Meltdown and Spectre side-channel attack risk mitigation information from processor, server, and software vendors

Posted by Paul Braren on Jan 10 2018 (updated on Jan 22 2018) in CPU, Microsoft, Windows, ESXi, VMware

    This story continues to develop. Please expect that the information in the article below may be updated at any time, especially these first few days. Consider revisiting and refreshing.

    Disclosure:
    I'm a vSAN Systems Engineer, but this article isn't official VMware documentation. Please refer to articles on vmware.com listed below, and to each of the vendors' sites listed below, for their latest, official information on this issue, since the contents of the excerpts may be changed.

    Disclaimer:
    It's your responsibility to back up first, and to proceed with updates at your own risk, as stated in the detailed disclaimer below every TinkerTry article.


    I'm getting questions lately from my customers wondering about these security vulnerabilities. VMware has this to say about side-channel attacks:

    VMware hypervisors do not require the new speculative-execution control mechanism to achieve this class of mitigation and therefore these types of updates can be installed on any currently supported processor. No significant performance degradation is expected for VMware’s hypervisor-specific mitigations.

    That doesn't mean there aren't patches; please scroll down...

    Table of Contents


    CPU VENDORS

    GPU VENDORS

    SERVER VENDORS

    SOFTWARE VENDORS

    SOFTWARE TOOLS

    BLOGS AND PODCASTS

    Introduction

    Yes, VMware vSphere should also be patched, both VCSA and ESXi, along with your system's BIOS and all your VMs. This one article helps bring together some of the crucial information IT Pros need as they begin to prepare for those risk mitigation actions in their environment. I've brought all the key articles from processor, server, and software vendors together, and added some very helpful blog posts, videos, and podcasts too.

    I make no claims to be an expert on security in general; I've just collected and organized the links, and highlighted some excerpts. While I usually stick to home lab topics here at TinkerTry, this particular set of risks certainly crosses right over, threatening companies of any size.

    This whole issue has been quite the IT story. For me personally, it all started when I noticed this little Jan 01 2018 tweet by Matt Tait @pwnallthethings that predicted this story would be big. Very big. How right he was!


    In a way, all this behind-the-scenes collaboration between so many companies, especially between Intel and various software and hardware companies, has been, dare I say it, reassuring? The idea here was to hopefully head off exploitation of these weaknesses in the wild, which doesn't tend to take long once details are disclosed. This herculean industry-wide effort seems to me to have required an unprecedented level of collaboration and coordination. One can only hope that the industry comes out of this mess stronger than ever, eventually.

    Did you know that the Meltdown vulnerability can be traced all the way back to 1995?

    Unfortunately, folks with older CPUs (Haswell and earlier) are likely to suffer a performance hit after these fixes, but the overall impact should be negligible for client workloads on systems that get BIOS and OS patches. Only time, and testing, will tell.

    This collection of technical articles should help you get up to speed on what you need to do, since a careful look at all elements of your datacenter is warranted. This collection of links is really just a starting point in your personal journey of understanding, before taking action.

    If you're interested in seeing the exact mitigation steps I've taken in my own virtualization home lab, see:

    google-project-zero-spectre-and-meltdown-patch-and-flash-for-vmware-esxi-on-supermicro-xeon-d

    Personally, as of Jan 12 2018, I've already updated my:

    1. Xeon D hypervisor and VCSA appliance, still waiting for BIOS 1.3 to be released, and for time to patch all those VMs, see also William Lam's script.
    2. iPhone X to iOS 11.2.2. Uneventful, and easy.
    3. Dell Precision 5520 (laptop) to BIOS 1.70, with all Windows 10 patching done automatically for VMware employees.

    As of Jan 22 2018, I've now noticed that BIOS 1.70 has been pulled.


    CPU VENDORS


    AMD

    Jan 04 2018

    Date is estimated, based on first Wayback Machine entry.

    • An Update on AMD Processor Security

      Information Security is a Priority at AMD

      There has been recent press coverage regarding a potential security issue related to modern microprocessors and speculative execution. Information security is a priority at AMD, and our security architects follow the technology ecosystem closely for new threats.

      It is important to understand how the speculative execution vulnerability described in the research relates to AMD products, but please keep in mind the following:

      • The research described was performed in a controlled, dedicated lab environment by a highly knowledgeable team with detailed, non-public information about the processors targeted.
      • The described threat has not been seen in the public domain.

      ...


    Arm

    Jan 03 2018

    • Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism

      Based on the recent research findings from Google on the potential new cache timing side-channels exploiting processor speculation, here is the latest information on possible Arm processors impacted and their potential mitigations. We will post any new research findings here as needed.

      Cache timing side-channels are a well-understood concept in the area of security research and therefore not a new finding. However, this side-channel mechanism could enable someone to potentially extract some information that otherwise would not be accessible to software from processors that are performing as designed. This is the issue addressed here and in the Cache Speculation Side-channels whitepaper.
      ...


    Intel

    Jan 03 2018

    Jan 04 2018

    Jan 09 2018

    • Intel Offers Security Issue Update
      at Intel News Byte

      ...
      In early December we began distributing Intel firmware updates to our OEM partners. For Intel CPUs introduced in the past five years, we expect to issue updates for more than 90 percent of them within a week, and the remainder by the end of January. We will continue to issue updates for other products thereafter. We are pleased with this progress, but recognize there is much more work to do to support our customers.
      Press Kit: Security Exploits and Intel Products

      Our goal is to provide our customers with the best possible protection against the exploits while minimizing the performance impact of the updates. We plan to share more extensive information about performance impact when we can, but we also want to provide some initial information today.
      Based on our most recent PC benchmarking, we continue to expect that the performance impact should not be significant for average computer users. This means the typical home and business PC user should not see significant slowdowns in common tasks such as reading email, writing a document or accessing digital photos. Based on our tests on SYSmark 2014 SE, a leading benchmark of PC performance, 8th Generation Core platforms with solid state storage will see a performance impact of 6 percent or less*. (SYSmark is a collection of benchmark tests; individual test results ranged from 2 percent to 14 percent.)

      Ensuring the security of our customers’ data is job one. To help keep our customers’ data safe, we have been focused on the development and testing of the updates. We still have work to do to build a complete picture of the impact on data center systems. However, others in the industry have begun sharing some useful results. As reported last week, several industry partners that offer cloud computing services to other businesses have disclosed results that showed little to no performance impact. Also, Red Hat and Microsoft have both shared performance information.
      ...

    Jan 10 2018

    intel-security-issue-update-initial-performance-data-results-client-systems

    Jan 11 2018

    • Security-First Pledge
      An Open Letter from Brian Krzanich, CEO of Intel Corporation, to Technology Industry Leaders

      Following announcements of the Google Project Zero security exploits last week, Intel has continued to work closely with our partners with the shared goal of restoring confidence in the security of our customers’ data as quickly as possible. As I noted in my CES comments this week, the degree of collaboration across the industry has been remarkable. I am very proud of how our industry has pulled together and want to thank everyone for their extraordinary collaboration. In particular, we want to thank the Google Project Zero team for practicing responsible disclosure, creating the opportunity for the industry to address these new issues in a coordinated fashion.

      As this process unfolds, I want to be clear about Intel’s commitments to our customers. This is our pledge:

      1. Customer-First Urgency: By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.

      2. Transparent and Timely Communications: As we roll out software and firmware patches, we are learning a great deal. We know that impact on performance varies widely, based on the specific workload, platform configuration and mitigation technique. We commit to provide frequent progress reports of patch progress, performance data and other information. These can be found at the Intel.com website.

      3. Ongoing Security Assurance: Our customers’ security is an ongoing priority, not a one-time event. To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats.

      We encourage our industry partners to continue to support these practices. There are important roles for everyone: Timely adoption of software and firmware patches by consumers and system manufacturers is critical. Transparent and timely sharing of performance data by hardware and software developers is essential to rapid progress.

      The bottom line is that continued collaboration will create the fastest and most effective approaches to restoring customer confidence in the security of their data. This is what we all want and are striving to achieve.

      — Brian Krzanich
      ...

    Jan 11 2018

    • Intel Security Issue Update: Addressing Reboot Issues

      By Navin Shenoy

      As Intel CEO Brian Krzanich emphasized in his Security-First Pledge, Intel is committed to transparency in reporting progress in handling the Google Project Zero exploits.

      We have received reports from a few customers of higher system reboots after applying firmware updates. Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center. We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to directly discuss the issue.

      End-users should continue to apply updates recommended by their system and operating system providers.

      More: Security Exploits and Intel Products (Press Kit) | Security Research Findings (Intel.com)

      Navin Shenoy is executive vice president and general manager of the Data Center Group at Intel Corporation.
      ...

    Jan 17 2018

    • Firmware Updates and Initial Performance Data for Data Center Systems

      By Navin Shenoy

      Over the past several days, Intel has made further progress to address the exploits known as “Spectre” and “Meltdown.” We are continuing to support our customers through this process and we remain focused on doing so. As we continue these efforts, I would like to express my appreciation to many of our partners, including Dell, HPE, HPI, Lenovo and Microsoft, for joining our Security-First Pledge.
      More: Security Exploits and Intel Products (Press Kit) | Security Research Findings (Intel.com)

      I’ll be covering two topics in this blog post: our progress in rolling out firmware updates for the exploits, as well as addressing the reboot issue I discussed last week; and initial data from the benchmarking we are doing on data center platforms.
      We have now issued firmware updates for 90 percent of Intel CPUs introduced in the past five years, but we have more work to do. As I noted in my blog post last week, while the firmware updates are effective at mitigating exposure to the security issues, customers have reported more frequent reboots on firmware updated systems.

      As part of this, we have determined that similar behavior occurs on other products in some configurations, including Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms. We have reproduced these issues internally and are making progress toward identifying the root cause. In parallel, we will be providing beta microcode to vendors for validation by next week.
      ...


    Jan 22 2018

    root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners

    GPU VENDORS


    AMD GPU Drivers

    Jan 04 2018

    Date is estimated, based on first Wayback Machine entry.

    • An Update on AMD Processor Security

      There have also been questions about GPU architectures. AMD Radeon GPU architectures do not use speculative execution and thus are not susceptible to these threats.
      ...


    NVIDIA GPU Drivers

    Jan 10 2018


    Date estimated based on Google search.

    • Security Bulletin: NVIDIA Driver Security Updates for CPU Speculative Side Channel Vulnerabilities

      Answer ID 4611 Updated 01/16/2018 11:14 AM
      NVIDIA DRIVER RESPONSE TO CPU SPECULATIVE SIDE CHANNEL VULNERABILITIES - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754
      Bulletin Summary
      NVIDIA is providing an initial security update to mitigate aspects of Google Project Zero’s January 3, 2018 publication of novel information disclosure attacks that combine CPU speculative execution with known side channels.

      NVIDIA's core business is GPU computing.

      We believe our GPU hardware is immune to the reported security issue. As for our driver software, we are providing updates to help mitigate the CPU security issue.

      ...


    SERVER VENDORS


    Dell EMC

    Jan 03 2018

    To learn more about upcoming VxRail patches, use the link from the article below, but note that a Dell EMC log in is required to view it.

    support-for-meltdown-and-spectre

    Jan 03 2018

    • Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)

      CVE ID: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

      Dell EMC is aware of the new side-channel analysis vulnerabilities (also known as Meltdown and Spectre) affecting many modern microprocessors that were discovered and published by a team of security researchers on January 3, 2018. We encourage customers to review the Security Advisories in the References section for more information.

      Dell EMC is investigating this issue to identify any potential impact to products and will update this article with information as it becomes available, including impacted products and remediation steps.

      There are two essential components that need to be applied to mitigate the above mentioned vulnerabilities:
      • System BIOS as per Tables below
      • Operating System & Hypervisor updates.
      ...
      ...

    Notice that the BIOS updates for popular systems like 14G R740 and R740xd became available on Jan 08 2018, and are listed in the detailed article above.


    IBM

    Jan 04 2018

    • We’re taking action to secure our cloud against recent security vulnerabilities
      by Jay Jubran, Director, IBM Cloud Platform, Compute Offering Management

      We’ve been working closely with our vendors concerning the security vulnerability announced on January 3, 2018. This vulnerability has the potential to allow those with malicious intent to gather sensitive data from computing devices. Intel believes these exploits do not have the potential to corrupt, modify, or delete data.

      We will be applying patches to our VSI cloud hosts worldwide starting January 5, 2018 through January 8, 2018 to mitigate the risk to our virtual server clients. Due to the nature of this vulnerability and the affected components, we are not able to mitigate this potential vulnerability via hot patching; cloud host reboots are required. While we do not expect any problems with the reboots, all customers should create a backup of all data from their virtual server instances.

      In addition to providing an overall schedule to clients with active virtual servers, we’ll also use maintenance tickets to notify customers when their VSIs are scheduled to be rebooted. These maintenance tickets will identify the scheduled VSIs and provide the date and time of the cloud host reboot. Clients also can expect to receive a two-hour reminder update before the maintenance event, a ticket update with the start of maintenance, and a final ticket update once the maintenance is complete.

      Firmware updates and operating system updates will be required for our bare metal offerings. Please watch for these updates and instructions as they become available in the client control portal. We will push these notifications as soon as we receive updates from the relevant vendors.

      In addition to the cloud infrastructure mitigations above, our engineers will apply similar patches to the platform compute offerings from the IBM Container Service, IBM Cloud Foundry platform, and IBM Cloud Functions, after the necessary vendor updates are available and tested.

      We will update this blog post as more information is available.
      ...

    Jan 04 2018

    Jan 09 2018

    • Potential Impact on Processors in the POWER family

      On Wednesday, January 3, researchers from Google announced a security vulnerability impacting microprocessors, including processors in the IBM POWER family.

      This vulnerability doesn’t allow an external unauthorized party to gain access to a machine, but it could allow a party that has access to the system to access unauthorized data.
      ...


    HPE

    Jan 09 2018

    Side_Channel_Analysis_Method

    Version 4.0 : Last Updated: January 9th, 2018

    This website is updated frequently, as new product information becomes available.

    On January 3 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigation and resolution of these vulnerabilities may call for both an operating system update, provided by the OS vendor, and a system ROM update from HPE. Intel has provided a high level statement here: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

    Note: Intel has informed HPE that Itanium is not impacted by these vulnerabilities.
    ...


    Lenovo

    Jan 04 2018

    len-18282

    Supermicro

    Jan 05 2018

    Date is estimated, and based on this page.

    security_Intel-SA-00088-700

    Note that Supermicro hasn't yet updated their ESXi 6.0 entries on the VMware Hardware Compatibility Guide to 6.5; check all vendors' Xeon D entries here. Please feel free to contact Supermicro directly to register your request, stating that you would like ESXi 6.5 and ESXi 6.5U1 to appear on the VMware Hardware Compatibility Guide. While Xeon D SuperServers work great with ESXi 6.5, just like they did with 6.0, it would be best to have official support for this latest release.


    SOFTWARE VENDORS


    Apple

    Jan 08 2018

    • About the security content of iOS 11.2.2

      ...
      iOS 11.2.2
      Released January 8, 2018

      Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

      Description: iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

      We would like to acknowledge Jann Horn of Google Project Zero; and Paul Kocher in collaboration with Daniel Genkin of University of Pennsylvania and University of Maryland, Daniel Gruss of Graz University of Technology, Werner Haas of Cyberus Technology, Mike Hamburg of Rambus (Cryptography Research Division), Moritz Lipp of Graz University of Technology, Stefan Mangard of Graz University of Technology, Thomas Prescher of Cyberus Technology, Michael Schwarz of Graz University of Technology, and Yuval Yarom of University of Adelaide and Data61 for their assistance.
      ...

    Jan 09 2018

    • About speculative execution vulnerabilities in ARM-based and Intel CPUs

      Update: Apple has released updates for iOS, macOS High Sierra, and Safari on Sierra and El Capitan to help defend against Spectre. Apple Watch is unaffected by both Meltdown and Spectre.

      Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.

      Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. To help defend against Spectre, Apple has released mitigations in iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan. Apple Watch is not affected by either Meltdown or Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, and tvOS.
      ...


    EPIC Games

    Jan 05 2018

    • Epic Services & Stability Update

      Attention Fortnite community,

      We wanted to provide a bit more context for the most recent login issues and service instability. All of our cloud services are affected by updates required to mitigate the Meltdown vulnerability. We heavily rely on cloud services to run our back-end and we may experience further service issues due to ongoing updates.

      Here is a link to an article which describes the issue in depth.

      The following chart shows the significant impact on CPU usage of one of our back-end services after a host was patched to address the Meltdown vulnerability.


      ...


    Google

    Jan 03 2018

    • Project Zero

      Reading privileged memory with a side-channel
      Posted by Jann Horn, Project Zero

      We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.

      Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01 [1].

      So far, there are three known variants of the issue:

      Variant 1: bounds check bypass (CVE-2017-5753)
      Variant 2: branch target injection (CVE-2017-5715)
      Variant 3: rogue data cache load (CVE-2017-5754)
      ...


    Microsoft

    Jan 09 2018

    • Protect your Windows devices against Spectre and Meltdown

      ...
      Summary
      Microsoft is aware of new vulnerabilities in hardware processors named “Spectre” and “Meltdown”. These are a newly discovered class of vulnerabilities based on a common chip architecture that, when originally designed, was created to speed up computers. The technical name is “speculative execution side-channel vulnerabilities”. You can learn more about these vulnerabilities at Google Project Zero.

      Who is affected?
      Affected chips include those manufactured by Intel, AMD, and ARM, which means all devices running Windows operating systems are potentially vulnerable (e.g., desktops, laptops, cloud servers, and smartphones). Devices running other operating systems such as Android, Chrome, iOS, and MacOS are also affected. We advise customers running these operating systems to seek guidance from those vendors.

      At this time of publication, we have not received any information to indicate that these vulnerabilities have been used to attack customers.
      ...

    Jan 09 2018

    • Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

      TERRY MYERSON
      Executive Vice President, Windows and Devices Group
      in Security Development, Security Strategies, Industry Trends
      Last week the technology industry and many of our customers learned of new vulnerabilities in the hardware chips that power phones, PCs and servers. We (and others in the industry) had learned of this vulnerability under nondisclosure agreement several months ago and immediately began developing engineering mitigations and updating our cloud infrastructure. In this blog, I’ll describe the discovered vulnerabilities as clearly as I can, discuss what customers can do to help keep themselves safe, and share what we’ve learned so far about performance impacts.

      What Are the New Vulnerabilities?
      On Wednesday, Jan. 3, security researchers publicly detailed three potential vulnerabilities named “Meltdown” and “Spectre.” Several blogs have tried to explain these vulnerabilities further — a clear description can be found via Stratechery.
      ...


    Nutanix

    Jan 07 2018


    Red Hat

    Jan 03 2018

    • Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

      Red Hat has been made aware of multiple microarchitectural (hardware) implementation issues affecting many modern microprocessors, requiring updates to the Linux kernel, virtualization-related components, and/or in combination with a microcode update. An unprivileged attacker can use these flaws to bypass conventional memory security restrictions in order to gain read access to privileged memory that would otherwise be inaccessible. There are 3 known CVEs related to this issue in combination with Intel, AMD, and ARM architectures. Additional exploits for other architectures are also known to exist. These include IBM System Z, POWER8 (Big Endian and Little Endian), and POWER9 (Little Endian).
      ...


    SUSE

    Jan 10 2018

    • Security Vulnerability: "Meltdown" and "Spectre" side channel attacks against modern CPUs.

      This document (7022512) is provided subject to the disclaimer at the end of this document.

      Environment
      Based on research from various groups and individuals, Google's security team has identified a family of side channel attacks against modern CPUs that can be used by attackers to read memory content of otherwise inaccessible memory.

      To help mitigating this hardware implementation related flaw on the software layer, SUSE as an operating system vendor is preparing mitigations for these side channel attacks in the Linux kernel.
      ...
      Mitigation is done with help of Linux Kernel fixes on the Intel/AMD x86_64 and IBM Z architectures. On x86_64, this requires also updates of the CPU microcode packages, delivered in separate updates.

      SUSE has shipped microcode updates for Intel and AMD processors that supply control of the "indirect branch speculation" feature, please also check your CPU and hardware vendors firmware / BIOS download pages for updates.

      For IBM Power and IBM Z the required firmware updates are supplied over regular channels by IBM.
      ...


    VMware

    Jan 03 2018


    Hypervisor-Specific Remediation

    • VMSA-2018-0002
      VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

      at VMware Security Advisories

      ...

      1. Summary
        VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

      2. Relevant Products
        VMware vSphere ESXi (ESXi)
        VMware Workstation Pro / Player (Workstation)
        VMware Fusion Pro / Fusion (Fusion)

      3. Problem Description
        Bounds-Check bypass and Branch Target Injection issues

      CPU data cache timing can be abused to efficiently leak information out of mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. (Speculative execution is an automatic and inherent CPU performance optimization used in all modern processors.) ESXi, Workstation and Fusion are vulnerable to Bounds Check Bypass and Branch Target Injection issues resulting from this vulnerability.

      Result of exploitation may allow for information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host. The remediation listed in the table below is for the known variants of the Bounds Check Bypass and Branch Target Injection issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-5753 (Bounds Check bypass) and CVE-2017-5715 (Branch Target Injection) to these issues.
      ...

    Jan 09 2018


    Hypervisor-Assisted Guest Remediation

    • VMSA-2018-0004
      VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue

      Jan 09 2018 at VMware Security Advisories

      ...
      1. Summary
      VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue.

      Notes:

      Hypervisor remediation can be classified into the two following categories:

      • Hypervisor-Specific Remediation (documented in VMSA-2018-0002)
      • Hypervisor-Assisted Guest Remediation (documented in this advisory)

      2. Relevant Products
      VMware vCenter Server (VC)
      VMware vSphere ESXi (ESXi)
      VMware Workstation Pro / Player (Workstation)
      VMware Fusion Pro / Fusion (Fusion)

      3. Problem Description
      New speculative-execution control mechanism for Virtual Machines

      Updates of vCenter Server, ESXi, Workstation and Fusion virtualize the new speculative-execution control mechanism for Virtual Machines (VMs). As a result, a patched Guest Operating System (Guest OS) can remediate the Branch Target Injection issue (CVE-2017-5715). This issue may allow for information disclosure between processes within the VM.
      ...

    Jan 09 2018

    Date estimated, based on last update.

    • VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52245)

      Document Id
      52245
      Purpose
      The purpose of this article is to describe the issues related to speculative execution in modern-day processors as they apply to VMware and then highlight VMware’s response.

      For VMware, the mitigations fall into 3 different categories:

      • Hypervisor-Specific Mitigation
      • Hypervisor-Assisted Guest Mitigation
      • Operating System-Specific Mitigations

      Additionally, VMware is mitigating these issues in its services.

      This Knowledge Base article will be updated as new information becomes available.
      ...
      VMware hypervisors do not require the new speculative-execution control mechanism to achieve this class of mitigation and therefore these types of updates can be installed on any currently supported processor. No significant performance degradation is expected for VMware’s hypervisor-specific mitigations.
      ...

    Jan 11 2018

    Date estimated, based on last update.

    52312-fade

    Jan 11 2018

    Date estimated, based on last update.

    • Hypervisor-Assisted Guest Mitigation for branch target injection (52085)

      Document Id
      52085
      Purpose
      This article provides instructions for enabling Hypervisor-Assisted Guest Mitigation for the branch target injection issue identified in CVE-2017-5715.

      For background information, see VMware Response to Speculative Execution security issues (52245).

      Recent microcode updates by Intel and AMD provide hardware support for branch target injection mitigation. In order to use this new hardware feature within virtual machines, Hypervisor-Assisted Guest Mitigation must be enabled.

      See VMware Security Advisory VMSA-2018-0004 for the VMware provided patches related to this KB
      ...
      For each virtual machine, enable Hypervisor-Assisted Guest mitigation via the following steps:

      1. Apply all security patches for your Guest OS which are available from the OS vendor.
      2. Ensure that your VMs are using Virtual Hardware Version 9 or higher. Upgrading a virtual machine to the latest hardware version (multiple versions) (1010675) discusses Hardware Versions.
        • Virtual Hardware Version 9 is the minimum requirement for Hypervisor-Assisted Guest Mitigation for branch target injection (CVE-2017-5715).
        • For best performance, Virtual Hardware Version 11 or higher is recommended. Virtual Hardware Version 11 enables PCID/INVPCID. These features may reduce the performance impact of CVE-2017-5754 mitigations on CPUs that support those features.
      3. Power cycle the Virtual Machine (cold boot).
      ...
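
    The KB 52085 steps above, turned into a per-VM check. This is an added example, not code from VMware or from this article's author; the inventory records and their field names are constructed, and treating a power-on earlier than the host patch time as not yet satisfying the cold-boot step is an assumption.

```python
import re
from datetime import datetime

MIN_HW = 9           # KB 52085: minimum for Hypervisor-Assisted Guest Mitigation
RECOMMENDED_HW = 11  # KB 52085: version 11 enables PCID/INVPCID

# Constructed sample data: host patch time and a VM inventory export.
# Field names are assumptions, not a VMware export format.
HOST_PATCHED_AT = datetime.fromisoformat("2018-01-10T09:00:00")
INVENTORY = [
    {"name": "web01", "hw_version": "vmx-13", "guest_os_patched": True,
     "last_power_on": "2018-01-12T07:30:00"},
    {"name": "db01", "hw_version": "vmx-10", "guest_os_patched": True,
     "last_power_on": "2018-01-11T22:00:00"},
    {"name": "app02", "hw_version": "vmx-11", "guest_os_patched": True,
     "last_power_on": "2017-12-20T03:15:00"},  # only in-guest reboots since
    {"name": "legacy01", "hw_version": "vmx-08", "guest_os_patched": False,
     "last_power_on": "2017-11-02T10:00:00"},
]


def hw_number(version):
    """Parse 'vmx-09', 'vmx-11' or a bare '11' into an integer."""
    match = re.fullmatch(r"(?:vmx-)?(\d+)", version.strip().lower())
    if match is None:
        raise ValueError(f"unrecognised hardware version: {version!r}")
    return int(match.group(1))


def audit_vm(vm, host_patched_at):
    """Return the outstanding KB 52085 steps for one VM record."""
    required, recommended = [], []

    # Step 1: guest OS patches from the OS vendor.
    if not vm["guest_os_patched"]:
        required.append("apply guest OS security patches")

    # Step 2: virtual hardware version 9 minimum, 11 recommended.
    hw = hw_number(vm["hw_version"])
    if hw < MIN_HW:
        required.append(f"upgrade virtual hardware from {hw} to {MIN_HW} or higher")
    elif hw < RECOMMENDED_HW:
        recommended.append(f"upgrade virtual hardware from {hw} to "
                           f"{RECOMMENDED_HW} or higher for PCID/INVPCID")

    # Step 3: cold boot. An in-guest reboot does not move last_power_on,
    # so a power-on older than the host patch means the step is still open.
    # A pending hardware upgrade also implies another power cycle.
    powered_on = datetime.fromisoformat(vm["last_power_on"])
    if hw < MIN_HW or powered_on <= host_patched_at:
        required.append("power cycle the VM (cold boot)")

    return {"ready": not required, "required": required,
            "recommended": recommended}


def audit_inventory(inventory, host_patched_at):
    """Audit every VM record and key the results by VM name."""
    return {vm["name"]: audit_vm(vm, host_patched_at) for vm in inventory}


if __name__ == "__main__":
    for name, result in audit_inventory(INVENTORY, HOST_PATCHED_AT).items():
        state = "ready" if result["ready"] else "NOT ready"
        print(f"{name}: {state}")
        for item in result["required"]:
            print(f"  required:    {item}")
        for item in result["recommended"]:
            print(f"  recommended: {item}")
```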

    Jan 12 2018

    Date estimated, based on last update. Find the "Subscribe to Article" link at the top-right of this article to be alerted when this article is updated.

    • VMware Performance Impact for CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52337)

      Document Id
      52337
      Purpose
      VMware is aware of the CPU vulnerabilities that may result in side-channel analysis due to speculative execution, which impacts, amongst other products, VMware vSphere ESXi. Ensuring customer security is our top priority.

      VMware has released updates and patches which mitigate known variants of the speculative execution vulnerabilities identified by CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown). As is our practice, VMware will continue to assess any further security risks, and will continue to provide updates and patches as appropriate.

      Customers have inquired if there may be a performance cost associated with either the VMware mitigations, or mitigations of the guest operating systems as released from the OS providers. This knowledge base article will be used as the centralized document for which performance data relating to the speculative execution mitigations is published.
      Resolution
      The VMware performance team is currently evaluating the performance costs of the Meltdown/Spectre mitigations for vSphere. We plan to test with a wide variety of workloads using both unpatched and patched guest operating systems to provide a comprehensive view of the performance characteristics when running on vSphere. We will be updating this KB with our data as results become available.

      Please sign up to be alerted when this KB is updated with new information.
      ...

    Jan 13 2018

    Initial publication date estimated, based on last update seen on Jan 13 2018. You can find the "Subscribe to Article" link at the top-right of this article to be alerted when updates occur, such as the significant update apparently made on Jan 14 2018:

    Xeon D is of particular interest to TinkerTry readers.
    • Intel Sightings in ESXi Bundled Microcode Patches for VMSA-2018-0004 (52345)

      Document Id
      52345
      Purpose
      Although VMware strongly recommends that customers obtain microcode patches through their hardware vendor, as an aid to customers, VMware also included the initial microcode patches in ESXi650-201801402-BG, ESXi600-201801402-BG, and ESXi550-201801401-BG. Intel has notified VMware of recent sightings that may affect some of the initial microcode patches that provide the speculative execution control mechanism for a number of Intel Haswell and Broadwell processors. The issue can occur when the speculative execution control is actually used within a virtual machine by a patched OS. At this point, it has been recommended that VMware remove exposure of the speculative-execution mechanism to virtual machines on ESXi hosts using the affected Intel processors until Intel provides new microcode at a later date. *

      Resolution
      For ESXi hosts that have not yet applied one of the following patches ESXi650-201801402-BG, ESXi600-201801402-BG, or ESXi550-201801401-BG, VMware recommends not doing so at this time. It is recommended to apply the patches listed in VMSA-2018-0002 instead.

      Resolution
      Note: All the patches associated with VMSA-2018-0004 have been pulled back from the online and offline portal.
      ...
      (This change to the "Resolution" paragraph was apparently made on Jan 14 2018, detailed below.)

    Jan 18 2018

    *Above article updated, date of this update is estimated, the first paragraph now ends like this:


    SOFTWARE TOOLS


    Gibson Research Corporation InSpectre

    Jan 08 2018

    See GRC (Gibson Research Corporation) InSpectre.

    Microsoft SpeculationControl

    Jan 04 2018

    See Microsoft SpeculationControl.

    Microsoft Speculation Control Validation PowerShell Script

    Jan 10 2018

    Date estimated, based on Google search.
    See Microsoft Speculation Control Validation PowerShell Script.

    VMware PowerCLI

    Jan 14 2018

    See William Lam's VerifyESXiMicrocode.ps1 PowerCLI script.


    BLOGS AND PODCASTS


    Aaron Buley

    Jan 05 2018

    949162622607216641
    Aaron's video features this tweet.

    Aaron Buley
    Published on Jan 11, 2018
    Further Reading Material:
    https://www.kb.cert.org/vuls/id/584653
    https://googleprojectzero.blogspot.co...
    https://meltdownattack.com/ or https://spectreattack.com/ (same)
    How to Enable Site Isolation - https://support.google.com/chrome/ans...
    https://www.engadget.com/2018/01/11/i...

    https://twitter.com/aaronbuley

    Meltdown and Spectre - Simplified

    Cloudflare

    Jan 08 2018

    by John Graham-Cumming

    • An Explanation of the Meltdown/Spectre Bugs for a Non-Technical Audience

      Last week the news of two significant computer bugs was announced. They've been dubbed Meltdown and Spectre. These bugs take advantage of very technical systems that modern CPUs have implemented to make computers extremely fast. Even highly technical people can find it difficult to wrap their heads around how these bugs work. But, using some analogies, it's possible to understand exactly what's going on with these bugs. If you've found yourself puzzled by exactly what's going on with these bugs, read on — this blog is for you.
      ...


    Cyber Frontiers

    Jan 09 2018

    • Meltdown and Spectre: A Tear at the Foundation of Computer Security – CF042

      This week on Cyber Frontiers we jump into full coverage of the 6-day old public disclosures of the meltdown and spectre vulnerabilities. With some issues mitigated, the news is a gravitational force that has dominated cybersecurity early into 2018 and could continue to engage industry for years to come. We discuss the short and long term security implications and performance debacles, and provide technical and non-technical explanations for the two classes of vulnerabilities disclosed. We review the mitigations users can start employing now, and discuss impacts for the average guy and the enterprise.

      Cyber Frontiers is all about Exploring Cyber security, Big Data, and the Technologies Shaping the Future! Christian Johnson will bring fresh and relevant topics to the show based on the current work he does.

      Support the Average Guy: https://www.patreon.com/theaverageguy

      WANT TO SUBSCRIBE? We now have Video Large / Small and Video iTunes options at http://theAverageGuy.tv/subscribe

      You can contact us via email at jim@theaverageguy.tv

      Full show notes and video at http://theAverageGuy.tv/cf042
      ...


    Notes from MWhite

    Jan 05 2018

    • Meltdown and Spectre – what you need to know!
      by Michael White

      Hi all,

      I was going to mention this topic in my newsletter this weekend. But things got sort of crazy and now there is so much info it is confusing out there so I thought I would treat this as a separate subject rather than as part of my newsletter.

      Here is an article by one of the top security thinkers – good info! Here is some good technical detail as well.
      ...


    spectreattack

    Jan 03 2018

    • Meltdown and Spectre
      Vulnerabilities in modern computers leak passwords and sensitive data.

      Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

      Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
      ...


    Security Now

    Jan 03 2018

    Queued to the right spot in the discussion.
    • Security Now 645 The Speculation Meltdown

      This week, before we focus upon the industry-wide catastrophe enabled by precisely timing the instructed execution of all contemporary high-performance processor architectures.
      ...

    Optionally, you can jump ahead to just the right spot where Steve really dives into this at length, streamed right to your browser complete with playback speed controls. See also the detailed transcript-like shownotes.

    See also the mentioned Speculation Control Validation PowerShell Script.

    Jan 17 2018

    Queued to the right spot, where InSpectre is discussed.
    • Security Now 646 The InSpectre

      This week we discuss more trouble with Intel’s AMT, what does Skype’s use of Signal really mean, the UK’s data protection legislation gives researchers a bit of relief, the continuing winding down of HTTP, “progress” on the development of Meltdown attacks, Google successfully tackles the hardest-to-fix Spectre concern with a Return Trampoline, some closing the loop feedback with our terrific listeners, and the evolving landscape of Meltdown and Spectre, including Steve’s just completed “InSpectre” test & explanation utility.
      ...

    Optionally, you can jump ahead to just the right spot, where Steve dives in and explains InSpectre. See also the detailed transcript-like shownotes, where Steve mentions the VMware Fling called VMware CPU Microcode Update Driver.

    InSpectre

    Read about InSpectre on Steve's reputable-for-decades Gibson Research Corporation website, filed under Security

    InSpectre Download

    It's FreeWare that is portable, so it doesn't require an install. Just run it on Windows, on a Windows VM, or on a Mac (via Wine):

    The shownotes describe "The InSpectre" in detail.
    Here are my results, run on a Windows 10 Build 1709 VM, running under ESXi 6.5 Update 1 Build 7388607 from Dec 18 2017, running on my Supermicro SuperServer SYS-5028D-TN4T Xeon D-1567 system with BIOS 1.2c. Supermicro's remediation will be BIOS 1.3, which hasn't been released yet.
    Here are my results, run on Windows 10 Build 1709, running on my Supermicro SuperServer SYS-5028D-TN4T Xeon D-1541 system with BIOS 1.2c. Supermicro's remediation will be BIOS 1.3, which hasn't been released yet.

    STH

    Jan 07 2018

    • Red Hat Outlines Meltdown and Spectre Patch Performance Impacts
      by Cliff Robinson

      Red Hat has been heavily involved in the Meltdown and Spectre patch efforts. It also has its initial patches ready well before the originally planned disclosure date of January 9, 2018. Red Hat is also in the unique position that it has the most robust set of open source OS enterprise customers. Those same customers are clamoring for information regarding the performance impacts of the Meltdown and Spectre series of patches.
      ...


    VIRTUABYTES

    Jan 05 2018

    • Spectre Vulnerability – How to Patch VMware ESXi
      by VIRTUADMIN

      Yesterday, news broke about vulnerabilities affecting AMD, Intel, and ARM CPUs. These vulnerabilities, termed Meltdown and Spectre, have the potential to expose information that the machine(s) process. Check out this post for an in-depth look. At this point, it appears that VMware is not vulnerable to Meltdown; however, they have released patches for Spectre. It has been speculated that patching the flaws will cause performance hits. To what degree varies by reporting source. As always, test patches before deployment and contact support if you have any questions.
      ...


    vInfrastructure Blog

    Jan 07 2018

    • Meltdown and Spectre: Microsoft products
      by Andrea Mauro

      Meltdown and Spectre are critical vulnerabilities existing in several modern CPUs: these hardware bugs allow programs to steal data which is currently processed on the computer. Meltdown and Spectre can affect personal computers, mobile devices, servers and several cloud services.
      ...


    VirtuallyAware

    Jan 09 2018

    Hyper-V and Spectre/Meltdown: Protecting Your Hosts – Do This!
    by Robert McShinsky

    There is a lot of information swirling around out there on what to do with the latest Spectre/Meltdown vulnerabilities. Whereas I can’t tell you how to solve the vulnerabilities for every Hardware and Operating System combination, I can tell you how to get your Hyper-V environments protected.
    ...


    virtuallyGhetto

    Jan 14 2018

    • Automating Intel Sighting remediation using PowerCLI (SSH not required)

    In case you may not be aware, Intel recently notified VMware that certain Intel Broadwell and Haswell CPUs are affected by Intel Sighting after applying the latest microcode update to remediate against the Spectre vulnerability. VMware has published the following KB 52345 which provides more details on the affected Intel CPUs along with the recommended workaround in case you have already applied the latest ESXi patches containing the faulty microcode. I highly recommend you carefully read over the KB before proceeding further, even if you have not applied the ESXi patches.

    With this updated news, I have also updated my existing Spectre verification script ...


    Wired

    Jan 07 2018

    • Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw At the Same Time
      by Andy Greenberg

      ON A COLD Sunday early last month in the small Austrian city of Graz, three young researchers sat down in front of the computers in their homes and tried to break their most fundamental security protections.

      Two days earlier, in their lab at Graz's University of Technology, Moritz Lipp, Daniel Gruss, and Michael Schwarz had determined to tease out an idea that had nagged at them for weeks, a loose thread in the safeguards underpinning how processors defend the most sensitive memory of billions of computers.
      ...


    Jan 11 2018 Update

    More emphasis is brought to VMware's KB 52245 which pulls together all relevant VMware statements about Meltdown and Spectre, and has had 22,272 views already.

    Several important new articles released last night and today, added above.


    Jan 12 2018 Update

    Added my own server, phone, and laptop patch stories to the introductory section above.


    Jan 14 2018 Update

    Back on Jan 13 2018, KB52345 stated:

    Resolution
    For ESXi hosts that have not yet applied one of the following patches ESXi650-201801402-BG, ESXi600-201801402-BG, or ESXi550-201801401-BG, VMware recommends not doing so at this time. It is recommended to apply the patches listed in VMSA-2018-0002 instead.

    but this wording has apparently been removed.

    Update!
    Special thanks to Thomas Rottig, who wrote in today to let me know that the update had apparently been pulled:

    ...just thought you might want to investigate/update your post - this update is currently not available... deployed fine yesterday

    The reason it has been pulled from VMware's update server is explained in KB52345, where the Resolution paragraph above has been replaced with the new one below:

    Resolution
    Note: All the patches associated with VMSA-2018-0004 have been pulled back from the online and offline portal.

    Thomas also provided me with this account of success on one host yesterday, then of the error he noticed on another host today:

    esxcli software profile get
    (Updated) ESXi-6.5.0-20180104001-standard
    Name: (Updated) ESXi-6.5.0-20180104001-standard
    Vendor: VMware, Inc.
    Creation Time: 2018-01-13T16:13:43
    Modification Time: 2018-01-13T16:13:43
    Stateless Ready: True
    Description:
    
    build_url="hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml";esxcli software profile update --depot $build_url --profile ESXi-6.5.0-20180104001-standard
    [NoMatchError]
    No image profile found with name 'ESXi-6.5.0-20180104001-standard'
    id = ESXi-6.5.0-20180104001-standard
    Please refer to the log file for more details.

    Updates to the above article made accordingly, and all related articles.


    Jan 22 2018 Update

    Updated Intel, VMware, and Dell sections above, see also closely related tweet:

    955600223769907200

    See also at TinkerTry

    google-project-zero-spectre-and-meltdown-patch-and-flash-for-vmware-esxi-on-supermicro-xeon-d

    metool