determine whether they affect performance or introduce third-party compatibility issues, such as the anti-virus conflicts outlined earlier. Based on the results of that testing and a comprehensive risk assessment, we strongly recommend that the patches are applied.

Keep in mind that you may not be able to patch all affected systems in a timely fashion, so run regular reviews to detect any unpatched systems and then apply the patches to them.
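One way to run that review on Linux hosts, as an added example that is not part of the original advisory: a POSIX shell checker that reads the kernel's own per-issue status files under /sys/devices/system/cpu/vulnerabilities/ (exposed by Linux kernels from 4.15 onward, one file per issue such as meltdown, spectre_v1, spectre_v2). The function name, the directory argument and the exit-code convention are this example's own assumptions.

```shell
#!/bin/sh
# check_cpu_vulns: summarise the kernel's speculative-execution mitigation
# status. Each file under the sysfs directory reads "Not affected",
# "Vulnerable[: detail]" or "Mitigation: <technique>". The directory is a
# parameter so the same checker can be run over a copy collected from a
# fleet of hosts. Returns 0 when every listed issue is mitigated or not
# applicable, 1 when at least one issue is still vulnerable, and 2 when the
# kernel is too old to report anything (treat that as "needs review" too).
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    unmitigated=0
    [ -d "$dir" ] || { echo "no $dir: kernel predates mitigation reporting"; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) echo "UNMITIGATED $name: $status"
                         unmitigated=$((unmitigated + 1)) ;;
            *)           echo "ok          $name: $status" ;;
        esac
    done
    echo "unmitigated issues: $unmitigated"
    [ "$unmitigated" -eq 0 ]
}
```

Source the file and call `check_cpu_vulns` (optionally with a directory) from your review job; a non-zero exit marks the host as still needing a patch. On Windows the equivalent kernel-side report comes from Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings).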

You should also configure your IDS/IPS systems to detect any suspicious traffic; some IDS/IPS vendors have issued updates to detect attacks against these vulnerabilities. Bear in mind that these attacks run as code on the target CPU, so network-level detection can at best flag the delivery of attack code, not the side channel itself.

Regular monitoring of your systems for suspicious activity should be in place to detect a potential breach, and finally you should review your incident response processes so that you are prepared in the event of a breach resulting from these vulnerabilities.

2 Comments

  1. Denis Peach says:

    I cannot find a straight answer to my question anywhere. If I patch ESXi, do I also need to patch the respective guest OSes running in it? Seems to me if the hardware-level OS is patched, the underlying hardware flaw is mitigated for all workloads below the OS kernel. That would include any guest OSes running in the patched hypervisor. Am I wrong here? Why expose the risk of a double performance hit when you can just do it once?
