meltdownspectre-patches

Summary of the patch status for Meltdown / Spectre

What?

Meltdown and Spectre are hardware design vulnerabilities in all modern CPUs based on speculative execution. Background infos:

• https://spectreattack.com/ or https://meltdownattack.com/ (both pages serve identical content)
• https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html

The bug is in the hardware, but mitigations in operating systems are possible and are getting shipped now. I'm collecting notes on the patch status in various software products. This will change rapidly and may contain errors. If you have better info please send pull requests.

Linux upstream kernel

Kernel Page Table Isolation is a mitigation in the Linux Kernel, originally named KAISER.

• Version 4.14.11 contains KPTI.
• Version 4.15-rc6 contains KPTI.
• The patches have not been backported to the longterm kernels like 4.9 (state: 4.9.74).

minipli patches

minipli is an unofficial fork of the former grsecurity patches (original grsecurity is no longer publicly available). minipli is based on the longterm kernel 4.9 which does not contain KPTI yet.

• bug report with discussion about backporting KPTI

Android

• Fixed with Android Security Bulletin—January 2018.

Windows

• Microsoft Advisory
• Windows Server Guidance and Windows Client Guidance. Note: both links include a Powershell tool to query the status of Windows mitigations for CVE-2017-5715 (branch target injection) and CVE-2017-5754 (rogue data cache load).

Apple

Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. In the coming days they plan to release mitigations in Safari to help defend against Spectre. They continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.

• Official statement

The security patch released on December 6, 2017 includes Meltdown mitigation also for Sierra and El Capitan

• About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan

Linux distributions

• Red Hat Advisory
• CentOS - CESA-2018:0007 (kernel), CESA-2018:0012 (microcode_ctl), CESA-2018:0014 (linux-firmware)
• Fedora - Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
• Ubuntu (tl;dr - Ubuntu users of the 64-bit x86 architecture (aka, amd64) can expect updated kernels by the original January 9, 2018 coordinated release date, and sooner if possible.):
  • Ubuntu Wiki SecurityTeam KnowledgeBase
  • Ubuntu Insights blog - Ubuntu Updates for the Meltdown / Spectre Vulnerabilities
  • Details about CVE-2017-5753 (variant 1, aka "Spectre")
  • Details about CVE-2017-5715 (variant 2, aka "Spectre")
  • Details about CVE-2017-5754 (variant 3, aka "Meltdown")
• Debian: Fixed in stretch (4.9.65-3+deb9u2, DSA-4078-1)
  • Details about CVE-2017-5753 (variant 1, aka "Spectre")
  • Details about CVE-2017-5715 (variant 2, aka "Spectre")
  • Details about CVE-2017-5754 (variant 3, aka "Meltdown")
• SUSE Advisory
• Scientific Linux:
  • 7 - SLSA-2018:0007-1 (kernel), SLSA-2018:0012-1 (microcode_ctl), SLSA-2018:0014-1 (linux-firmware)
  • 6 - SLSA-2018:0008-1 (kernel), SLSA-2018:0013-1 (microcode_ctl)
• CoreOS Container Linux: a tweet posted by CoreOS' Security Team states that the team is now testing a round of patches developed by the Linux Kernel community to address the Meltdown vulnerabilities and crash issues identified in 4.14.11. The patches being tested are here
• NixOS: According to #33414, KPTI is in nixpkgs since 1e129a3.

FreeBSD

• Statement

Virtualization

• XEN - XSA-254 and Xen Project Spectre/Meltdown FAQ, no patches yet
• QEMU - unofficial patch published here, official blog post, discussion on qemu-devel
• VMware - VMSA-2018-0002 Update 01/04/18: "OS vendors have begun issuing patches that address CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 for their operating systems. For these patches to be fully functional in a guest OS additional ESXi and vCenter Server updates will be required. These updates are being given the highest priority. Please sign up to the Security-Announce mailing list to be alerted when these updates are available."
• Red Hat Enterprise Virtualization - Impacts of CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 to Red Hat Virtualization products
• Citrix XenServer - Citrix XenServer Multiple Security Updates

Browsers

• Mozilla: Mitigations landing for new class of timing attack (blog post), Security Advisory 2018-01, Firefox mitigation update 57.0.4
• Chrome: Actions Required to Mitigate Speculative Side-Channel Attack Techniques
• Microsoft Edge: Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer

Cloud Providers

• Amazon AWS: Processor Speculative Execution Research Disclosure
• Google Cloud: Google’s Mitigations Against CPU Speculative Execution Attack Methods
• Microsoft Azure: Securing Azure customers from CPU vulnerability
• DigitalOcean: A Message About Intel Security Findings
• Scaleway: Emergency security update required on all hypervisors
• Linode: CPU Vulnerabilities: Meltdown & Spectre
• Rackspace: Rackspace is Tracking Vulnerabilities Affecting Processors by Intel, AMD and ARM
• OVH: Meltdown, Spectre bug impacting x86-64 CPU - OVH fully mobilised (en), Vulnérabilités Meltdown/Spectre affectant les CPU x86-64 : OVH pleinement mobilisé (fr)

