Meltdown and Spectre side-channel attack risk mitigation information from processor, server, and software vendors
This story continues to develop. Consider revisiting and refreshing.
Disclosure:
I'm a vSAN Systems Engineer, but this article isn't official VMware documentation. Please refer to articles on vmware.com listed below, and to each of the vendors' sites listed below, for their latest, official information on this issue, since the contents of the excerpts may be changed.
Disclaimer:
It's your responsibility to back up first, and to proceed with updates at your own risk, as stated in the detailed disclaimer below every TinkerTry article.
I'm getting questions lately from my customers wondering about these security vulnerabilities. VMware has this to say about side-channel attacks:
VMware hypervisors do not require the new speculative-execution control mechanism to achieve this class of mitigation and therefore these types of updates can be installed on any currently supported processor. No significant performance degradation is expected for VMware’s hypervisor-specific mitigations.
That doesn't mean there aren't patches; please scroll down...
Table of Contents
- Gibson Research Corporation InSpectre
- Microsoft Speculation Control
- Microsoft Speculation Control Validation PowerShell Script
- VMware
- (William Lam) VerifyESXiMicrocode.ps1 PowerCLI Script
- Aaron Buley
- Cloudflare
- Cyber Frontiers
- Notes from MWhite
- PC Perspective
- Security Now
- STH
- spectreattack.com
- Storage Unpacked
- TECHSPOT
- The Next Platform
- TinkerTry
- VIRTUALBYTES
- vInfrastructure Blog
- virtuallyGhetto
- Wired
- Yellow Bricks
Introduction
Yes, VMware vSphere should also be patched, both VCSA and ESXi, along with your system's BIOS, and all your VMs. This one article helps bring together some of the crucial information IT Pros need as they begin to prepare for those risk mitigation actions in their environment. I've brought all the key articles from processor, server, and software vendors together, and added some very helpful blog posts, videos, and podcasts too.
I make no claims to be an expert on security in general; I've just collected and organized the links, and highlighted some excerpts. While I usually stick to home lab topics here at TinkerTry, this particular set of risks certainly crosses right over, threatening companies of any size.
This whole issue has been quite the IT story. For me personally, it all started when I noticed this little Jan 01 2018 tweet by Matt Tait @pwnallthethings that predicted this story would be big. Very big. How right he was!
In a way, all this behind-the-scenes collaboration between so many companies, especially between Intel and various software and hardware companies, has been, dare I say it, reassuring? The idea here was to hopefully head off exploitation of these weaknesses in the wild, which doesn't tend to take long once details are disclosed. This herculean industry-wide effort seems to me to have required an unprecedented level of collaboration and coordination. One can only hope that the industry comes out of this mess stronger than ever, eventually.
Did you know that the Meltdown vulnerability can be traced all the way back to 1995?
Unfortunately, folks with older CPUs (Haswell and earlier) are likely to suffer a performance hit after these fixes, but the overall impact should be negligible for client workloads on systems that get BIOS and OS patches. Only time, and testing, will tell.
This collection of technical articles should help you get up to speed on what you need to do, since a careful look at all elements of your datacenter is warranted. This collection of links is really just a starting point in your personal journey of understanding, before taking action.
If you're interested in seeing the exact mitigation steps I've taken in my own virtualization home lab, see:
Personally, as of Jan 12 2018, I've already updated my:
- Xeon D hypervisor and VCSA appliance, still waiting for BIOS 1.3 to be released, and for time to patch all those VMs, see also William Lam's script.
- iPhone X to iOS 11.2.2. Uneventful, and easy.
- Dell Precision 5520 (laptop) to BIOS 1.70, with all Windows 10 patching done automatically for VMware employees.
As of Jan 22 2018, I've now noticed that BIOS 1.70 has been pulled.
CPU VENDORS
AMD
Jan 04 2018
Date is estimated, based on first Wayback Machine entry.
- An Update on AMD Processor Security
Information Security is a Priority at AMD
There has been recent press coverage regarding a potential security issue related to modern microprocessors and speculative execution. Information security is a priority at AMD, and our security architects follow the technology ecosystem closely for new threats.
It is important to understand how the speculative execution vulnerability described in the research relates to AMD products, but please keep in mind the following:
- The research described was performed in a controlled, dedicated lab environment by a highly knowledgeable team with detailed, non-public information about the processors targeted.
- The described threat has not been seen in the public domain.
Mar 21 2018
- Initial AMD Technical Assessment of CTS Labs Research
The security issues identified by the third-party researchers are not related to the AMD “Zen” CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018. Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
As described in more detail below, AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations. It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings
...
Arm
Jan 03 2018
- Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism
Based on the recent research findings from Google on the potential new cache timing side-channels exploiting processor speculation, here is the latest information on possible Arm processors impacted and their potential mitigations. We will post any new research findings here as needed.
Cache timing side-channels are a well-understood concept in the area of security research and therefore not a new finding. However, this side-channel mechanism could enable someone to potentially extract some information that otherwise would not be accessible to software from processors that are performing as designed. This is the issue addressed here and in the Cache Speculation Side-channels whitepaper.
...
Intel
Jan 03 2018
- Facts About the New Security Research Findings and Intel® Products
This article has been updated throughout January, and now includes a section entitled "Useful Resources About the Issue" that indexes the various resources available from a wide variety of vendors, similar to this article's objective.
Jan 04 2018
Jan 09 2018
- Intel Offers Security Issue Update
at Intel News Byte...
In early December we began distributing Intel firmware updates to our OEM partners. For Intel CPUs introduced in the past five years, we expect to issue updates for more than 90 percent of them within a week, and the remainder by the end of January. We will continue to issue updates for other products thereafter. We are pleased with this progress, but recognize there is much more work to do to support our customers.
Press Kit: Security Exploits and Intel Products
Our goal is to provide our customers with the best possible protection against the exploits while minimizing the performance impact of the updates. We plan to share more extensive information about performance impact when we can, but we also want to provide some initial information today.
Based on our most recent PC benchmarking, we continue to expect that the performance impact should not be significant for average computer users. This means the typical home and business PC user should not see significant slowdowns in common tasks such as reading email, writing a document or accessing digital photos. Based on our tests on SYSmark 2014 SE, a leading benchmark of PC performance, 8th Generation Core platforms with solid state storage will see a performance impact of 6 percent or less*. (SYSmark is a collection of benchmark tests; individual test results ranged from 2 percent to 14 percent.)
Ensuring the security of our customers’ data is job one. To help keep our customers’ data safe, we have been focused on the development and testing of the updates. We still have work to do to build a complete picture of the impact on data center systems. However, others in the industry have begun sharing some useful results. As reported last week, several industry partners that offer cloud computing services to other businesses have disclosed results that showed little to no performance impact. Also, Red Hat and Microsoft have both shared performance information.
...
Jan 10 2018
- Intel Security Issue Update: Initial Performance Data Results for Client Systems
Testing Intel Core Processor Platforms and a Variety of Workloads
by Navin Shenoy at Intel Newsroom
Jan. 10 Performance Data Results
Today we are sharing data on several 6th, 7th and 8th Generation Intel® Core™ processor platforms using Windows* 10. We previously said that we expected our performance impact should not be significant for average computer users, and the data we are sharing today support that expectation on these platforms.
More: Security Exploits and Intel Products (Press Kit) | Security Research Findings (Intel.com)
We shared some initial assessments of performance impact yesterday. We now have additional data on some of our client platforms, and we are sharing that with you today. This is part of our ongoing effort to keep you apprised through frequent updates. We plan to share initial data on some of our server platforms in the next few days. Please know we are working around the clock to generate the data that you want to see as fast as possible. As we endeavor to continue our pace, please understand that – as is common in testing of this type – our results may change as we conduct additional testing.
...
Jan 11 2018
- Security-First Pledge
An Open Letter from Brian Krzanich, CEO of Intel Corporation, to Technology Industry Leaders
Following announcements of the Google Project Zero security exploits last week, Intel has continued to work closely with our partners with the shared goal of restoring confidence in the security of our customers’ data as quickly as possible. As I noted in my CES comments this week, the degree of collaboration across the industry has been remarkable. I am very proud of how our industry has pulled together and want to thank everyone for their extraordinary collaboration. In particular, we want to thank the Google Project Zero team for practicing responsible disclosure, creating the opportunity for the industry to address these new issues in a coordinated fashion.
As this process unfolds, I want to be clear about Intel’s commitments to our customers. This is our pledge:
- Customer-First Urgency: By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.
- Transparent and Timely Communications: As we roll out software and firmware patches, we are learning a great deal. We know that impact on performance varies widely, based on the specific workload, platform configuration and mitigation technique. We commit to provide frequent progress reports of patch progress, performance data and other information. These can be found at the Intel.com website.
- Ongoing Security Assurance: Our customers’ security is an ongoing priority, not a one-time event. To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats.
We encourage our industry partners to continue to support these practices. There are important roles for everyone: Timely adoption of software and firmware patches by consumers and system manufacturers is critical. Transparent and timely sharing of performance data by hardware and software developers is essential to rapid progress.
The bottom line is that continued collaboration will create the fastest and most effective approaches to restoring customer confidence in the security of their data. This is what we all want and are striving to achieve.
— Brian Krzanich
...
Jan 11 2018
- Intel Security Issue Update: Addressing Reboot Issues
By Navin Shenoy
As Intel CEO Brian Krzanich emphasized in his Security-First Pledge, Intel is committed to transparency in reporting progress in handling the Google Project Zero exploits.
We have received reports from a few customers of higher system reboots after applying firmware updates. Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center. We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to directly discuss the issue.
End-users should continue to apply updates recommended by their system and operating system providers.
More: Security Exploits and Intel Products (Press Kit) | Security Research Findings (Intel.com)
Navin Shenoy is executive vice president and general manager of the Data Center Group at Intel Corporation.
...
Jan 17 2018
- Firmware Updates and Initial Performance Data for Data Center Systems
By Navin Shenoy
Over the past several days, Intel has made further progress to address the exploits known as “Spectre” and “Meltdown.” We are continuing to support our customers through this process and we remain focused on doing so. As we continue these efforts, I would like to express my appreciation to many of our partners, including Dell, HPE, HPI, Lenovo and Microsoft, for joining our Security-First Pledge.
More: Security Exploits and Intel Products (Press Kit) | Security Research Findings (Intel.com)
I’ll be covering two topics in this blog post: our progress in rolling out firmware updates for the exploits, as well as addressing the reboot issue I discussed last week; and initial data from the benchmarking we are doing on data center platforms.
We have now issued firmware updates for 90 percent of Intel CPUs introduced in the past five years, but we have more work to do. As I noted in my blog post last week, while the firmware updates are effective at mitigating exposure to the security issues, customers have reported more frequent reboots on firmware updated systems. As part of this, we have determined that similar behavior occurs on other products in some configurations, including Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms. We have reproduced these issues internally and are making progress toward identifying the root cause. In parallel, we will be providing beta microcode to vendors for validation by next week.
...
Jan 22 2018
- Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners
By Navin Shenoy
As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.
Feb 07 2018
- Security Issue Update: Progress Continues on Firmware Updates
By Navin Shenoy
...
Earlier this week, we released production microcode updates for several Skylake-based platforms to our OEM customers and industry partners, and we expect to do the same for more platforms in the coming days. We also continue to release beta microcode updates so that customers and partners have the opportunity to conduct extensive testing before we move them into production.
Ultimately, these updates will be made available in most cases through OEM firmware updates. I can’t emphasize enough how critical it is for everyone to always keep their systems up-to-date. Research tells us there is frequently a substantial lag between when people receive updates and when they actually implement them. In today’s environment, that must change. According to the Department of Homeland Security’s cyber-emergency unit, US-CERT, as many as 85 percent of all targeted attacks can be prevented with – among other things – regular system updates.
...
Mar 15 2018
- Advancing Security at the Silicon Level
Hardware-based Protection Coming to Data Center and PC Products Later this Year
By Brian Krzanich, CEO
...
Today, I want to provide several updates that show continued progress to fulfill that pledge. First, we have now released microcode updates for 100 percent of Intel products launched in the past five years that require protection against the side-channel method vulnerabilities discovered by Google. As part of this, I want to recognize and express my appreciation to all of the industry partners who worked closely with us to develop and test these updates, and make sure they were ready for production.
...
GPU VENDORS
AMD GPU Drivers
Jan 04 2018
Date is estimated, based on first Wayback Machine entry.
- An Update on AMD Processor Security
There have also been questions about GPU architectures. AMD Radeon GPU architectures do not use speculative execution and thus are not susceptible to these threats.
...
NVIDIA GPU Drivers
Jan 10 2018
Date estimated based on Google search.
- Security Bulletin: NVIDIA Driver Security Updates for CPU Speculative Side Channel Vulnerabilities
Answer ID 4611 Updated 01/16/2018 11:14 AM
NVIDIA DRIVER RESPONSE TO CPU SPECULATIVE SIDE CHANNEL VULNERABILITIES - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754
Bulletin Summary
NVIDIA is providing an initial security update to mitigate aspects of Google Project Zero’s January 3, 2018 publication of novel information disclosure attacks that combine CPU speculative execution with known side channels.
NVIDIA's core business is GPU computing.
We believe our GPU hardware is immune to the reported security issue. As for our driver software, we are providing updates to help mitigate the CPU security issue.
SERVER VENDORS
Dell EMC
Jan 03 2018
To learn more about upcoming VxRail patches, use the link from the article below, but note that a Dell EMC log in is required to view it.
- Meltdown and Spectre Vulnerabilities
...
As Intel reported in their FAQ, researchers demonstrated a proof of concept. That said, Dell is not aware of any exploits to date.
...
Patch guidance
There are essential components that need to be applied to mitigate the above mentioned vulnerabilities:
- Apply the firmware update via BIOS update.
- Apply the applicable operating system (OS) patch.
- Apply hypervisor patches, browser and JavaScript engines updates where applicable.
For more information on affected platforms and next steps to apply the updates, please refer to the following resources. They will be updated regularly as new information becomes available. Dell is testing all firmware updates before deploying them to ensure minimal impact to customers.
- Dell PCs and Thin Client
- Dell EMC Server, Dell Storage and Networking products
- Dell EMC Storage, Data Protection and Converged Platforms (log in required to access the content)
- RSA products (log in required to access the content)
- Dell EMC Converged Platforms (vBlock) (log in required to access the content)
- VMware products (log in required to access the content)
- Pivotal products
...
Jan 03 2018
- Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)
CVE ID: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
Dell EMC is aware of the new side-channel analysis vulnerabilities (also known as Meltdown and Spectre) affecting many modern microprocessors that were discovered and published by a team of security researchers on January 3, 2018. We encourage customers to review the Security Advisories in the References section for more information.
Dell EMC is investigating this issue to identify any potential impact to products and will update this article with information as it becomes available, including impacted products and remediation steps.
There are two essential components that need to be applied to mitigate the above mentioned vulnerabilities:
- System BIOS as per Tables below
- Operating System & Hypervisor updates.
...
Notice that the BIOS updates for popular systems like 14G R740 and R740xd became available on Jan 08 2018, and are listed in the detailed article above.
IBM
Jan 04 2018
- We’re taking action to secure our cloud against recent security vulnerabilities
by Jay Jubran, Director, IBM Cloud Platform, Compute Offering Management
We’ve been working closely with our vendors concerning the security vulnerability announced on January 3, 2018. This vulnerability has the potential to allow those with malicious intent to gather sensitive data from computing devices. Intel believes these exploits do not have the potential to corrupt, modify, or delete data.
We will be applying patches to our VSI cloud hosts worldwide starting January 5, 2018 through January 8, 2018 to mitigate the risk to our virtual server clients. Due to the nature of this vulnerability and the affected components, we are not able to mitigate this potential vulnerability via hot patching; cloud host reboots are required. While we do not expect any problems with the reboots, all customers should create a backup of all data from their virtual server instances.
In addition to providing an overall schedule to clients with active virtual servers, we’ll also use maintenance tickets to notify customers when their VSIs are scheduled to be rebooted. These maintenance tickets will identify the scheduled VSIs and provide the date and time of the cloud host reboot. Clients also can expect to receive a two-hour reminder update before the maintenance event, a ticket update with the start of maintenance, and a final ticket update once the maintenance is complete.
Firmware updates and operating system updates will be required for our bare metal offerings. Please watch for these updates and instructions as they become available in the client control portal. We will push these notifications as soon as we receive updates from the relevant vendors.
In addition to the cloud infrastructure mitigations above, our engineers will apply similar patches to the platform compute offerings from the IBM Container Service, IBM Cloud Foundry platform, and IBM Cloud Functions, after the necessary vendor updates are available and tested.
We will update this blog post as more information is available.
...
Jan 04 2018
- Potential CPU Security Issue
IBM Storage appliances are not impacted by this vulnerability.
...
Jan 09 2018
- Potential Impact on Processors in the POWER family
On Wednesday, January 3, researchers from Google announced a security vulnerability impacting microprocessors, including processors in the IBM POWER family.
This vulnerability doesn’t allow an external unauthorized party to gain access to a machine, but it could allow a party that has access to the system to access unauthorized data.
...
HPE
Jan 09 2018
Version 4.0 : Last Updated: January 9th, 2018
This website is updated frequently, as new product information becomes available.
On January 3 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigation and resolution of these vulnerabilities may call for both an operating system update, provided by the OS vendor, and a system ROM update from HPE. Intel has provided a high level statement here: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
Note: Intel has informed HPE that Itanium is not impacted by these vulnerabilities.
...
Lenovo
Jan 04 2018
- Reading Privileged Memory with a Side Channel
...
Lenovo is aware of vulnerabilities regarding certain processors nicknamed “Spectre” and “Meltdown” by their discoverers. Both are “side channel” exploits, meaning they do not access protected data directly, but rather induce the processor to operate in a specific way, and observe execution timing or other externally visible characteristics to infer the protected data. We continue to work with our processor and operating system suppliers to incorporate fixes as we receive them. Lenovo will update this page frequently as fixes are released and new information emerges. Please check back often
...
Product Impact:
Please click for more info.
CLIENT SYSTEMS
Desktop
Desktop - All In One
IdeaPad
Tablet
ThinkPad
ThinkStation
ENTERPRISE SYSTEMS
Converged and ThinkAgile Solutions
Hyperscale
Networking Switches
Server Management Software
Storage
System x - IBM
System x - Lenovo
ThinkServer
ThinkSystem
Other Information and References:
- Intel: https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
- Google Security Blog: https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
- Google Project Zero research: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
- Google Product Status: https://support.google.com/faqs/answer/7622138
- Original research: https://meltdownattack.com/ or https://spectreattack.com/
- Microsoft: https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe
Advisories and Patch Guidance:
- Intel: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
- AMD: http://www.amd.com/en/corporate/speculative-execution
- ARM: https://developer.arm.com/support/security-update
- Cert/CC: https://www.kb.cert.org/vuls/id/584653
- Chromium: https://www.chromium.org/Home/chromium-security/ssca
- Citrix: https://support.citrix.com/article/CTX231390
- Google: https://support.google.com/faqs/answer/7622138#chrome
- Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
- Microsoft Knowledge Base: https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056890
- Microsoft (Client): https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe
- Microsoft (Server): https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
- Microsoft (AntiVirus): https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
- Mozilla: https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
- Nutanix (pdf): http://info.nutanix.com/m0005p00w098CO7EV0V0GQ0
- NVIDIA: http://nvidia.custhelp.com/app/answers/detail/a_id/4611
- Red Hat: https://access.redhat.com/security/vulnerabilities/speculativeexecution
- SUSE: https://www.suse.com/support/kb/doc/?id=7022512
- Symantec: https://support.symantec.com/en_US/article.INFO4793.html
- Ubuntu: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
- US-CERT: https://www.us-cert.gov/ncas/alerts/TA18-004A
- VMware: https://www.vmware.com/security/advisories/VMSA-2018-0002.html
- Xen: https://xenbits.xen.org/xsa/advisory-254.html
...
Supermicro
Jan 05 2018
Date is estimated, and based on this page.
- Security Vulnerabilities Regarding Side Channel Speculative Execution and Indirect Branch Prediction Information Disclosure (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
Details regarding a previously undisclosed microprocessor vulnerability that could impact Supermicro systems has been announced and requires a microcode update of the system BIOS along with an operating system update. Commonly referred to as Meltdown and Spectre the vulnerability involves malicious code utilizing a new method of side-channel analysis and running locally on a normally operating platform has the potential to allow the inference of data values from memory.
We are working around the clock to integrate, test and release the updates as soon as they are made available. To address the issue systems will need both an Operating System update and a BIOS update. Please check with operating system or VM vendors for related information.
RESOURCES:
Note that Supermicro hasn't yet updated their ESXi 6.0 entries on the VMware Hardware Compatibility Guide to 6.5; check all vendors' Xeon D entries here. Please feel free to contact Supermicro directly, to register your request, stating that you would like for ESXi 6.5 and ESXi 6.5U1 to appear on the VMware Hardware Compatibility Guide. While Xeon D SuperServers work great with ESXi 6.5 just like they did with 6.0, it would be best to have official support for this latest release.
Mar 15 2018
This VMware HCG issue has recently been resolved, see Supermicro SuperServer Xeon D-1500 Bundle mini-tower and 1U rack mount are finally on the VMware Compatibility Guide for ESXi 6.5U1.
Also today, Intel announced:
First, we have now released microcode updates for 100 percent of Intel products launched in the past five years that require protection against the side-channel method vulnerabilities discovered by Google.
Mar 22 2018
For Supermicro SuperServer owners using Xeon D-1500 (X10SDV), it will take some time, weeks perhaps, for BIOS testing at Supermicro to be completed based on these latest patches from Intel. For now, the latest BIOS for X10SDV systems is still BIOS 1.2c on the various systems BIOS download pages, with the anticipated BIOS v 1.3 not appearing anywhere quite yet.
SOFTWARE VENDORS
Apple
Jan 08 2018
- About the security content of iOS 11.2.2
...
iOS 11.2.2
Released January 8, 2018
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Description: iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).
We would like to acknowledge Jann Horn of Google Project Zero; and Paul Kocher in collaboration with Daniel Genkin of University of Pennsylvania and University of Maryland, Daniel Gruss of Graz University of Technology, Werner Haas of Cyberus Technology, Mike Hamburg of Rambus (Cryptography Research Division), Moritz Lipp of Graz University of Technology, Stefan Mangard of Graz University of Technology, Thomas Prescher of Cyberus Technology, Michael Schwarz of Graz University of Technology, and Yuval Yarom of University of Adelaide and Data61 for their assistance.
...
Jan 09 2018
- About speculative execution vulnerabilities in ARM-based and Intel CPUs
Update: Apple has released updates for iOS, macOS High Sierra, and Safari on Sierra and El Capitan to help defend against Spectre. Apple Watch is unaffected by both Meltdown and Spectre.
Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.
Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. To help defend against Spectre, Apple has released mitigations in iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan. Apple Watch is not affected by either Meltdown or Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, and tvOS.
...
EPIC Games
Jan 05 2018
- Epic Services & Stability Update
Attention Fortnite community,
We wanted to provide a bit more context for the most recent login issues and service instability. All of our cloud services are affected by updates required to mitigate the Meltdown vulnerability. We heavily rely on cloud services to run our back-end and we may experience further service issues due to ongoing updates.
Here is a link to an article which describes the issue in depth.
The following chart shows the significant impact on CPU usage of one of our back-end services after a host was patched to address the Meltdown vulnerability.
Jan 03 2018
- Project Zero
Reading privileged memory with a side-channel
Posted by Jann Horn, Project Zero
We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.
Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01 [1].
So far, there are three known variants of the issue:
Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)
...
Microsoft
Jan 09 2018
- Protect your Windows devices against Spectre and Meltdown
...
Summary
Microsoft is aware of new vulnerabilities in hardware processors named “Spectre” and “Meltdown”. These are a newly discovered class of vulnerabilities based on a common chip architecture that, when originally designed, was created to speed up computers. The technical name is “speculative execution side-channel vulnerabilities”. You can learn more about these vulnerabilities at Google Project Zero.
Who is affected?
Affected chips include those manufactured by Intel, AMD, and ARM, which means all devices running Windows operating systems are potentially vulnerable (e.g., desktops, laptops, cloud servers, and smartphones). Devices running other operating systems such as Android, Chrome, iOS, and MacOS are also affected. We advise customers running these operating systems to seek guidance from those vendors.
At this time of publication, we have not received any information to indicate that these vulnerabilities have been used to attack customers.
...
Jan 09 2018
- Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems
TERRY MYERSON
Executive Vice President, Windows and Devices Group
in Security Development, Security Strategies, Industry Trends
Last week the technology industry and many of our customers learned of new vulnerabilities in the hardware chips that power phones, PCs and servers. We (and others in the industry) had learned of this vulnerability under nondisclosure agreement several months ago and immediately began developing engineering mitigations and updating our cloud infrastructure. In this blog, I’ll describe the discovered vulnerabilities as clearly as I can, discuss what customers can do to help keep themselves safe, and share what we’ve learned so far about performance impacts.
What Are the New Vulnerabilities?
On Wednesday, Jan. 3, security researchers publicly detailed three potential vulnerabilities named “Meltdown” and “Spectre.” Several blogs have tried to explain these vulnerabilities further — a clear description can be found via Stratechery.
...
Nutanix
Jan 07 2018
- Nutanix Support Portal
Login required, see also Andrea Mauro's blog post Meltdown and Spectre: Nutanix products.
Red Hat
Jan 03 2018
- Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
Red Hat has been made aware of multiple microarchitectural (hardware) implementation issues affecting many modern microprocessors, requiring updates to the Linux kernel, virtualization-related components, and/or in combination with a microcode update. An unprivileged attacker can use these flaws to bypass conventional memory security restrictions in order to gain read access to privileged memory that would otherwise be inaccessible. There are 3 known CVEs related to this issue in combination with Intel, AMD, and ARM architectures. Additional exploits for other architectures are also known to exist. These include IBM System Z, POWER8 (Big Endian and Little Endian), and POWER9 (Little Endian).
...
SUSE
Jan 10 2018
- Security Vulnerability: "Meltdown" and "Spectre" side channel attacks against modern CPUs.
This document (7022512) is provided subject to the disclaimer at the end of this document.
Environment
Based on research from various groups and individuals, Google's security team has identified a family of side channel attacks against modern CPUs that can be used by attackers to read memory content of otherwise inaccessible memory.
To help mitigate this hardware implementation related flaw on the software layer, SUSE as an operating system vendor is preparing mitigations for these side channel attacks in the Linux kernel.
...
Mitigation is done with help of Linux Kernel fixes on the Intel/AMD x86_64 and IBM Z architectures. On x86_64, this requires also updates of the CPU microcode packages, delivered in separate updates.
SUSE has shipped microcode updates for Intel and AMD processors that supply control of the "indirect branch speculation" feature, please also check your CPU and hardware vendors firmware / BIOS download pages for updates.
For IBM Power and IBM Z the required firmware updates are supplied over regular channels by IBM.
...
VMware
Jan 03 2018
Hypervisor-Specific Remediation
- VMSA-2018-0002
VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.
at VMware Security Advisories...
- Summary
VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.
- Relevant Products
VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
- Problem Description
Bounds-Check bypass and Branch Target Injection issues
CPU data cache timing can be abused to efficiently leak information out of mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. (Speculative execution is an automatic and inherent CPU performance optimization used in all modern processors.) ESXi, Workstation and Fusion are vulnerable to Bounds Check Bypass and Branch Target Injection issues resulting from this vulnerability.
Result of exploitation may allow for information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host. The remediation listed in the table below is for the known variants of the Bounds Check Bypass and Branch Target Injection issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-5753 (Bounds Check bypass) and CVE-2017-5715 (Branch Target Injection) to these issues.
...
If you are interested in updating your VCSA or ESXi to new versions released on Mar 20 2018, see also:
- How to easily update your VMware vCenter Server Appliance from 6.5.x to 6.5 Update 1g (VCSA 6.5 U1g) for hypervisor-assisted guest mitigation of CVE-2017-5715
- How to easily update your VMware Hypervisor from 6.x to 6.5 Update 1 Patch Release ESXi650-201803001 (ESXi Build 7967591) for hypervisor-assisted guest mitigation for branch target injection
Jan 09 2018
Hypervisor-Assisted Guest Remediation
- VMSA-2018-0004
VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue
Jan 09 2018 at VMware Security Advisories...
1. Summary
VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue.
Notes:
Hypervisor remediation can be classified into the two following categories:
- Hypervisor-Specific Remediation (documented in VMSA-2018-0002)
- Hypervisor-Assisted Guest Remediation (documented in this advisory)
2. Relevant Products
VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
3. Problem Description
New speculative-execution control mechanism for Virtual Machines
Updates of vCenter Server, ESXi, Workstation and Fusion virtualize the new speculative-execution control mechanism for Virtual Machines (VMs). As a result, a patched Guest Operating System (Guest OS) can remediate the Branch Target Injection issue (CVE-2017-5715). This issue may allow for information disclosure between processes within the VM.
...
Jan 09 2018
Date estimated, based on last update.
- VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52245)
Document Id
52245
Purpose
The purpose of this article is to describe the issues related to speculative execution in modern-day processors as they apply to VMware and then highlight VMware’s response.
For VMware, the mitigations fall into 3 different categories:
• Hypervisor-Specific Mitigation
• Hypervisor-Assisted Guest Mitigation
• Operating System-Specific Mitigations
Additionally, VMware is mitigating these issues in its services.
This Knowledge Base article will be updated as new information becomes available.
...
VMware hypervisors do not require the new speculative-execution control mechanism to achieve this class of mitigation and therefore these types of updates can be installed on any currently supported processor. No significant performance degradation is expected for VMware’s hypervisor-specific mitigations.
...
Jan 11 2018
Date estimated, based on last update.
- vCenter Server Appliance (and PSC) 6.5 / 6.0 Workaround for CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52312)
Document Id
52312
Purpose
CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) have been determined to affect vCenter Server Appliance 6.5 & 6.0. This vulnerability and its effect on VMware appliances is documented in VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52245). Review this before continuing as there may be considerations outside the scope of this article. This document focuses on the Operating System-Specific Mitigations discussed in VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52245).
The vCenter Server Appliance team has investigated CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 and determined that the known attack vectors for this vulnerability can be removed by performing the steps detailed in either workaround in this article. This workaround is meant to be a temporary solution only and permanent fixes will be released as soon as they are available.
Warning
This workaround is applicable ONLY to vCenter Server Appliance (and PSC) 6.0 & 6.5. Do not apply this workaround to other VMware products.
...
Jan 11 2018
Date estimated, based on last update.
- Hypervisor-Assisted Guest Mitigation for branch target injection (52085)
Document Id
52085
Purpose
This article provides instructions for enabling Hypervisor-Assisted Guest Mitigation for the branch target injection issue identified in CVE-2017-5715.
For background information, see VMware Response to Speculative Execution security issues (52245).
Recent microcode updates by Intel and AMD provide hardware support for branch target injection mitigation. In order to use this new hardware feature within virtual machines, Hypervisor-Assisted Guest Mitigation must be enabled.
See VMware Security Advisory VMSA-2018-0004 for the VMware provided patches related to this KB
...
For each virtual machine, enable Hypervisor-Assisted Guest mitigation via the following steps:
1. Apply all security patches for your Guest OS which are available from the OS vendor.
2. Ensure that your VMs are using Virtual Hardware Version 9 or higher. Upgrading a virtual machine to the latest hardware version (multiple versions) (1010675) discusses Hardware Versions.
   - Virtual Hardware Version 9 is minimum requirement for Hypervisor-Assisted Guest Mitigation for branch target injection (CVE-2017-5715).
   - For best performance, Virtual Hardware Version 11 or higher is recommended. Virtual Hardware Version 11 enables PCID/INVPCID. These features may reduce the performance impact of CVE-2017-5754 mitigations on CPUs that support those features.
3. Power cycle the Virtual Machine (cold boot).
...
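One way to check the per-VM hardware-version prerequisite from the KB 52085 steps above before enabling the mitigation, as an added example (not VMware's code and not from this article): it reads the `virtualHW.version` key out of .vmx text and grades it against the minimum of 9 and the recommended 11. The VM names and .vmx snippets are constructed, and the status labels and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_HW = 9           # KB 52085: minimum virtual hardware version for the mitigation
RECOMMENDED_HW = 11  # KB 52085: version 11 or higher enables PCID/INVPCID

# A .vmx file is a list of  key = "value"  lines; lines starting with '#' are comments.
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')
# Report order used by audit(): worst first (labels are this example's own).
_SEVERITY = {"below-minimum": 0, "unknown": 1, "below-recommended": 2, "ok": 3}


@dataclass
class Finding:
    vm: str
    hw_version: Optional[int]
    status: str  # one of the _SEVERITY keys
    action: str


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx text into a dict; keys are lower-cased (a tolerance choice of this example)."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _VMX_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def hardware_version(settings: Dict[str, str]) -> Optional[int]:
    """Return virtualHW.version as an int, or None if absent or not a plain number."""
    raw = settings.get("virtualhw.version", "").strip()
    return int(raw) if re.fullmatch(r"[0-9]+", raw) else None


def assess(vm: str, vmx_text: str) -> Finding:
    """Grade one VM against the hardware-version requirements quoted from KB 52085."""
    version = hardware_version(parse_vmx(vmx_text))
    if version is None:
        return Finding(vm, None, "unknown",
                       "virtualHW.version missing or unreadable; inspect the VM by hand")
    if version < MIN_HW:
        return Finding(vm, version, "below-minimum",
                       "upgrade virtual hardware to version 9 or higher, then cold boot")
    if version < RECOMMENDED_HW:
        return Finding(vm, version, "below-recommended",
                       "meets the minimum; version 11 or higher adds PCID/INVPCID; cold boot")
    return Finding(vm, version, "ok",
                   "patch the guest OS, then power cycle (cold boot)")


def audit(inventory: Dict[str, str]) -> List[Finding]:
    """Assess every VM and return findings with the most urgent first."""
    findings = [assess(vm, text) for vm, text in inventory.items()]
    return sorted(findings, key=lambda f: (_SEVERITY[f.status], f.vm))


# Constructed sample inventory: VM name -> .vmx text. Note that config.version
# is a different key from virtualHW.version and must not be mistaken for it.
SAMPLE_INVENTORY = {
    "db01": 'config.version = "8"\nvirtualhw.version = "13"\n',
    "web01": '.encoding = "UTF-8"\nconfig.version = "8"\nvirtualHW.version = "10"\n',
    "legacy-app01": '# constructed sample\nconfig.version = "8"\nvirtualHW.version = "8"\n',
    "broken01": 'displayName = "broken01"\n',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        shown = "?" if finding.hw_version is None else finding.hw_version
        print(f"{finding.vm:14} hw={shown!s:3} {finding.status:18} {finding.action}")
```

The hardware version is the only step this can read from a .vmx file; guest OS patch level and whether the VM has been cold booted since patching still have to be confirmed separately.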
Jan 12 2018
Date estimated, based on last update. Find the "Subscribe to Article" link at the top-right of this article to be alerted when this article is updated.
- VMware Performance Impact for CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52337)
Document Id
52337
Purpose
VMware is aware of the CPU vulnerabilities that may result in side-channel analysis due to speculative execution, which impacts, amongst other products, VMware vSphere ESXi. Ensuring customer security is our top priority.
VMware has released updates and patches which mitigate known variants of the speculative execution vulnerabilities identified by CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown). As is our practice, VMware will continue to assess any further security risks, and will continue to provide updates and patches as appropriate.
Customers have inquired if there may be a performance cost associated with either the VMware mitigations, or mitigations of the guest operating systems as released from the OS providers. This knowledge base article will be used as the centralized document for which performance data relating to the speculative execution mitigations is published.
Resolution
The VMware performance team is currently evaluating the performance costs of the Meltdown/Spectre mitigations for vSphere. We plan to test with a wide variety of workloads using both unpatched and patched guest operating systems to provide a comprehensive view of the performance characteristics when running on vSphere. We will be updating this KB with our data as results become available.
Please sign up to be alerted when this KB is updated with new information.
...
Jan 13 2018
Initial publication date estimated, based on last update seen on Jan 13 2018. You can find the "Subscribe to Article" link at the top-right of this article to be alerted when updates occur, such as the significant update apparently made on Jan 14 2018:
- Intel Sightings in ESXi Bundled Microcode Patches for VMSA-2018-0004 (52345)
Document Id
52345
Purpose
Although VMware strongly recommends that customers obtain microcode patches through their hardware vendor, as an aid to customers, VMware also included the initial microcode patches in ESXi650-201801402-BG, ESXi600-201801402-BG, and ESXi550-201801401-BG. Intel has notified VMware of recent sightings that may affect some of the initial microcode patches that provide the speculative execution control mechanism for a number of Intel Haswell and Broadwell processors. The issue can occur when the speculative execution control is actually used within a virtual machine by a patched OS.
At this point, it has been recommended that VMware remove exposure of the speculative-execution mechanism to virtual machines on ESXi hosts using the affected Intel processors until Intel provides new microcode at a later date.*
Resolution
For ESXi hosts that have not yet applied one of the following patches ESXi650-201801402-BG, ESXi600-201801402-BG, or ESXi550-201801401-BG, VMware recommends not doing so at this time. It is recommended to apply the patches listed in VMSA-2018-0002 instead.
Resolution
Note: All the patches associated with VMSA-2018-0004 have been pulled back from the online and offline portal.
...
(This change to the "Resolution" paragraph was apparently made on Jan 14 2018, detailed below.)
Jan 18 2018
* Above article updated, date of this update is estimated, the new wording looks like this:
- Intel Sightings in ESXi Bundled Microcode Patches for VMSA-2018-0004 (52345)
...
As a result, VMware is delaying new releases of microcode updates while it works with Intel to resolve microcode patch issues as quickly as possible.
...
Note: ESXi patches associated with VMSA-2018-0004 have been pulled down from the online and offline portal.
...
For ESXi hosts that have not yet applied one of the following patches ESXi650-201801402-BG, ESXi600-201801402-BG, or ESXi550-201801401-BG, VMware recommends not doing so. It is recommended to apply the patches listed in VMSA-2018-0002 instead.
When you read VMSA-2018-0002 aka VMSA-2018-0002.3, you'll see it recommends ESXi 6.5 users patch with ESXi650-201712101-SG, found at https://my.vmware.com/group/vmware/patch, with this documentation. This ESXi650-201712101-SG is included in the ESXi650-201712001 patch I wrote about here.
Feb 15 2018
- VMware vCenter Server Appliance Photon OS Security Patches
...
vCenter Server Appliance Photon OS Patches
This document tracks the release of the monthly patches to the Photon Operating System bundled in the VMware vCenter Server Appliance.
You can download the deliverables from the VMware Patch Download Center.
IMPORTANT: vCenter Server Appliance 6.5 builds have been removed as of November 14, 2017 due to a deployment-impacting issue. This issue does not impact Windows installed vCenter Servers. To resolve this issue, you must upgrade to vCenter Server Appliance 6.5 Update 1c or later. For more information, see KB 51124.
...
- VMware Virtual Appliance updates address side-channel analysis due to speculative execution
VMSA-2018-0007.1
1. Summary
VMware Virtual Appliance updates address side-channel analysis due to speculative execution
In order to clarify the mitigations provided in specific releases CVE-2017-5753 (Spectre-1), and CVE-2017-5754 (Meltdown) have been separated from CVE-2017-5715 (Spectre-2). Details on this change can be found in our companion blog.
...
- VMSA-2018-0007.1 – VMware Virtual Appliance updates address side-channel analysis due to speculative execution
Greetings from the VMware Security Response Center!
We thought we should post an explanation of today’s changes to VMSA-2018-0007 as we have removed CVE-2017-5715 from the advisory.
The reason we have done this is to clarify which of these issues have been mitigated against currently known variants of the different vulnerabilities.
Because CVE-2017-5753 (Meltdown) is considered by some to be the most severe/exploitable of the issues, we did not want to wait for CVE-2017-5715 (Spectre-2) mitigations while Spectre-1/Meltdown fixes were ready to ship. We also understand that some customers may want to delay updating until all mitigations are in place. While we strongly recommend taking updates as soon as they become available, we wanted to be transparent about the fact that more updates are on the way.
...
Mar 20 2018
- VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Mitigations for speculative execution issue
- Summary
VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Mitigations for speculative execution issue.
The mitigations in this advisory are categorized as Hypervisor-Assisted Guest Mitigations described by VMware Knowledge Base article 52245.
- Relevant Products
- VMware vCenter Server (VC)
- VMware vSphere ESXi (ESXi)
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
SOFTWARE TOOLS
Gibson Research Corporation InSpectre
Jan 08 2018
See GRC (Gibson Research Corporation) InSpectre.
Microsoft SpeculationControl
Jan 04 2018
See Microsoft SpeculationControl.
Microsoft Speculation Control Validation PowerShell Script
Jan 10 2018
Date estimated, based on Google search.
See Microsoft Speculation Control Validation PowerShell Script.
VMware PowerCLI
Jan 14 2018
See William Lam's VerifyESXiMicrocode.ps1 PowerCLI script.
BLOGS AND PODCASTS
Aaron Buley
Jan 05 2018
Aaron Buley
Published on Jan 11, 2018
Further Reading Material:
https://www.kb.cert.org/vuls/id/584653
https://googleprojectzero.blogspot.co...
https://meltdownattack.com/ or https://spectreattack.com/ (same)
How to Enable Site Isolation - https://support.google.com/chrome/ans...
https://www.engadget.com/2018/01/11/i...
Cloudflare
Jan 08 2018
by John Graham-Cumming
- An Explanation of the Meltdown/Spectre Bugs for a Non-Technical Audience
Last week the news of two significant computer bugs was announced. They've been dubbed Meltdown and Spectre. These bugs take advantage of very technical systems that modern CPUs have implemented to make computers extremely fast. Even highly technical people can find it difficult to wrap their heads around how these bugs work. But, using some analogies, it's possible to understand exactly what's going on with these bugs. If you've found yourself puzzled by exactly what's going on with these bugs, read on — this blog is for you.
...
Cyber Frontiers
Jan 09 2018
- Meltdown and Spectre: A Tear at the Foundation of Computer Security – CF042
This week on Cyber Frontiers we jump into full coverage of the 6-day old public disclosures of the meltdown and spectre vulnerabilities. With some issues mitigated, the news is a gravitational force that has dominated cybersecurity early into 2018 and could continue to engage industry for years to come. We discuss the short and long term security implications and performance debacles, and provide technical and non-technical explanations for the two classes of vulnerabilities disclosed. We review the mitigations users can start employing now, and discuss impacts for the average guy and the enterprise.
Cyber Frontiers is all about Exploring Cyber security, Big Data, and the Technologies Shaping the Future! Christian Johnson will bring fresh and relevant topics to the show based on the current work he does.
Support the Average Guy: https://www.patreon.com/theaverageguy
WANT TO SUBSCRIBE? We now have Video Large / Small and Video iTunes options at http://theAverageGuy.tv/subscribe
You can contact us via email at jim@theaverageguy.tv
Full show notes and video at http://theAverageGuy.tv/cf042
...
Notes from MWhite
Jan 05 2018
- Meltdown and Spectre – what you need to know!
by Michael White
Hi all,
I was going to mention this topic in my newsletter this weekend. But things got sort of crazy and now there is so much info it is confusing out there so I thought I would treat this as a separate subject rather than as part of my newsletter.
Here is an article by one of the top security thinkers – good info! Here is some good technical detail as well.
...
PC Perspective
Jan 05 2018
- Meltdown's Impact on Storage Performance - Really an Issue?
Jan 05 2018 by Allyn Malventano at PC Perspective...
Most of the published data to date shows a ~20% performance hit to small random accesses, but I've noted that the majority of reviewers seem to be focusing on the Samsung 950/960 series SSDs. Sure these are popular devices, but when evaluating changes to a storage subsystem, it's unwise to just stick with a single type of product.
...
spectreattack
Jan 03 2018
- Meltdown and Spectre
Vulnerabilities in modern computers leak passwords and sensitive data.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
...
Security Now
Jan 03 2018
- Security Now 645 The Speculation Meltdown
This week, before we focus upon the industry-wide catastrophe enabled by precisely timing the instructed execution of all contemporary high-performance processor architectures.
...
Optionally, you can jump ahead to just the right spot where Steve really dives into this at length, streamed right to your browser complete with playback speed controls. See also the detailed transcript-like shownotes.
See also the mentioned Speculation Control Validation PowerShell Script.
Jan 17 2018
- Security Now 646 The InSpectre
This week we discuss more trouble with Intel’s AMT, what does Skype’s use of Signal really mean, the UK’s data protection legislation gives researchers a bit of relief, the continuing winding down of HTTP, “progress” on the development of Meltdown attacks, Google successfully tackles the hardest-to-fix Spectre concern with a Return Trampoline, some closing the loop feedback with our terrific listeners, and the evolving landscape of Meltdown and Spectre, including Steve’s just completed “InSpectre” test & explanation utility.
...
Optionally, you can jump ahead to just the right spot, where Steve dives in and explains InSpectre. See also the detailed transcript-like shownotes, where Steve mentions the VMware Fling called VMware CPU Microcode Update Driver.
InSpectre
Read about InSpectre on Steve's reputable-for-decades Gibson Research Corporation website, filed under Security
InSpectre Download
It's FreeWare that is portable, so it doesn't require an install. Just run it on Windows, on a Windows VM, or on a Mac (via Wine):
STH
Jan 07 2018
- Red Hat Outlines Meltdown and Spectre Patch Performance Impacts
by Cliff Robinson
Red Hat has been heavily involved in the Meltdown and Spectre patch efforts. It also has its initial patches ready well before the originally planned disclosure date of January 9, 2018. Red Hat is also in the unique position that it has the most robust set of open source OS enterprise customers. Those same customers are clamoring for information regarding the performance impacts of the Meltdown and Spectre series of patches.
...
Storage Unpacked
Jan 27 2018
- #35 – The Spectre of Meltdown with Alex Chircop
Chris Evans and Alex Chircop
In this week’s podcast, the team talk to Alex Chircop, CTO at StorageOS about the implications on storage of the recent Spectre/Meltdown vulnerabilities. Much has been made of the potential impact to I/O performance and by definition storage platforms and products. The guys talk about what the vulnerabilities actually mean for end users and what to expect from storage vendors. Finally, the podcast concludes with some suggestions from Martin, as the token end user in the discussion.
Two references were made in the podcast. The first is to a Techspot article comparing NVMe and SSD performance ...
At this spot, you'll hear a deep dive into how Meltdown actually works:
In terms of the patches that are being developed, how are they affecting the workload of an application or an operating system or a server?
At this spot, you'll hear a discussion about performance analysis results done internally, and the need for more testing externally. Listen for a couple of minutes to get to this spot:
... if you are using all flash arrays or you are using local NVMe, the performance difference could be 100%, those few microseconds could be the entire difference between doubling your performance impact on some sort of workload that is serialized, for example.
Perhaps this spot sums it all up best:
The lower latency your environment has, the much higher the impact you're gonna see.
but you really need to hear the context in which this was said. It's best to listen to the entire podcast.
TECHSPOT
Jan 07 2018
- Patched Desktop PC: Meltdown & Spectre Benchmarked
Big Slow Down for SSDs, But This Ain't Over Yet
by Steven Walton
If you read our previous article on the matter, it came within 24 hours of the emergency Windows 10 patch release intended to address the Meltdown vulnerability. We ran tests that made sense from the perspective of a desktop user and we found there was virtually no impact on gaming performance and no impact for content creators. There were however a few troubling results for NVMe storage devices, mostly impacting 4K read performance. Since then other fellow tech media outlets have published similar findings.
...
The Next Platform
Mar 16 2018
- How Spectre And Meltdown Mitigation Hits Xeon Performance
It has been more than two months since Google revealed its research on the Spectre and Meltdown speculative execution security vulnerabilities in modern processors, and caused the whole IT industry to slam on the brakes and brace for the impact. The initial microbenchmark results on the mitigations for these security holes, put out by Red Hat, showed the impact could be quite dramatic. But according to sources familiar with recent tests done by Intel, the impact is not as bad as one might think in many cases. In other cases, the impact is quite severe.
...
TinkerTry
Jan 09 2018
Feb 20 2018
Mar 20 2018
VIRTUABYTES
Jan 05 2018
- Spectre Vulnerability – How to Patch VMware ESXi
by VIRTUADMIN
Yesterday, news broke about vulnerabilities affecting AMD, Intel, and ARM CPUs. These vulnerabilities, termed Meltdown and Spectre, have the potential to expose information that the machine(s) process. Check out this post for an in-depth look. At this point, it appears that VMware is not vulnerable to Meltdown; however, they have released patches for Spectre. It has been speculated that patching the flaws will cause performance hits. To what degree varies by reporting source. As always, test patches before deployment and contact support if you have any questions.
...
vInfrastructure Blog
Jan 07 2018
- Meltdown and Spectre: Microsoft products
by Andrea Mauro
Meltdown and Spectre are critical vulnerabilities existing in several modern CPUs: these hardware bugs allow programs to steal data which is currently processed on the computer. Meltdown and Spectre can affect personal computers, mobile devices, servers and several cloud services.
...
VirtuallyAware
Jan 09 2018
Hyper-V and Spectre/Meltdown: Protecting Your Hosts – Do This!
by Robert McShinsky
There is a lot of information swirling around out there on what to do with the latest Spectre/Meltdown vulnerabilities. Whereas I can’t tell you how to solve the vulnerabilities for every Hardware and Operating System combination, I can tell you how to get your Hyper-V environments protected.
...
virtuallyGhetto
Jan 14 2018
- Automating Intel Sighting remediation using PowerCLI (SSH not required)
In case you may not be aware, Intel recently notified VMware that certain Intel Broadwell and Haswell CPUs are affected by Intel Sighting after applying the latest microcode update to remediate against the Spectre vulnerability. VMware has published the following KB 52345 which provides more details on the affected Intel CPUs along with the recommended workaround in case you have already applied the latest ESXi patches containing the faulty microcode. I highly recommend you carefully read over the KB before proceeding further, even if you have not applied the ESXi patches.
With this updated news, I have also updated my existing Spectre verification script ...
Wired
Jan 07 2018
- Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw At the Same Time
by Andy Greenberg
ON A COLD Sunday early last month in the small Austrian city of Graz, three young researchers sat down in front of the computers in their homes and tried to break their most fundamental security protections.
Two days earlier, in their lab at Graz's University of Technology, Moritz Lipp, Daniel Gruss, and Michael Schwarz had determined to tease out an idea that had nagged at them for weeks, a loose thread in the safeguards underpinning how processors defend the most sensitive memory of billions of computers.
...
Mar 13 2018
- Researchers Point to an AMD Backdoor—And Face Their Own Backlash
by Andy Greenberg
...
On Tuesday morning, hardware security firm CTS Labs published a paper and website pointing to four new classes of attack that the company says are possible against AMD chips in both PCs and servers. Together, they seem to offer an array of new methods for hackers who have already gained significant access to a computer running AMD's "Zen" processor architecture. At their worst, the vulnerabilities as described would allow attackers to bypass security safeguards against tampering with the computer's operating system, and potentially plant malware that evades practically any attempts to detect or delete it on AMD chips.
...
Yellow Bricks
Jan 24 2018
- Where did ESXi 6.5.0 build 7526125 go?
I had two customers asking today what happened to ESXi 6.5 build 7526125. They downloaded patches and installed them in their test environment. Ready to patch some of their clusters they did a validation and found out that the patch (ESXi650-201801001.zip) has disappeared from the face of the earth. This patch included microcode for Intel processors, and Intel informed VMware that there was potentially an issue with their microcode. As such VMware decided to pull the patch as noted in the KB article.
...
Jan 11 2018 Update
More emphasis is brought to VMware's KB 52245 which pulls together all relevant VMware statements about Meltdown and Spectre, and has had 22,272 views already.
Several important new articles released last night and today, added above.
Jan 12 2018 Update
Added my own server, phone, and laptop patch stories to the introductory section above.
Jan 14 2018 Update
Back on Jan 13 2018, KB52345 stated:
Resolution
For ESXi hosts that have not yet applied one of the following patches ESXi650-201801402-BG, ESXi600-201801402-BG, or ESXi550-201801401-BG, VMware recommends not doing so at this time. It is recommended to apply the patches listed in VMSA-2018-0002 instead.
but this wording has apparently been removed.
Update!
Special thanks to Thomas Rottig, who wrote in today to let me know that the update had apparently been pulled:
...just thought you might to investigate/update your post - this update is currently not available... deployed fine yesterday
The reason it has been pulled from VMware's update server is explained in KB52345, where the Resolution paragraph above has been replaced with the new one below:
Resolution
Note: All the patches associated with VMSA-2018-0004 have been pulled back from the online and offline portal.
Thomas also provided me with this account of success on one host yesterday, then of the error he noticed on another host today:
esxcli software profile get
(Updated) ESXi-6.5.0-20180104001-standard
Name: (Updated) ESXi-6.5.0-20180104001-standard
Vendor: VMware, Inc.
Creation Time: 2018-01-13T16:13:43
Modification Time: 2018-01-13T16:13:43
Stateless Ready: True
Description:
build_url="hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml";esxcli software profile update --depot $build_url --profile ESXi-6.5.0-20180104001-standard
[NoMatchError]
No image profile found with name 'ESXi-6.5.0-20180104001-standard'
id = ESXi-6.5.0-20180104001-standard
Please refer to the log file for more details.
Updates to the above article made accordingly, and all related articles.
Jan 22 2018 Update
Updated Intel, VMware, and Dell sections above, see also closely related tweet:
Jan 24 2018 Update
Added Yellow Bricks article above.
Jan 27 2018 Update
Added this Intel article, along with several recent blog posts and podcasts.
Feb 09 2018 Update
Added Intel article from Feb 07 2018.
Feb 19 2018 Update
The Dell PCs and Thin Client article has been updated to show that my Dell Precision 5520 BIOS upgrade is now 1.7.1, which I have applied to my system without incident.
VMware has released VCSA 6.5 U1f (Update 1f) build number 7801515.
Mar 21 2018 Update
Many updates made, details in this tweet.
Jun 28 2018 Update
This class of attacks is shaping up to be mostly a concern only for cloud computing providers, something Steve Gibson outlines nicely in this podcast segment from episode 668: Lazy FPU State Restore.
There is also the emergence of the related side-channel vulnerability dubbed TLBleed, see details at:
- TLBleed is latest Intel CPU flaw to surface: But don't expect it to be fixed
  Researchers find a new side-channel attack against a performance-enhancing feature in Intel CPUs.
  Jun 26 2018 by Liam Tung at ZDNet
- Hyperthreading under scrutiny with new TLBleed crypto key leak
  A new attack prompted OpenBSD's developers to disable hyperthreading by default.
  Jun 25 2018 by Peter Bright at Ars Technica
Expectedly, even 6 months after these side-channel vulnerabilities were made public, this whole saga of struggle to get this fixed is still dragging on, and there's no clear end in sight. New, similar vulnerabilities are still being found. Given TinkerTry's focus tends to be mostly on home lab topics, my own interest in tracking the ins-and-outs of this issue is admittedly waning. I'll likely be wrapping up most of my updates on this article soon. Major news like Supermicro Xeon D BIOS upgrades that may further mitigate such vulnerabilities will continue to be covered at TinkerTry.