NOTE: Microsoft released Security Advisory 18002 on Wednesday, January 3, 2018 announcing mitigation for a major vulnerability to Windows in modern architectures. ESET released Antivirus and Antispyware module 1533.3 the same day to all customers to ensure that use of our products would not affect compatibility with Microsoft’s patch.

Background

The first few days of 2018 have been filled with anxious discussions concerning a widespread and wide-ranging vulnerability in the architecture of processors based on Intel’s Core architecture used in PCs for many years, as well as processors from AMD.  The scope of the vulnerability is wide-ranging, affecting everything from the ARM processors commonly used in tablets and smartphones to the IBM POWER processors used in supercomputers.  For information about the effects of these vulnerabilities on the Internet of Things, please see Righard Zwienenberg’s article, “MADIoT – The nightmare after XMAS (and Meltdown, and Spectre).”

When this article was initially written, not all details had been released, but reportedly the issue was that programs running in user-mode address space (the “normal” range of memory in which software, games and the like run) on a computer can infer or “see” some of the information stored in kernel-mode address space (the “protected” range of memory used to contain the operating system, its device drivers, and sensitive information such as passwords and cryptography certificates).

Fixes to prevent user-mode programs from “peering inside” kernel-mode memory are being introduced by operating system vendors, hypervisor vendors and even cloud computing companies, but it appears the initial round of patches will slow down operating systems to some extent.  The exact amount of slowdown is open to debate.  Intel has stated the performance penalty will “not be significant” for most users, but enthusiast site Phoronix has benchmarked performance penalties from 5-30%, depending upon what the computer is doing.

History

A long Reddit thread titled Intel bug incoming has been tracking the vulnerability since information about it began to appear on January 2, 2018; Ars Technica and The Register have had excellent coverage, as well.

Processor manufacturer AMD announced that they are unaffected, according to reports on CNBC and a message to the Linux Kernel Mailing List by an AMD engineer, but reports from both Google’s Project Zero and Microsoft state that AMD processors are affected. Since then, AMD has released a statement for clarification. Both AMD and Nvidia announced that their GPUs are not vulnerable, although the latter has issued software updates to its device drivers for operating systems affected by the vulnerabilities. Qualcomm has confirmed to journalists that its CPUs are affected, but has issued no security advisories or bulletins at the time of this writing.

The Microsoft article goes on to note that this is not a Windows-specific issue, and that it affects Android, Chrome OS, iOS and macOS as well. Red Hat’s advisory includes IBM’s POWER architecture as being vulnerable, which IBM subsequently confirmed. Hypervisor manufacturers VMware and Xen have issued their own advisories, as has Amazon Web Services.

Patching operating systems and processor microcode is a complex process, and not all of the updates have gone smoothly:  On January 9, Microsoft suspended the Windows update for some older AMD CPUs due to compatibility issues.  On January 13, Dell, Lenovo and VMware suspended their microcode updates for some Broadwell, Haswell, Kaby Lake and Xeon CPUs due to reports of issues after installation.

Affected Vendors

Here is a list of affected vendors and their respective advisories and/or patch announcements:

