Meltdown and Spectre are hardware design vulnerabilities in all modern CPUs based on speculative execution. Background infos:
- https://spectreattack.com/ or https://meltdownattack.com/ (both pages serve identical content)
The bug is in the hardware, but mitigations in operating systems are possible and are getting shipped now. I’m collecting notes on the patch status in various software products. This will change rapidly and may contain errors. If you have better info please send pull requests.
- In a recent tweet, Moritz Lipp (Graz University of Technology) has announced the release of their PoC implementations for Meltdown.
Linux upstream kernel
Kernel Page Table Isolation is a mitigation in the Linux Kernel, originally named KAISER.
- Version 4.14.11 contains KPTI.
- Version 4.15-rc6 contains KPTI.
- Longterm support kernels Version 4.9.75 and 4.4.110 contain KPTI backports.
minipli is an unofficial fork of the former grsecurity patches (original grsecurity is no longer publicly available). minipli is based on the longterm kernel 4.9, which supports KPTI since 4.9.75, yet the patchset isn’t ported yet.
- Fixed with Android Security Bulletin—January 2018.
- Microsoft Advisory
- Windows Server Guidance and Windows Client Guidance. Note: both links include a Powershell tool to query the status of Windows mitigations for CVE-2017-5715 (branch target injection) and CVE-2017-5754 (rogue data cache load).
- Protecting guest virtual machines from CVE-2017-5715 (branch target injection)
Update – Tue 9 Jan 09:00 UTC
Microsoft has reports of some customers with AMD devices getting into an unbootable state after installing this KB. To prevent this issue, Microsoft will temporarily pause Windows OS updates to devices with impacted AMD processors (older CPUs, eg. Athlon and Sempron) at this time. Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible. If you have experienced an unbootable state or for more information see KB4073707. For AMD specific information please contact AMD.
Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown.
Update Mon 8 Jan 18:00 UTC
Apple has released security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715):
- macOS High Sierra 10.13.2 Supplemental Update
- Safari 11.0.2 for Mac OS X El Capitan 10.11.6 and macOS Sierra 10.12.6
- iOS 11.2.2 update for iPhone and iPad
Update – Sun 7 Jan 2018, 9:00 UTC
Based on the Apple’s response posted here, Meltdown (CVE-2017-5754) is currently only addressed in iOS 11.2, macOS 10.13.2, and tvOS 11.2. Apple cannot say at this time if there will be updates to OS versions prior to the ones listed in their article at this time. The same can be said for Spectre (CVE-2017-5753 and CVE-2017-5715) and any updates for Safari. This means that at this given time there are NO patches for 10.11.x (El Capitan) or 10.12.x (Sierra).
- Red Hat Advisory
- Fedora – Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
- Ubuntu (tl;dr: Release candidate kernels with patches for Meltdown 4.4.x and 4.13.x are now available through a dedicated PPA; subsequent patches for Spectre are coming in the future before the kernels are pushed to official release branch):
Update – Sun 7 Jan 2018, 22:00 UTC
Release candidate kernels 4.4.x (Trusty HWE / Xenial GA) and 4.13.x (Xenial HWE-edge / Artful GA / Artful HWE) are now publicly available from a dedicated Launchpad PPA and currently contain patches for CVE-2017-5754 aka Meltdown, with support only some architactures. Support for a broader array of architectures and patches for CVE-2017-5715 and CVE-2017-5753 aka Spectre are expected in the near future. After some testing, the patched kernels will be pushed to the main release branch.
Update – Mon 8 Jan 2018, 16:00 UTC
Canonical Ltd. announced that, in order to speed up the patching process for all supported distribution versions and branches, the 4.10.x Xenial HWE kernel will be migrated early to version 4.13.x, thus leaving no supported kernel branch exposed to vulnerabilities. The migration will occur concurrently to the push of patched kernels to the main distribution repositories. In addition, Ubuntu 17.04, aka Zesty Zapus, will reach End Of Life on Sat 13 Jan 2018 and will not receive any kind kernel patch support.
- Debian: „Meltdown“ fixed in stretch (4.9.65-3+deb9u2, DSA-4078-1). „Spectre“ mitigations are a work in progress.
- SUSE Advisory
- Scientific Linux:
- CoreOS Container Linux: Fixes for Meltdown are available in all release channels now (Alpha 1649.0.0, Beta 1632.1.0, Stable 1576.5.0). Auto-updated systems will receive the releases containing the patch on 2017-01-08. Spectre patches are still WIP.
- NixOS: According to #33414, KPTI is in nixpkgs since 1e129a3.