Chip Manufacturers / HW Vendors

• Intel: INTEL-SA-00088 - Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method, Intel Analysis of Speculative Execution Side Channels (Whitepaper), Intel Issues Updates to Protect Systems from Security Exploits
• AMD: An Update on AMD Processor Security
• ARM: Security Update
• NVIDIA: Security Notice: Speculative Side Channels
• Lenovo: LEN-18282 - Reading Privileged Memory with a Side Channel
• IBM: Central Processor Unit (CPU) Architectural Design Flaws
• Huawei: huawei-sn-20180104-01 - Statement on the Media Disclosure of a Security Vulnerability in the Intel CPU Architecture Design
• F5: K91229003 - Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754
• Cisco CPU Side-Channel Information Disclosure Vulnerabilities
• Fortigate CPU hardware vulnerable to Meltdown and Spectre attacks
• Cumulus Linux Meltdown and Spectre: Modern CPU Vulnerabilities

CERTs

• CERT/CC: Vulnerability Note VU#584653 - CPU hardware vulnerable to side-channel attacks
• US-CERT: TA18-004A - Meltdown and Spectre Side-Channel Vulnerability Guidance
• NCSC-UK: Meltdown and Spectre guidance
• CERT-FR: CERTFR-2018-ALE-001 - Multiples vulnérabilités de fuite d’informations dans des processeurs (french only)
• CERT Nazionale: Moderni processori vulnerabili ad attacchi side-channel (italian only)

CPU microcode

Latest Intel microcode update is 20171117. It is unclear whether microcode updates are needed and which version contains them. The microcode update does not contain any changelog.
If it will become necessary to update Intel (or AMD) microcode under Windows, before the release of official OS-level patches, this VMware Labs fling - though formally experimental - can serve the purpose, at least temporarily.

Update - Thu 4 Jan 2018, 15:30 UTC

It seems that the new Intel’s microcode archive (2017-12-15) provided with the latest Red Hat’s microcode_ctl update includes three new files: 06-3f-02, 06-4f-01, 06-55-04.

Based on what we know:

1. it adds one new CPUID and two MSR for the variant of Spectre that uses indirect branches
2. it forces LFENCE to terminate the execution of all previous instructions, thus having the desired effect for the variant of Spectre that uses conditional branches (out-of-bounds-bypass)

Those IDs belong to the following processor microarchitectures: Haswell, Broadwell, Skylake (official reference)

Update - Thu 4 Jan 2018, 16:30 UTC

Regarding AMD's microcode update: it seems to be only for EPYC (maybe Ryzen, not sure!) and it only adds one of the two MSRs (IA32_PRED_CMD). It uses a different bit than Intel's in the CPUID. It is also for Spectre with indirect branches. Previous microprocessors resolved it with a chicken bit. Please note that the same solution implemented at kernel level works for both Intel and AMD.

Antiviruses

Some Antiviruses do things that break when installing the Windows patches, therefore Microsoft doesn't automatically install the patches on those systems.

Mitigation: Remove Antivirus.

Vendor overview: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true

• Trend Micro: Important Information for Trend Micro Solutions and Microsoft January 2018 Security Updates (Meltdown and Spectre)
• Emsisoft: Chip vulnerabilities and Emsisoft: What you need to know
• Sophos: Advisory - Kernel memory issue affecting multiple OS (aka F..CKWIT, KAISER, KPTI, Meltdown & Spectre)
• Webroot: Microsoft Patch Release - Wednesday, January 3, 2018
• McAfee: Decyphering the Noise Around ‘Meltdown’ and ‘Spectre’ and Meltdown and Spectre – Microsoft update (January 3, 2018) compatibility issue with anti-virus products
• Kaspersky: Compatibility of Kaspersky Lab solutions with the Microsoft Security update of January 9, 2018
• ESET: Meltdown & Spectre: How to protect yourself from these CPU security flaws

RDBMS

• SQL Server: SQL Server Guidance to protect against speculative execution side-channel vulnerabilities

Embedded Devices

• Synology: Synology-SA-18:01 Meltdown and Spectre Attacks
• Opengear: Nothing yet. Support claims an announcement is being prepared but did not provide a timeframe for public release.

Compilers

• Google's Retpoline: a software construct for preventing branch-target-injection (technical write-up)
  • LLVM: An implementation is under review for official merge here
  • GCC: An implementation for GCC is available here