Vendor Advisory/Announcement
A10 Networks SPECTRE/MELTDOWN – CVE-2017-5715/5753/5754
A56 Informatique Infrastructure VMWare et failles « Spectre » et « Meltdown »
AbacusNext AbacusNext Research and Statement on Meltdown / Spectre
ABB ABB Doc Id 9AKK107045A8219: Cyber Security Notification – Meltdown & Spectre
Abbott Cybersecurity Update on Meltdown and Spectre
Acer Answer ID 53104: Meltdown and Spectre security vulnerabilities
Acronis KB 60847: Acronis Access Advanced: Spectre and Meltdown vulnerabilities
ADP Information Regarding Meltdown and Spectre Vulnerabilities
Aerohive Product Security Announcement: Aerohive’s response to Meltdown and Spectre
AgileBits Same as it ever was: There’s no reason to melt down
AhnLab [Notice] Security Alert for Intel CPU Flaw
Aiven Aiven statement on Meltdown and Spectre vulnerabilities
Akamai Impact of Meltdown and Spectre on Akamai
Algolia The Meltdown and Spectre impact on Algolia infrastructure
Alibaba Cloud [Security Bulletin] Intel Processor Meltdown and Specter Security Vulnerability Bulletin
Amazon (AWS) AWS-2018-013: Processor Speculative Execution Research Disclosure
AMD An Update on AMD Processor Security
American Megatrends American Megatrends Statement in Response to “Meltdown” and “Spectre” Security Vulnerabilities
Android (Google) Android Security Bulletin—January 2018
Apache Protecting Apache Ignite from ‘Meltdown’ and ‘Spectre’ vulnerabilities
APC UPDATED: 10-JAN-2018 | Security Notification: “Meltdown” (CVE-2017-5754) and “Spectre” (CVE-2017-5753 & CVE-2017-5715) – impact to APC products
Appalachia Technologies Spectre + Meltdown
Apple HT208331: About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
HT208394: About speculative execution vulnerabilities in ARM-based and Intel CPUs
HT208403: About the security content of Safari 11.0.2
Aptible Meltdown and Spectre are Critical Vulnerabilities for Cloud Infrastructure. Here’s How the Aptible Security Team Responded
ArchLinux CVE-2017-5715
CVE-2017-5753
CVE-2017-5754
Arista Networks Security Advisory 0031: Arista Products vulnerability report
ARM Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism
ARM Trusted Firmware Security Advisory TFV 6
Aruba Networks ARUBA-PSA-2018-001: Unauthorized Memory Disclosure through CPU Side-Channel Attacks (“Meltdown” and “Spectre”)
Aspera Security Bulletin: Aspera Products and the Meltdown and Spectre vulnerabilities (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
ASRock FAQ ID 33: What is Meltdown and Spectre issue
ASRock Support: Latest BIOS Update
ASUS ASUS Motherboards Microcode Update for Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
ASUS Update on Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
Auth0 Meltdown & Spectre: What Auth0 Customers Need to Know
Avast Avast Antivirus compatibility with Windows update for Meltdown and Spectre vulnerabilities
Avaya ASA-2018-001: linux-firmware security update (RHSA-2018-0007)
ASA-2018-002: linux-firmware security update (RHSA-2018-0013)
ASA-2018-004: linux-firmware security update (RHSA-2018-0012)
ASA-2018-005: linux-firmware security update (RHSA-2018-0008)
ASA-2018-006: linux-firmware security update (RHSA-2018-0014)
ASA-2018-011: VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution. (VMSA-2018-0002)
AVG AVG Antivirus compatibility with Windows update for Meltdown and Spectre vulnerabilities
Avira Don’t be afraid of a ‘Meltdown’ with the new Microsoft update
Answer 71132: Is Avira Antivirus compatible with the new Microsoft patch for the Meltdown vulnerability?
AVM Aktuelle Sicherheitshinweise: Meltdown und Spectre – keine Angriffsmöglichkeit bei AVM-Produkten
Azure (Microsoft) Securing Azure customers from CPU vulnerability
Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities
Guidance for mitigating speculative execution side-channel vulnerabilities in Azure
Barkly The Meltdown and Spectre CPU Bugs, Explained
Barracuda Networks Barracuda Networks Security Advisory
BD Product security bulletin for Meltdown and Spectre
Product security bulletin for Meltdown and Spectre Update 1
BerganKDV Security Alert: Meltdown and Spectre Hardware Bugs Put Nearly All Devices at Risk
BitDefender 2072: Understanding the impact of Meltdown and Spectre CPU exploits on Bitdefender GravityZone users
9033: Information for Bitdefender users on the Microsoft January 2018 Security Update
Bitnami Spectre and Meltdown: Privileged memory read vulnerability in several CPUs (Reading privileged memory with a side-channel)
BMC CPU Vulnerabilities – Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715)
Update: CPU Vulnerabilities – Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715)
Bomgar Bomgar and the latest CVEs
Box The Meltdown and Spectre CPU vulnerabilities: What you need to know as a Box customer
Update: The Meltdown and Spectre CPU vulnerabilities: What you need to know as a Box customer
BrightSign Security Statement: Meltdown and Spectre Vulnerabilities
brightsolid Processor Vulnerability Advice
Bromium Important information relating to the Intel CPU design flaw
CA Technologies DOC-231179418: Meltdown / Spectre vulnerabilities – Workload Automation AE / DE / Agents Advisory
TEC1272616: Addressing the Spectre and Meltdown Vulnerabilities (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) for the API Management Product Suite
Official announcement on Meldown/Spectre
Capsule8 Part One: Detecting Meltdown using Capsule8
Part Two: Detecting Meltdown and Spectre by Detecting Cache Side Channels
Carbon Black Carbon Black Solutions Currently Compatible With Major OS Vendor Patches on Meltdown & Spectre
CentOS CESA-2018:0007 Important CentOS 7 kernel Security Update