- Arch Linux Advisory
- Oracle Linux (ELSA Security Advisory):
- CloudLinux: Intel CPU Bug – Meltdown and Spectre – KernelCare and CloudLinux
- Parrot Security OS: meltdown/spectre security patches
- Wind River Linux and Pulsar Linux: Wind River Security Vulnerability Notice: Linux Kernel Meltdown and Spectre Break (Side-Channel Attacks)
- Citrix XenServer – Citrix XenServer Multiple Security Updates
- KVM: Update – Tue 9 Jan 07:50 UTC – Paolo Bonzini, KVM developer, posted in a tweet the following status update for CVE-2017-5715 (Spectre):
- Already in Linus’s tree: clearing registers on vmexit
- First wave of KVM fixes here: https://marc.info/?l=kvm&m=151543506500957&w=2
- He is also mentioning that a full solution will require all the Linux parts to be agreed upon, but this will unblock the QEMU updates.
- Nutanix – Nutanix Security Advisory #0007 v1 – Nutanix Side-Channel Speculative Execution Vulnerabilities
Update – Mon 8 Jan 2018
- New Nutanix Security Advisory #0007 v2 – Nutanix Side-Channel Speculative Execution Vulnerabilities
- Proxmox: Meltdown and Spectre Linux Kernel fixes
- QEMU – unofficial patch published here, official blog post, discussion on qemu-devel
- Red Hat Enterprise Virtualization – Impacts of CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 to Red Hat Virtualization products
- Virtuozzo – Virtuozzo Addresses Intel Bug Questions
- VMware – VMSA-2018-0002 ** Update 01/04/18: „OS vendors have begun issuing patches that address CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 for their operating systems. For these patches to be fully functional in a guest OS additional ESXi and vCenter Server updates will be required. These updates are being given the highest priority. Please sign up to the Security-Announce mailing list to be alerted when these updates are available.“ ** William Lam suggests forthcoming patches for ESXi 5.5 and a vCenter patch to deliver microcode when using EVC. ** KB 52264 tracks VMware appliance status (currently all unaffected or pending)
- XEN – XSA-254 and Xen Project Spectre/Meltdown FAQ, no patches yet – also https://wiki.xenproject.org/wiki/Xen_Project_Meltdown_and_Spectre_Technical_FAQ
- Mozilla: Mitigations landing for new class of timing attack (blog post), Security Advisory 2018-01, Firefox mitigation update 57.0.4
- Google Chrome: Actions Required to Mitigate Speculative Side-Channel Attack Techniques
- Microsoft Edge: Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer
- Webkit (open source browser engine): What Spectre and Meltdown Mean For WebKit
- Brave Browser: New desktop release just out (0.19.131) with various security enhancements, including Strict Site Isolation support.
Update Mon 8 Jan 2018, 13:00 UTC
Tencent’s Xuanwu Lab has released a web-based tool that can detect whether your browser is vulnerable to Spectre Attack and can be easily exploited. Official tweet: https://twitter.com/XuanwuLab/status/950345917013504001
- Alibaba Cloud: Intel Processor Meltdown and Specter Security Vulnerability Bulletin
- Amazon AWS: Processor Speculative Execution Research Disclosure
- Microsoft Azure: Securing Azure customers from CPU vulnerability
- DigitalOcean: A Message About Intel Security Findings
- Gandi: Meltdown and Spectre vulnerabilities
- Google Cloud: Google’s Mitigations Against CPU Speculative Execution Attack Methods
- Heroku: Meltdown and Spectre Security Update
- Hetzner: Spectre and Meltdown
- Linode: CPU Vulnerabilities: Meltdown & Spectre
- OVH: Meltdown, Spectre bug impacting x86-64 CPU – OVH fully mobilised (en), Vulnérabilités Meltdown/Spectre affectant les CPU x86-64 : OVH pleinement mobilisé (fr)
- Rackspace: Rackspace is Tracking Vulnerabilities Affecting Processors by Intel, AMD and ARM
- Scaleway/Online: Spectre and Meltdown vulnerabilities status
- UpCloud: Information regarding the Intel CPU vulnerability (Meltdown)
- Vultr: Intel CPU Vulnerability Alert
- Zscaler: Meltdown and Spectre vulnerabilities: What you need to know
Chip Manufacturers / HW Vendors
- A10 Networks: SPECTRE/MELTDOWN – CVE-2017-5715/5753/5754
- Aerohive Networks: Aerohive’s response to Meltdown and Spectre
- AMD: An Update on AMD Processor Security
- ARM: Security Update
- Arista: Security Advisories
- Aruba Networks: ARUBA-PSA-2018-001 – Unauthorized Memory Disclosure through CPU Side-Channel Attacks
- ASUS: ASUS Motherboards Microcode Update for Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
- Avaya: Recent Potential CPU Vulnerabilities: Meltdown and Spectre
- AVM: Meltdown und Spectre – keine Angriffsmöglichkeit bei AVM-Produkten
