NOTE: Microsoft released Security Advisory 18002 on Wednesday, January 3, announcing mitigation for a major vulnerability to Windows in modern CPU architectures. ESET released Antivirus and Antispyware module 1533.3 the same day to all customers to ensure that use of our products would not affect compatibility with Microsoft’s patch.

Background

The first few days of 2018 have been filled with anxious discussions concerning a widespread and wide-ranging vulnerability in the architecture of processors based on Intel’s Core architecture used in PCs for many years, as well as processors from AMD, and even affecting ARM processors commonly used in tablets and smartphones.

At the time of this writing, not all details have been released, but reportedly the issue is that programs running in user-mode address space (the “normal” range of memory in which application software, games and the like run) on a computer can infer or “see ” some of the information stored in kernel-mode address space (the “protected” range of memory used to contain the operating system, its device drivers, and sensitive information such as passwords and cryptography certificates).

Fixes to prevent user-mode programs from “peering inside” kernel-mode memory are being introduced by operating system vendors, hypervisor vendors and even cloud computing companies, but it appears the initial round of patches will slow down operating systems to some extent.  The exact amount of slowdown is open to debate.  Intel has stated the performance penalty will “not be significant” for most users, but Linux enthusiast site Phoronix has benchmarked performance penalties from 5-30%, depending upon what the computer is doing.

History

A long Reddit thread titled Intel bug incoming has been tracking the vulnerability since information about it began to appear on January 2, 2018; Ars Technica and The Register have had excellent coverage, as well.

Processor manufacturer AMD announced that they are unaffected, according to reports on CNBC and a message to the Linux Kernel Mailing List by an AMD engineer, but reports from both Google‘s Project Zero and Microsoft state that AMD processors are affected.  Since then, AMD has released a statement for clarification.

The Microsoft article goes on to note that this is not a Windows-specific issue, and that it affects , Chrome OS, iOS and macOS as well.  Red Hat‘s advisory includes IBM’s POWER architecture as being vulnerable.  Hypervisor manufacturers VMware and Xen have issued their own advisories, as has Amazon Web Services.

Affected Vendors

Here is a list of affected vendors and their respective advisories and/or patch announcements:

Vendor Advisory/Announcement
Amazon (AWS) AWS-2018-013: Processor Speculative Execution Research Disclosure
AMD An Update on AMD Processor Security
Android (Google) Android Security Bulletin—January 2018
Apple HT208331: About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
HT208394: About speculative execution vulnerabilities in ARM-based and Intel CPUs
ARM Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism
Azure (Microsoft) Securing Azure customers from CPU vulnerability
Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities
Chromium Project Actions Required to Mitigate Speculative Side-Channel Attack Techniques
Cisco cisco-sa-20180104-cpusidechannel – CPU Side-Channel Information Disclosure Vulnerabilities
Citrix CTX231399: Citrix Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
Debian Debian Security Advisory DSA-4078-1 linux — security update
Dell SLN308587 – Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products
SLN308588 – Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)
F5 Networks K91229003: Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754
Google’s Project Zero Reading Privileged Memory with a Side-Channel
Huawei Security Notice – Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design
IBM Potential CPU Security Issue
Intel INTEL-SA-00088 Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
Lenovo Lenovo Security Advisory LEN-18282: Reading Privileged Memory with a Side Channel
Microsoft Security Advisory 180002: Guidance to mitigate speculative execution side-channel vulnerabilities
Windows Client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
Windows Server guidance to protect against speculative execution side-channel vulnerabilities
SQL Server Guidance to protect against speculative execution side-channel vulnerabilities
Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software
Mozilla Mozilla Foundation Security Advisory 2018-01: Speculative execution side-channel attack (“Spectre”)
NetApp NTAP-20180104-0001: Processor Speculated Execution Vulnerabilities in NetApp Products
nVidia Security Notice ID 4609: Speculative Side Channels
Security Bulletin 4611: NVIDIA GPU Display Driver Security Updates for Speculative Side Channels
Security Bulletin 4613: NVIDIA Shield TV Security Updates for Speculative Side Channels
Raspberry Pi Foundation Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown
Red Hat Kernel Side-Channel Attacks – CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
SUSE SUSE Linux security updates CVE-2017-5715
SUSE Linux security updates CVE-2017-5753
SUSE Linux security updates CVE-2017-5754
Synology Synology-SA-18:01 Meltdown and Spectre Attacks
Ubuntu Ubuntu Updates for the Meltdown / Spectre Vulnerabilities
VMware NEW VMSA VMSA-2018-0002 VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution
Xen Advisory XSA-254: Information leak via side effects of speculative execution

Technical Details

The confusion over brands of affected CPUs may be due to the fact that this is not one vulnerability, but two similar vulnerabilities, dubbed Meltdown and Spectre by their respective discoverers.  These vulnerabilities have three CVE numbers (a quasi-government standard for tracking computer security vulnerabilities and exposures) assigned to them:

For many years, processor manufacturers – such as Intel – have been able to fix flaws in processor architecture through microcode updates, which write an update to the processor itself to fix a bug.  For a – so far unannounced – reason or reasons, this vulnerability may not be fixable this way in Intel processors, so instead, operating system manufacturers have collaborated with Intel to release patches for the vulnerabilities.

Intel’s security advisory, INTEL-SA-00088 Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method, lists forty-four (44) affected families of processors, each of which can contain dozens of models.  ARM Limited has released an advisory titled Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism that currently lists ten (10) affected models of processor.

ESET’s Response

As mentioned at the beginning of the article, ESET released Antivirus and Antispyware module update 1533.3 on Wednesday, January 3, 2018, to all customers to ensure compatibility with Microsoft’s updates to the Windows operating systems.  ESET is working alongside hardware and software vendors to mitigate the risk posed by the vulnerabilities.

For additional information see:

Please periodically check these articles and revisit this post for updates as additional information becomes available.

Special thanks to my colleagues Tony Anscombe, Richard Baranyi, Shane B., Bruce P. Burrell, Shane Curtis, Nick FitzGerald, David Harley, Elod K., James R., Peter Stancik, Marek Z., and Righard Zwienenberg for their assistance in preparing this article.

Author Aryeh Goretsky, ESET



Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here