CESA-2018:0008 Important CentOS 6 kernel Security Update
CESA-2018:0012 Important CentOS 7 microcode_ctl Security Update
CESA-2018:0013 Important CentOS 6 microcode_ctl Security Update
CESA-2018:0014 Important CentOS 7 linux-firmware Security Update
Check Point sk122205: Check Point Response to Meltdown and Spectre (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
Chromium Actions Required to Mitigate Speculative Side-Channel Attack Techniques
Status of mitigations for CVE-2017-5754 (Meltdown) for each Chrome OS device
Cisco cisco-sa-20180104-cpusidechannel – CPU Side-Channel Information Disclosure Vulnerabilities
Alert ID 56354: CPU Side-Channel Information Disclosure Vulnerabilities
Citrix CTX231399: Citrix Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
ClearOS CVE-2017-5715
CVE-2017-5753
CVE-2017-5754
Cloud Foundry Meltdown and Spectre Attacks
Commvault Security: Meltdown and Spectre Chip Vulnerability
Comodo Meltdown and Spectre – Serious Vulnerabilities Which Affect Nearly Every Computer and Device
ConnectWise Meltdown and Spectre Sparks Fire for Immediate OS Patch
Contegix Our Response to Meltdown and Spectre
CoreOS Container Linux patched to address Meltdown vulnerability
Couchbase Speculative Execution Processor Vulnerabilities – ‘Meltdown and Spectre’: What you need to know
cPanel Meltdown – CVE-2017-5753 CVE-2017-5715 CVE-2017-5754
Crestron Answer ID 5471: The latest details from Crestron on security and safety on the Internet
Cumulus Networks Meltdown and Spectre: Modern CPU Vulnerabilities
Cumulus Networks® Security Advisory 2018-January-4
CyberAdapt The Spectre of a Meltdown:
Cylance Meltdown and Spectre Vulnerabilities (account required)
Cylance Not Impacted by Meltdown or Spectre Vulnerabilities
Cyren IMPORTANT – Hotfix 2018-01 for F-PROT and CSAM
Debian Debian Security Advisory DSA-4078-1 linux — security update
Deep Instinct Deep Instinct Announces it is Not Impacted by Meltdown or Spectre Vulnerabilities
Dell Meltdown and Spectre Vulnerabilities
SLN308587 – Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products
SLN308588 – Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)
Digi Spectre and Meltdown Vulnerabilities – (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754)
Digital Ocean A Message About Intel Security Findings
How To Protect Your Server Against the Meltdown and Spectre Vulnerabilities
DocuSign Update 1/4/2018 – DocuSign Meltdown and Spectre Security Alert Status
Update 1/12/2018 – DocuSign Meltdown and Spectre Response Status
Dragonfly BSD Intel Meltdown bug mitigation in master
More Meltdown fixes
Druva Troubleshooting Spectre and Meltdown
Duo Security Article 4612: Is Duo affected by the recent Spectre or Meltdown vulnerabilities?
Elastic Elastic Cloud and Meltdown
Emsisoft Chip vulnerabilities and Emsisoft: What you need to know
Endgame Endgame Is Compatible with the Spectre/Meltdown Patches
Ensilo Frequently Asked Questions: Spectre & Meltdown
Epic Games Epic Services & Stability Update
ESET ESET Customer Advisory 2018-001: Spectre and Meltdown Vulnerabilities Discovered
ESET Support Alert 6644: ESET can stop malware that in the future may use Spectre and Meltdown vulnerabilities
Meltdown & Spectre: How to protect yourself from these CPU security flaws
Extreme Networks Meltdown and Spectre (VN 2017-001 & VN 2017-002)
VN 2018-001 (CVE-2017-5715, CVE-2017-5753 – Spectre)
VN 2018-002 (CVE-2017-5754 – Meltdown)
F5 Networks K91229003: Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754
Faronics KB 435: Faronics Antivirus and Microsoft updates from January 3, 2018 (Spectre / Meltdown)
Fasthosts Answer ID 3136: Mitigating Meltdown and Spectre – Linux
Fedora Protect your Fedora system against Meltdown
Fifty Seven Network Meltdown, Spectre, and Smartsheet
FireEye FireEye Endpoint Security Agent is Compatible with the Meltdown Windows Security Update
Forcepoint Forcepoint Updates on Spectre and Meltdown
KB000014933: Meltdown and Spectre Vulnerability CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
Fortinet Fortinet Advisory on New Spectre and Meltdown Vulnerabilities
Foundation IT Meltdown and Spectre Exploits
FreeBSD FreeBSD News Flash
Response to Meltdown and Spectre
Fujitsu CPU hardware vulnerable to side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
Side-Channel Analysis Method: (Spectre & Meltdown) Security Review
G DATA “Meltdown” and “Spectre”: researchers discover severe CPU bugs
Gandi Meltdown and Spectre vulnerabilities
Gemalto Meltdown and Spectre microprocessor vulnerabilities
Gentoo Linux Bug 643340 (CVE-2017-5753) – [TRACKER] hw: cpu: speculative execution bounds-check bypass (CVE-2017-5753)
Bug 643342 (CVE-2017-5715) – [TRACKER] hw: cpu: speculative execution branch target injection (CVE-2017-5715)
Bug 643344 (CVE-2017-5754) – [TRACKER] hw: cpu: speculative execution permission faults handling (CVE-2017-5754)
Getac Getac’s Statement on Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
GFI GFI LanGuard – Security flaws “Meltdown” and “Spectre” affecting CPU
Gigabyte BIOS update for Side Channel Analysis Security issue Mitigations
Google Google Project Zero: Reading Privileged Memory with a Side-Channel
Google’s Mitigations Against CPU Speculative Execution Attack Methods
Heroku Meltdown and Spectre Security Update
Hetzner Online Spectre and Meltdown
Hitachi Hitachi Storage Solutions: Notice on “side channel attack to the CPUs with speculative execution function”
Hitachi Vantara: Support Information: CVE Security Notices (account required)
HP Document ID: c05869091: HPSBHF03573 rev. 2 – Side-Channel Analysis Method
HPE Side Channel Analysis Method allows information disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