- Barracuda Networks: Security Advisory
- Check Point: Check Point Response to Meltdown and Spectre (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
- Cisco CPU Side-Channel Information Disclosure Vulnerabilities
- Cumulus Linux: Meltdown and Spectre: Modern CPU Vulnerabilities
- Dell EMC: Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)
- F5: K91229003 – Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754
- FireEye: FireEye Notice for CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 (“Meltdown” and “Spectre” vulnerabilities), Community Protection Event (CPE): CPU Security Flaws (Spectre/Meltdown) (Login required)
- Fortigate: CPU hardware vulnerable to Meltdown and Spectre attacks
- Fujitsu: CPU hardware vulnerable to side-channel attacks ; Side-Channel Analysis Method (Spectre & Meltdown) Security Review List of affected Fujitsu Products
- Huawei: huawei-sn-20180104-01 – Statement on the Media Disclosure of a Security Vulnerability in the Intel CPU Architecture Design
- HP Enterprise: Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754), HPESBHF03805 Certain HPE products using Microprocessors from Intel, AMD, and ARM, with Speculative Execution, Elevation of Privilege and Information Disclosure
- IBM: Central Processor Unit (CPU) Architectural Design Flaws, Potential Impact on Processors in the POWER family
- Infoblox: #7346: Spectre/Meltdown Vulnerabilities – CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 (Login required)
- Intel: INTEL-SA-00088 – Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method, Intel Analysis of Speculative Execution Side Channels (Whitepaper), Intel Issues Updates to Protect Systems from Security Exploits
- Juniper: 2018-01 Out of Cycle Security Bulletin: Meltdown & Spectre: CPU Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method, Meltdown & Spectre: Modern CPU vulnerabilities
- LANCOM: Spectre und Meltdown: LANCOM Geräte sind nicht betroffen
- Lenovo: LEN-18282 – Reading Privileged Memory with a Side Channel
- NetApp: NTAP-20180104-0001 – Processor Speculated Execution Vulnerabilities in NetApp Products
- Netgate: An update on Meltdown and Spectre
- NVIDIA: Security Notice: Speculative Side Channels, NVIDIA Shield Tablet Security Updates, NVIDIA Shield TV Security Updates, NVIDIA GPU Display Driver Security Updates, NVIDIA Tegra Jetson TX2 L4T Security Updates, NVIDIA Tegra Jetson TX1 L4T and Jetson TK1 L4T Security Updates
- Palo Alto Networks: Information about Meltdown and Spectre findings (PAN-SA-2018-0001)
- Polycom: Security Advisory Relating to the “Speculative Execution” Vulnerabilities with some microprocessors
- Pure Storage: Advisory (login required)
- Quanta: Intel Security Advisory update
- Raspberry Pi: Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown
- RSA: 000035890 – Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on RSA products (login required)
- Schneider Electric: Security Notification: „Meltdown“ (CVE-2017-5754) and „Spectre“ (CVE-2017-5753 & CVE-2017-5715) – impact to APC products
- Silver Peak: Security Advisory
- Sonicwall: Meltdown and Spectre Vulnerabilities: A SonicWall Alert
- Supermicro: Security Vulnerabilities Regarding Side Channel Speculative Execution and Indirect Branch Prediction Information Disclosure
- Symantec: Meltdown and Spectre: Are Symantec Products Affected?
- Thomas-Krenn: Sicherheitshinweise zu Meltdown und Spectre
- Veritas Appliance: Veritas Appliance Statement on Meltdown and Spectre
- CERT/CC: Vulnerability Note VU#584653 – CPU hardware vulnerable to side-channel attacks
- US-CERT: TA18-004A – Meltdown and Spectre Side-Channel Vulnerability Guidance
- CERT-EU: Security Advisory 2018-001 – Meltdown and Spectre Critical Vulnerabilities
- NCSC-UK: Meltdown and Spectre guidance
- CERT-FR: CERTFR-2018-ALE-001 – Multiples vulnérabilités de fuite d’informations dans des processeurs (french only)
- CERT Nazionale: Moderni processori vulnerabili ad attacchi side-channel (italian only)
- CERT-PA: Meltdown e Spectre, vulnerabilità sui microprocessori mettono potenzialmente a rischio informazioni sensibili (italian only)
- SingCERT: Alert on Security Flaws Found in Central Processing Units (CPUs)
- CERT.BE: Central Processor Unit (CPU) Architectural Design Flaws
- CERT-IS: Alvarlegur öryggisgalli í örgjörvum – Meltdown/Spectre (icelandic only)
- MyCERT: MA-691.012018: Alert – CPU Hardware Side-Channel Attacks Vulnerability
Latest Intel microcode update is 20171117. It is unclear whether microcode updates are needed and which version contains them. The microcode update does not contain any changelog.
