Updated Jan. 5, 2018

The worldwide information security community has been discussing recently announced vulnerabilities in common CPU (central processing unit) hardware on a wide range of devices, which can be exploited via the Meltdown and Spectre exploits. These exploits have the potential to obtain private information on devices without requiring any privileges. The following provides some preliminary advice for end users and technical staff. Links to references for up-to-date technical and patch information are included.

 

I’m a Device Owner and User – What Should I Do?

  1. Keep up to date with device patching.
  2. Continue to exercise caution when encountering email attachments and links.
  3. Do not install software for which you are not confident of the source.
  4. Check with your departmental IT staff for more information.

Information for Technical Staff

There are two exploits identified:

Meltdown (CVE-2017-5754) is an exploit of ‘Speculative Execution’, an internal CPU algorithm, that applies to Intel products only.

Spectre (CVE-2017-5753 and CVE-2017-5715) is an exploit of ‘Speculative Execution’ and ‘Branch Prediction’, both CPU chip algorithms that apply to a broad range of products.

Reference sites:

https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/

https://meltdownattack.com/

https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html

ISEA Detection/Remediation Advice

It will be difficult to detect data compromise, since system logs generally do not record memory leakage activity. The ISEA Nessus scanning service cannot detect whether patches are present. Administrators of virtual environments should be concerned with patching both the host and guest components at this time.

Patch Status

NOTE: Check patch install docs carefully – some patches are installed but not activated due to potential negative performance effects. Here are links to current information on operating system, firmware, and virtual environment patches:

Microsoft:

https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-updates-to-fix-meltdown-and-spectre-cpu-flaws/

Apple (partial release):

http://appleinsider.com/articles/18/01/03/apple-has-already-partially-implemented-fix-in-macos-for-kpti-intel-cpu-security-flaw

Red Hat: Patches for Meltdown are pending:

https://access.redhat.com/security/cve/cve-2017-5754

CentOS: Patches are available.

Google Applications (Android, Chrome browser, etc.):

https://support.google.com/faqs/answer/7622138

VMware is releasing patches for its products here:

https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
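
Added example (not part of the original advisory or of any vendor's tooling): because the scanning service cannot see patch state and some patches install without being activated, a Linux host can be checked locally for mitigations that are actually active. The script assumes a kernel that exposes the /sys/devices/system/cpu/vulnerabilities sysfs interface (upstream since Linux 4.15; absent on older kernels, which it reports as unknown); the function names are illustrative.

```python
"""Report whether Meltdown/Spectre mitigations are active, not merely installed (Linux)."""
from pathlib import Path

# Assumption: kernel provides this sysfs directory (Linux 4.15+ or a vendor backport).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# CVE ids as listed in the advisory, mapped to the kernel's sysfs file names.
CVE_FILES = {
    "CVE-2017-5754": "meltdown",
    "CVE-2017-5753": "spectre_v1",
    "CVE-2017-5715": "spectre_v2",
}

def classify(status):
    """Map a sysfs status line to not_affected, mitigated, vulnerable or unknown."""
    if status is None:
        return "unknown"
    line = status.strip()
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    if line.startswith("Vulnerable"):  # also covers "Vulnerable: <reason>"
        return "vulnerable"
    return "unknown"

def read_status(base=SYSFS_DIR):
    """Return {cve: (raw_line_or_None, classification)} for each CVE above."""
    report = {}
    for cve, name in CVE_FILES.items():
        try:
            raw = (Path(base) / name).read_text().strip()
        except OSError:
            raw = None  # no sysfs entry: kernel predates the interface
        report[cve] = (raw, classify(raw))
    return report

def needs_attention(report):
    """CVEs whose mitigation is not confirmed active (vulnerable or unknown)."""
    return sorted(cve for cve, (_, state) in report.items()
                  if state in ("vulnerable", "unknown"))

if __name__ == "__main__":
    report = read_status()
    for cve, (raw, state) in sorted(report.items()):
        print(f"{cve}: {state:<12} {raw or '(no sysfs entry; check vendor patch docs)'}")
    # Non-zero exit lets a fleet-management job flag hosts that need follow-up.
    raise SystemExit(1 if needs_attention(report) else 0)
```

An "unknown" result means the kernel cannot report status, not that the host is safe; fall back to the vendor's patch documentation linked above.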