HPESBHF03805 – Certain HPE products using Microprocessors from Intel, AMD, and ARM, with Speculative Execution, Elevation of Privilege and Information Disclosure.
a00039267en_us: Bulletin: (Revision) HPE ProLiant, Moonshot and Synergy Servers – Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
Huawei Security Notice – Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design
IBM Potential CPU Security Issue
Potential Impact on Processors in the POWER Family
IBM Security Bulletin: This Power firmware update is being released to address Common Vulnerabilities and Exposures issue numbers CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754 (known as Spectre and Meltdown)
IBM Security Bulletin: IBM has released PTFs in response to the vulnerabilities known as Spectre and Meltdown
IGEL IGEL Furthers Product Security with Meltdown and Spectre Fix
Ikarus Two far-reaching vulnerabilities discovered in all modern CPUs. Some updates are available
Imperva Imperva Security Response to “Meltdown” and “Spectre” Exploits (Side-Channel Attacks to CPU privileged memory)
Intego Meltdown and Spectre: What Apple Users Need to Know
Intel INTEL-SA-00088 Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
Intel-SA-00088 for Intel NUC, Intel Compute Stick, and Intel Compute Card
INTEL-OSS-10002: Speculative Execution Branch Prediction Side Channel and Branch Prediction Analysis Method
INTEL-OSS-10003: Speculative Execution Data Cache and Indirect Branch Prediction Method Side Channel Analysis
Security Exploits and Intel Products
Ivanti DOC-65669: Ivanti Device and Application Control (formerly HEAT Endpoint Security) compatibility with Microsoft patches for Meltdown/Spectre
Johnson & Johnson January 12, 2017 – Product Security Notification for Meltdown and Spectre
Johnson Controls Meltdown and Spectre Vulnerabilities
Juniper JSA10842: 2018-01 Out of Cycle Security Bulletin: Meltdown & Spectre: CPU Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
K7 Computing K7 Products are Compatible with Meltdown & Spectre Patches!
Kaspersky Lab Kaspersky Lab Daily January 4, 2018: Two severe vulnerabilities found in Intel’s hardware
ID: 14042: Compatibility of Kaspersky Lab solutions with the Microsoft Security update of January 3, 2018
KEMP Technologies Meltdown and Spectre (CVE-2017-5754 & CVE-2017-5753)
LANCOM Systems Allgemeine Sicherheitshinweise: Spectre und Meltdown: LANCOM Geräte sind nicht betroffen
Lansweeper Meltdown and Spectre
Lenovo Lenovo Security Advisory LEN-18282: Reading Privileged Memory with a Side Channel
Lime Technology unRAID Server OS 6.4.0 Released
Linode CPU Vulnerabilities: Meltdown & Spectre
Linux Mint Security notice: Meltdown and Spectre
Liquid Web Here Is What You Need to Know About Meltdown and Spectre
Littlefish Meltdown & Spectre Security Vulnerabilities
LLVM D41723: Introduce the “retpoline” x86 mitigation technique for variant #2 of the speculative execution vulnerabilities
D41760: Introduce __builtin_load_no_speculate
D41761: Introduce llvm.nospeculateload intrinsic
Mageia Linux CVE-2017-5715
CVE-2017-5753
CVE-2017-5754
Malwarebytes DOC-2297: Meltdown and Spectre Vulnerabilities – what you should do to protect your computer
McAfee TS102769: Microsoft Security Update January 2018 (Meltdown and Spectre) and McAfee consumer products
KB90167: Meltdown and Spectre – McAfee Business and Enterprise Product Compatibility Update
Microsoft Security Advisory 180002: Guidance to mitigate speculative execution side-channel vulnerabilities
KB4056890: Windows 10 Update (OS Build 14393.2007)
KB4072698: Windows Server guidance to protect against speculative execution side-channel vulnerabilities
KB4072699: Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software
KB4073065: Surface Guidance to protect against speculative execution side-channel vulnerabilities
KB4073119: Windows Client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
KB4073225: SQL Server Guidance to protect against speculative execution side-channel vulnerabilities
Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer
Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems
Protecting guest virtual machines from CVE-2017-5715 (branch target injection)
SpeculationControl module provides the ability to query the speculation control settings for the system.
MicroWorld Technologies Meltdown and Spectre – CPU Vulnerabilities
Mitel Mitel Product Security Advisory 18-0001: Side-Channel Analysis Vulnerabilities
Mozilla Mozilla Foundation Security Advisory 2018-01: Speculative execution side-channel attack (“Spectre”)
MSI MSI pushes out motherboard BIOS updates to tackle recent security vulnerabilities
myAirWatch Security Vulnerability: CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown)
NetApp NTAP-20180104-0001: Processor Speculated Execution Vulnerabilities in NetApp Products
Netgate An update on Meltdown and Spectre
Netgear PSV-2018-0005: Security Advisory for Speculative Code Execution (Spectre and Meltdown) on Some ReadyNAS and ReadyDATA Storage Systems
Neverware Meltdown, Spectre, and CloudReady
UPDATE: CloudReady v61.3 released on all channels of the Home Edition
NGINX NGINX Response to the Meltdown and Spectre Vulnerabilities
Nutanix Advisory ID nutanix-sa-007-specexvul: Side-Channel Speculative Execution Vulnerabilities January 2018
nVidia ID 4609: Speculative Side Channels
ID 4610: NVIDIA GeForce Experience Security Updates for CPU Speculative Side Channel Vulnerabilities
ID 4611: NVIDIA GPU Display Driver Security Updates for Speculative Side Channels
ID 1612: NVIDIA DGX Systems – Response to speculative side channels CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754