If it will become necessary to update Intel (or AMD) microcode under Windows, before the release of official OS-level patches, this VMware Labs fling – though formally experimental – can serve the purpose, at least temporarily.
Update – Thu 4 Jan 2018, 15:30 UTC
It seems that the new Intel’s microcode archive (2017-12-15) provided with the latest Red Hat’s microcode_ctl update includes three new files: 06-3f-02, 06-4f-01, 06-55-04.
Based on what we know:
- it adds one new CPUID and two MSR for the variant of Spectre that uses indirect branches
- it forces LFENCE to terminate the execution of all previous instructions, thus having the desired effect for the variant of Spectre that uses conditional branches (out-of-bounds-bypass)
Those IDs belong to the following processor microarchitectures: Haswell, Broadwell, Skylake (official reference)
Update – Thu 4 Jan 2018, 16:30 UTC
Regarding AMD’s microcode update: it seems to be only for EPYC (maybe Ryzen, not sure!) and it only adds one of the two MSRs (IA32_PRED_CMD). It uses a different bit than Intel’s in the CPUID. It is also for Spectre with indirect branches. Previous microprocessors resolved it with a chicken bit. Please note that the same solution implemented at kernel level works for both Intel and AMD.
Update – Fri 5 Jan 2018, 03:35 UTC
Debian Project package maintainers released an updated version of the „intel-microcode“ package (version 2017-12-15) for the Sid (unstable) branch olny. Upon inspection, it seems to contain the same microcode additions observed in the Red Hat microcode_ctl update of Thu 4 Jan 2018, 15:30 UTC. The package in compatible with all Debian-based distributions that support post-boot microcode updates.
Some Antiviruses do things that break when installing the Windows patches, therefore Microsoft doesn’t automatically install the patches on those systems.
- Avast: Meltdown and Spectre: Yes, your device is likely vulnerable
- Avira: With our latest product update 188.8.131.52 Avira Antivirus Free, Avira Antivirus Pro and Avira Antivirus Server are compatible with the Microsoft update
- Emsisoft: Chip vulnerabilities and Emsisoft: What you need to know
- eScan: Meltdown and Spectre – CPU Vulnerabilities
- ESET: Meltdown & Spectre: How to protect yourself from these CPU security flaws
- Kaspersky: Compatibility of Kaspersky Lab solutions with the Microsoft Security update of January 9, 2018
- McAfee: Decyphering the Noise Around ‘Meltdown’ and ‘Spectre’ and Meltdown and Spectre – Microsoft update (January 3, 2018) compatibility issue with anti-virus products
- Trend Micro: Important Information for Trend Micro Solutions and Microsoft January 2018 Security Updates (Meltdown and Spectre)
- Sophos: Advisory – Kernel memory issue affecting multiple OS (aka F..CKWIT, KAISER, KPTI, Meltdown & Spectre)
- Symantec: Meltdown and Spectre: Are Symantec Products Affected?
- Webroot: Microsoft Patch Release – Wednesday, January 3, 2018
- SQL Server: SQL Server Guidance to protect against speculative execution side-channel vulnerabilities
- Elastic stack: Elastic Cloud and Meltdown
- Opengear: CVE-2017-5754, CVE-2017-5715, CVE-2017-5753 – Meltdown and Spectre CPU Vulnerabilities
- QNAP: NAS-201801-08 – Security Advisory for Speculative Execution Vulnerabilities in Processors
- Synology: Synology-SA-18:01 Meltdown and Spectre Attacks
- Google’s Retpoline: a software construct for preventing branch-target-injection (technical write-up)
Measuring the performance impact of Meltdown/Spectre
Most certainly, yes.
Probably not. The exploitation does not leave any traces in traditional log files.
While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.
If your system is affected, our proof-of-concept exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.
We don’t know.
There are patches against Meltdown for Linux ( KPTI (formerly KAISER)), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre ( LLVM patch, ARM speculation barrier header).
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether AMD processors are also affected by Meltdown. According to ARM, some of their processors are also affected.
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.
Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied. Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ are affected.
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers ( Meltdown and Spectre)
The vulnerability basically melts security boundaries which are normally enforced by the hardware.
The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.
CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
|Logo||Logo with text||Code illustration|
|Meltdown||PNG / SVG||PNG / SVG||PNG / SVG|
|Spectre||PNG / SVG||PNG / SVG||PNG / SVG|
Yes, there is a GitHub repository containing test code for Meltdown.
Links in the press
This post does a great job of explaining the details about what is needed.