ID 4613: NVIDIA Shield TV Security Updates for Speculative Side Channels
ID 4614: NVIDIA Shield Tablet Security Updates for Speculative Side Channels
ID 4616: ID: NVIDIA Tegra Jetson TX1 L4T and Jetson TK1 L4T Security Updates for Speculative Side Channels
ID 4617: NVIDIA Jetson TX2 L4T Security Updates for CPU Speculative Side Channel Vulnerabilities
Nyotron Nyotron’s PARANOID is Compatible with Microsoft Patch for Meltdown and Spectre
Okta Security Bulletin: Meltdown and Spectre vulnerabilities
OnApp Meltdown and Spectre CPU Issues
One Identity KB237253: Is Safeguard affected by the Spectre vulnerability (CVE-2017-5753 & CVE-2017-5754) or Meltdown (CVE-2017-5715)? (237253)
Open Telekom Open Telekom Cloud Security Advisory about Processor Speculation Leaks (Meltdown/Spectre)
OpenBSD Meltdown
OpenGear CVE-2017-5754, CVE-2017-5715, CVE-2017-5753 – Meltdown and Spectre CPU Vulnerabilities
OpenStack OpenStack, Spectre and Meltdown: What you need to know
OpenSUSE [Security-Announce] Meltdown and Spectre Attacks
Oracle Oracle Critical Patch Update Advisory – January 2018
Doc ID 2347948.1: Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown (account required)
Doc ID 2338411.1: January 2018 Critical Patch Update: Executive Summary and Analysis (account required)
Oracle Linux Oracle Linux CVE repository: CVE-2017-5715
Oracle Linux CVE repository: CVE-2017-5753
Oracle Linux CVE repository: CVE-2017-5754
OSIsoft AL00333 – Meltdown and Spectre: What PI System users need to know about these vulnerabilities
Outpost24 Meltdown and Spectre Vulnerabilities for CPUs
OVH Information about Meltdown and Spectre vulnerability fixes
Find your patch for Meltdown and Spectre
Packet Guide to Meltdown / Spectre CPU Vulnerabilities
Palo Alto Networks Information about Meltdown and Spectre findings (PAN-SA-2018-0001)
Panasonic G18-001: Security information of vulnerability by Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
Panda Security 100059: Important information regarding Meltdown/Spectre and Microsoft Security Advisor ADV180002
Parrot meltdown/spectre security patches
Patchman Impending urgent security updates
Philips Security Advisory & Archive: Customer information on Meltdown & Spectre Global Security Issue
Plesk CVE-2017-5715 Spectre vulnerability variant 2
CVE-2017-5753 Spectre vulnerability variant 1
CVE-2017-5754 Meltdown vulnerability
Polycomm SECURITY ADVISORY – Processor based “Speculative Execution” Vulnerabilities AKA “Spectre” and “Meltdown”
PostgreSQL heads up: Fix for intel hardware bug will lead to performance regressions
Prgmr.com Speculative information disclosure
Updates on speculative information disclosure – Thu, 04 Jan 2018
Updates on speculative information disclosure – Tue, 09 Jan 2018
Protiviti Security Advisory – New Class of Vulnerabilities Introduced to Enterprise Systems: Meltdown and Spectre
Proxmox Meltdown and Spectre Linux Kernel fixes
Pulse Secure KB43597 – Impact of CVE-2017-5753 (Bounds Check bypass, AKA Spectre), CVE-2017-5715 (Branch Target Injection, AKA Spectre) and CVE-2017-5754 (Meltdown) on Pulse Secure Products
KB43600 – After installing January 3, 2018 Microsoft Patches, Pulse client connections fail when Host Checker is applied
Purism Meltdown, Spectre and the Future of Secure Hardware
Purism patches Meltdown and Spectre variant 2, both included in all new Librem laptops
QEMU QEMU and the Spectre and Meltdown attacks
Qihu 360 Meltdown与Spectre:近期CPU特性漏洞安全公告
360:处理器Meltdown与Spectre漏洞修复简要指南
QNAP NAS-201801-08: Security Advisory for Speculative Execution Vulnerabilities in Processors
Qualys Processor Vulnerabilities – Meltdown and Spectre
HOW-TO 000002746: Qualys Response to Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715)
Quanta Intel Security Advisory update
Qubes OS Announcement regarding XSA-254 (Meltdown and Spectre attacks)
Qubole Qubole Security Update Notice
Quick Heal Quick Heal is compatible with Microsoft’s Jan 3 update for Meltdown and Spectre
Rackspace Rackspace mitigations against CPU speculative execution vulnerabilities
Rapid7 Meltdown and Spectre: What you need to know (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
Raspberry Pi Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown
Red Hat Kernel Side-Channel Attacks – CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
RHSA-2018:0008 – Security Advisory
RHSA-2018:0012 – Security Advisory
RHSA-2018:0013 – Security Advisory
RHSA-2018:0014 – Security Advisory
Resolver Security Vulnerability: Meltdown and Spectre
RISC-V Foundation Building a More Secure World with the RISC-V ISA
Riverbed Technology Jan 05, 2018: Update on Meltdown and Spectre
Support KB ID S31752 (account required)
Rockwell Automation Answer ID: 1070884: Rockwell Automation Briefing on “Meltdown” and “Spectre” vulnerabilities. (account required)
Answer ID: 1071234: Microsoft Windows Security Updates for Meltdown/Spectre Vulnerabilities Impact (account required)
RSA 000035890 – Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on RSA products
Ruckus Networks Article Number 000007583: Is there any imact of Meltdown and Spectre vulnerabilities on Ruckus Products?
ID 20180105 FAQ: Spectre and Meltdown Vulnerabilities – CVE-2017-5753 CVE-2017-5715 & CVE-2017-5754
Salesforce Knowledge Article Number 000269171: Salesforce addresses ‘Spectre’ and ‘Meltdown’ vulnerabilities
Knowledge Article Number 000269190: Salesforce response to ‘Spectre’ and ‘Meltdown’ Vulnerabilities
Samsung About speculative execution vulnerabilities in ARM-based CPUs
Android Security Updates: January 2018
SAS SAS Statement Regarding Meltdown/Spectre Vulnerabilities
Scaleway Spectre and Meltdown Vulnerabilities Status Page
Schneider Electric SEVD-2018-005-01: Security Notification – Spectre and Meltdown
Scientific Linux CVE-2017-5715
CVE-2017-5753
CVE-2017-5754
ScyllaDB The Cost of Avoiding a Meltdown
Sentinel One Meltdown/Spectre – A tale of two vendors
SentinelOne is Compatible with “Meltdown” and “Spectre” Fixes
ServiceNow KB0661896: Spectre/Meltdown CPU Vulnerabilities – 01/04/18
Siemens SSB-068644: General Customer Information for Spectre and Meltdown
Silver Peak CPU Side-Channel Attacks – Spectre Attacks: Exploiting Speculative Execution – Meltdown: Rogue Data Cache Load
SIOS CPU由来の脆弱性情報(Meltdown and Spectre Vulnerability : CVE-2017-5753, CVE-2017-5754, CVE-2017-5715)
Smartsheet Meltdown, Spectre and Smartsheet
Smiths Medical Cyber Security Engineering Products Security Bulletin 2018 JAN 12.1
SOC Prime Meltdown and Spectre attacks exploit vulnerabilities in CPU to steal data
SolarWinds Update: AV: January 5, 2018: Notice of Vulnerability CVE-2017-5733, CVE-2017-5715 (Spectre) and CVE-2017-5754 (Meltdown)
SonicWall Meltdown and Spectre Vulnerabilities: A SonicWall Alert
Sophos 128053: Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre)
Spectracom Spectre and Meltdown Vulnerabilities (CVE-2016-5715, CVE-2017-5753, CVE-2017-5754)
Spotinst Spotinst Update Concerning: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
SuperMicro Security Vulnerabilities Regarding Side Channel Speculative Execution and Indirect Branch Prediction Information Disclosure (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
SUSE SUSE Linux security updates CVE-2017-5715
SUSE Linux security updates CVE-2017-5753
SUSE Linux security updates CVE-2017-5754
Symantec INFO4793: Meltdown and Spectre: Are Symantec Products Affected?
SA161: Local Information Disclosure Due to Meltdown and Spectre Attacks
Synology Synology-SA-18:01 Meltdown and Spectre Attacks
Tableau [Informational] INF-2018-001: CPU Speculative Execution Vulnerabilities
Tanium Spectre and Meltdown FAQ
Tenable The First Major Security Logos of 2018: Spectre and Meltdown Vulnerabilities
Thomas Krenn Sicherheitshinweise zu Meltdown und Spectre
Tibco Meltdown and Spectre Vulnerability Update
Toshiba ID 4015952: Intel, AMD & Microsoft Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method Security Vulnerabilities
Trend Micro Solution ID: 1118996: Important Information for Trend Micro Solutions and Microsoft January 2018 Security Updates
Solution ID: 1119183: Important Information for Trend Micro Solutions and Microsoft January 2018 Security Updates (Meltdown and Spectre)
Ubuntu Ubuntu Updates for the Meltdown / Spectre Vulnerabilities
UpCloud Information regarding the Intel CPU vulnerability (Meltdown)
VAIO Side Channel Analysis に関する脆弱性対応について
Veeam KB ID 2427: Meltdown and Spectre vulnerabilities
Veritas Article ID 100041496: Veritas Appliance Statement on Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715)
Vertiv Vertiv Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
VIPRE 1000258536: Critical Alert – 1/3/2018 Windows Security Update
Virtuozzo Virtuozzo Addresses Intel Bug Questions
Important kernel security update: Fixes for Meltdown and Spectre exploits; new kernel 3.10.0-693.11.6.vz7.40.4, Virtuozzo 7.0 Update 6 Hotfix 3 (7.0.6-710)
Important kernel security update: Fixes for Meltdown and Spectre exploits; new kernel 2.6.32-042stab127.2, Virtuozzo 6.0 Update 12 Hotfix 20 (6.0.12-3690)
Important kernel security update: Fixes for Meltdown and Spectre exploits; new kernel 2.6.32-042stab127.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
VMware VMSA-2018-0002 VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution
VMSA-2018-0004 VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue
KB52085: Hypervisor-Assisted Guest Mitigation for branch target injection (52085)
KB52245: VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52245)
KB52264: VMware Virtual Appliances and CVE-2017-5753, CVE-2017-5715 (Spectre), CVE-2017-5754 (Meltdown) (52264)
KB52292: VMware NSX Guest Introspection compatibility for Microsoft Windows patches released for “Spectre” and “Meltdown” (52292)
KB52337: VMware Performance Impact for CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52337)
KB52345: Intel Sightings in ESXi Bundled Microcode Patches for VMSA-2018-0004 (52345)
KB52367: VMware 仮想アプライアンスと CVE-2017-5753、CVE-2017-5715 (Spectre)、CVE-2017-5754 (Meltdown) (52367)
KB52368: VMware 虚拟设备和 CVE-2017-5753、CVE-2017-5715 (Spectre)、CVE-2017-5754 (Meltdown) (52264) (52368)
Vultr Intel CPU Vulnerability Alert
WatchGuard Article ID 000011204: Meltdown and Spectre Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
Webkit What Spectre and Meltdown Mean For WebKit
WebKitGTK+ Security Advisory WSA-2018-0001
Webroot Solution 2837: This solution allows users to enable their devices to receive the latest Microsoft January 2018 Security Patch
Wind River Security Vulnerability Response Information: Meltdown and Spectre: CVE-2017-5753, CVE-2017-5715, CVE-2017-5754
Wind River Security Vulnerability Notice: Linux Kernel Meltdown and Spectre Break (Side-Channel Attacks) – CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
Updated Intel Microcode 20180108
Wonderware PacWest Important! Tech Alert 287
Xen Advisory XSA-254: Information leak via side effects of speculative execution
XKCD Meltdown and Spectre (user education)
Zebra Reference No 01-0118-01: Spectre and Meltdown Security Vulnerability Updates
Zerto KB Number 000001474: Meltdown and Spectre Vulnerability (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) Update
Zscaler Meltdown and Spectre vulnerabilities: What you need to know
Meltdown and Spectre vulnerabilities: Protecting Zscaler Cloud
Meltdown and Spectre Vulnerabilities – initial assessment

Kevin Beaumont of DoublePulsar Security announced on Twitter that he is tracking the compatibility of anti-malware software with Microsoft’s patches in a Google Docs spreadsheet.

Technical Details

The confusion over brands of affected CPUs may be due to the fact that this is not one vulnerability, but two similar vulnerabilities, dubbed Meltdown and Spectre by their respective discoverers. The Meltdown vulnerability is limited to Intel’s processors, while Spectre affects AMD, ARM, IBM, Intel and possibly other processors as well. These vulnerabilities have three CVE numbers (a quasi-government standard for tracking computer security vulnerabilities and exposures) assigned to them:

For many years, processor manufacturers – such as Intel – have been able to fix flaws in processor architecture through microcode updates, which write an update to the processor itself to fix a bug. When this article was originally published, ESET wrote that the vulnerabilities might not be fixable with a microcode update to Intel processors; however, it now appears that it may be possible to mitigate the Spectre vulnerability in Intel CPUs via microcode update, as well as provide additional protection against the Meltdown vulnerability.

Intel’s security advisory, INTEL-SA-00088 Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method, lists forty-four (44) affected families of processors, each of which can contain dozens of models.  ARM Limited has released an advisory titled Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism that currently lists ten (10) affected models of processor.

Computer emergency, incident, and security response teams from around the world have issued advisories to their respective countries.

ESET’s Response

As mentioned at the beginning of the article, ESET released Antivirus and Antispyware module update 1533.3 on Wednesday, January 3, 2018, to all customers to ensure compatibility with Microsoft’s updates to the Windows operating systems.  ESET is working alongside hardware and software vendors to mitigate the risk posed by the vulnerabilities.

For additional information see:

Please periodically check these articles and revisit this blog post for updates as additional information becomes available.

Special thanks to my colleagues Tony Anscombe, Richard Baranyi, Shane B., Bruce P. Burrell, Shane Curtis, Nick FitzGerald, David Harley, Elod K., James R., Peter Stancik, Marek Z., and Righard Zwienenberg for their assistance in preparing this article.


Revision History

2018-01-05: Initial Release.
2018-01-06: Added information for AMD, Android (Google), Chromium Project, Cisco, Citrix, Debian, Dell, F5 Networks, Huawei, NetApp, nVidia, Raspberry Pi, SUSE, Synology, and Ubuntu to Vendors. Revised existing links as needed.
2018-01-07: Revised Background. Added links to CERT and US-CERT to Responders. Added information for FreeBSD to Vendors. Revised existing entries as needed.
2018-01-08: Revised Background. Added information for ASUS, Dragonfly BSD, HPE, Juniper and Qubes OS to Vendors.
2018-01-09: Added information for A10 Networks, Arista Networks, Aruba Networks, Avaya, Centos, CoreOS, Digital Ocean, Duo Security, Extreme Networks, Fedora, Kemp Technologies, Linode, Liquid Web, LLVM, Mitel, Netgear, OpenBSD, OpenSUSE, Open Telekom, OVH, Palo Alto Networks, Pulse Secure, QEMU, QNAP, RISC-V, Riverbed Technology, SonicWall, Sophos and SuperMicro to Vendors. Revised existing entries as needed.
2018-01-10: Revised Affected Vendors. Added information for AbacusNext, Aerohive, Akamai, Alibaba Cloud, ArchLinux, Avast, AVM, Barracuda Networks, BerganKDV, BitDefender, CA Technologies, Check Point, Comodo, Crestron, Cylance, Cyren, Cumulus Networks, Elastic, Emsisoft, ESET, ForcePoint, Fujitsu, G DATA, Gandi, Gentoo, Heroku, Hetzner Online, HP, Ikarus, Kaspersky, LANCOM Systems, Linux Mint, Malwarebytes, McAfee, MicroWorld Technologies, Netgate, Nutanix, OpenGear, Okta, Oracle, OSISoft, Panda Security, Polycom, Proxmox, Qualys, Quanta, Rackspace, RSA, SalesForce, Scaleway, Silver Peak, Symantec, Thomas Krenn, Trend Micro, UpCloud, Veritas, VIPRE, Virtuozzo, Vultr, WatchGuard, Webkit, Webroot, XKCD and Zscaler to Vendors.
2018-01-11: Revised Technical Details. Added information for Acronis, AhnLab, Apache, AVG, AVira, Box, BrightSign, Bromium, Carbon Black, Cloud Foundry, Commvault, ConnectWise, Contegix, Couchbase, Endgame, FireEye, Lansweeper, NGINX, OnApp, OpenStack, ScyllaDB and Veeam to Vendors.
2018-01-12: Added information for Acer, ADP, Appalachia Technologies, APC, Aptible, Aspera, ASRock, BMC, ClearOS, cPanel, Digi, DocuSign, GFI, Gemalto, Gigabyte, Imperva, Littlefish, MSI, Outpost24, Parrot, Patchman, Plesk, Protiviti, Rapid7, Resolver, Ruckus Networks, Samsung, SAS, Schneider Electric, Scientific Linux, Siemens, SIOS, SolarWinds, Spectracom, Spotinst, Tableau, Tibco, Vertiv, Wind River, Zebra, and Zerto to Vendors. Revised existing entries as needed.
2018-01-12: Revised History. Added information for Bomgar, Ivanti, Lime Technology and ServiceNow to Vendors. Revised existing entries as needed.
2018-01-15: Added information for AgileBits, Capsule8, IGEL, myAirWatch, Neverware, Nyotron, Panasonic, PostgreSQL, Qihu 360, Quick Heal, Sentinel One, Tenable, Toshiba and VAIO to Vendors.  Added DE (BSI) to Responders.
2018-01-16: Added information for ABB, Abbott, American Megatrends, Auth0, BD, Fifty Seven Network, Johnson & Johnson, Oracle, Philips, Qubole, Rockwell Automation, Siemens, Smartsheet, Smiths Medical and Wonderware PacWest to Vendors.  Added US (NH-ISAC) to Responders. Revised existing entries as needed.
2018-01-16: Added information for A56 Informatique, Algolia, Bitnami, Epic Games, Fasthosts, Foundation IT, Johnson Controls, K7 Computing, One Identity, Packet, Prgmr.com, Purism, SOC Prime and Tanium to Vendors.  Added BE (CERT.be) to Responders. Revised existing entries as needed.
2018-01-17: Added information for Aiven, brightsolid, Faronics, Hitachi and Mageia Linux to Vendors. Revised existing entries as needed.
2018-01-18: Added information for CyberAdapt, Barkly, Deep Instinct, Ensilo, Getac, and Intego to Vendors. Revised existing entries as needed.

Author Aryeh Goretsky, ESET




