Meltdown & Spectre – STATUS

As most of you may be aware, Intel (and AMD) have some nasty design flaws inside their CPUs.

This Page tries to keep you updated on the current status.

Please bear with us if we’re a bit late sometimes, but our first and utmost Priority currently is to keep our customers safe.

There is an Update-Section at the end of the page that will be kept up to date as promptly as possible.


Abstract:

  • The Meltdown & Spectre Bugs make it possible to read System-Memory Ranges, and thus to access private data that must not be accessible.
  • The Bug(s) seem to be some 15 years old.
  • Any recent Intel System is affected.
  • The bugs can be exploited locally only.
    • But: Data can be retrieved using remotely initiated attacks (i.e. Scripts that may run in a Browser, Viruses, Trojans).
  • The complete impact as of today is not yet clear.
  • The official statement on current exploits being in the wild is that there haven’t been any. Officially. We cannot evaluate if this is true.

THIS POST WILL BE UPDATED AS SOON AS WE HAVE NEW INFORMATION

You may bookmark this Page: https://www.compination.ch/meltdown


The Fixes

In this Chapter we will try to give a Status on the availability of fixes:


ProxMox VE

Proxmox has released several patches and a new kernel to mitigate the attack.

According to the Proxmox Forum:

Proxmox VE 5.x: pve-kernel (4.13.13-34)
  • cherry-pick / backport of KPTI / Meltdown fixes (from Ubuntu-4.13.0-23.25)
  • add Google Spectre PoC fix for KVM
  • fix objtool build regression
Proxmox VE 4.x: pve-kernel (4.4.98-102)
  • cherry-pick / backport of KPTI / Meltdown fix (based on Ubuntu-4.4.0-107.130)
  • add Google Spectre PoC fix for KVM

Mac OS X

Apple has released macOS High Sierra 10.13.2 in order to resolve the Problem.

On the same page, the Status for all the other Products is available.

BIG WARNING TO ALL USERS RUNNING MAC OS (X) 10.10 OR OLDER: YOU WILL MOST PROBABLY SEE NO PATCHES AT ALL! UPDATE YOUR SYSTEM IF POSSIBLE!


Microsoft Windows

Patches for Windows 10, Windows 2012R2 and Windows 2016 are out and available (just run System Update and reboot).

However, there seem to be some problems with current Anti-Virus Software Suites that may render your system unusable! Please check with your AV-Distributor BEFORE updating.

As much as we hate to say this: You may not be able to update right now because of your Antivirus!

More Informational Links:

https://www.theregister.co.uk/2018/01/09/meltdown_spectre_slowdown/

https://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/

https://www.theregister.co.uk/2018/01/04/microsoft_windows_patch_meltdown/

https://www.theregister.co.uk/2018/01/05/spectre_flaws_explained/


Linux

Various Kernels have been updated; install the updated Kernel and reboot your system to get the fixes.

  • Please note that older Kernels (e.g. 2.4.X, 3.X) may not be patched and might never get the patch, unless you are able to patch the Kernel yourself (which is possible).
  • Please make sure you are running one of the “stable” Kernels.
  • If you use RedHat Linux, please check back with RedHat directly.
  • If you use Oracle OEL, please check back with Oracle directly.

Generally, the same as for Proxmox VE (above in this article) applies.
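
A post-patch check for the Proxmox VE and Linux sections above, as an added example that is not code from Proxmox or any vendor. It compares a pve-kernel package version (assumed to be given in the same form as the versions listed above) with the fixed versions, and reads the kernel's own status files under /sys/devices/system/cpu/vulnerabilities, which exist only on kernels that carry this reporting interface. The function names are made up for this example.

```shell
#!/bin/sh
FIXED_5X="4.13.13-34"   # Proxmox VE 5.x pve-kernel, as listed above
FIXED_4X="4.4.98-102"   # Proxmox VE 4.x pve-kernel, as listed above

# version_ge A B: succeed if A >= B, comparing each field numerically
# (a plain string compare would rank "-9" above "-102").
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# pve_kernel_fixed VERSION: prints fixed, outdated, or unknown
# (unknown = kernel series not covered by the list above).
pve_kernel_fixed() {
    case "$1" in
        4.13.*) version_ge "$1" "$FIXED_5X" && echo fixed || echo outdated ;;
        4.4.*)  version_ge "$1" "$FIXED_4X" && echo fixed || echo outdated ;;
        *)      echo unknown ;;
    esac
}

# mitigation_report [DIR]: read the kernel's per-flaw status files; returns
# non-zero if any file reports neither a mitigation nor "Not affected".
mitigation_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ ! -r "$dir/$name" ]; then
            echo "$name: no-report"   # kernel lacks the interface
            continue
        fi
        case "$(cat "$dir/$name")" in
            "Not affected"*) echo "$name: not-affected" ;;
            Mitigation*)     echo "$name: mitigated" ;;
            *)               echo "$name: VULNERABLE"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Default argument is a constructed sample; pass your installed version.
pve_kernel_fixed "${1:-4.13.13-34}"
mitigation_report "${2:-}" || echo "not fully mitigated: update and reboot"
```

A "no-report" line only means the running kernel does not expose the status files; it says nothing about whether the fixes are present.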


pfSense / *BSD

Netgate, the owner of the pfSense Project, has released the following Information as of today:

https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html

Excerpt:

  • Most of our users should not be concerned as long as they follow our basic guidelines for limiting access to the WebGUI, shell as well as physical access to the pfSense appliance.
  • If you are running a virtualized pfSense instance make sure to update your host. Major virtualization vendors have already issued updates with fixes for Meltdown and / or Spectre.
  • Our Amazon Web Services and Microsoft Azure customers are safe as both providers already patched their infrastructure against these vulnerabilities.

Note: As many of our customers are currently running virtual firewall systems (and we are tirelessly updating all server systems as fast as we can), the impact for our Customers is somewhat smaller.


OpnSense

OpnSense has not yet issued an official statement on the issues. However, there’s a quite well written blog article from some days ago:

https://blog.werk21.de/de/2018/01/04/spectre-und-meltdown

Other than that, given the similarity of the two systems, we think the OpnSense Exposure is about the same as the pfSense one.


NetApp

NetApp has released a Security Advisory (https://security.netapp.com/advisory/ntap-20180104-0001/) on Spectre & Meltdown.

As of now, the Impact seems to be non-critical:

Successful exploitation of these vulnerabilities allows unprivileged attackers to abuse CPU data cache timing to leak information out of speculated execution, potentially leading to the arbitrary read of virtual memory across local security boundaries via targeted attacks. These attacks require the ability to run malicious code directly on the target system.

ONTAP: Unlike a general-purpose operating system, ONTAP does not provide mechanisms for non-administrative users to run third-party code. Due to this behavior, ONTAP is not affected by either the Spectre or Meltdown attacks. The same is true of all ONTAP variants including both ONTAP running on FAS/AFF hardware as well as virtualized ONTAP products such as ONTAP Select and ONTAP Cloud.
While ONTAP Select and ONTAP Cloud are not directly affected by these attacks, these attacks may be possible against the utilized hypervisor platform. NetApp recommends working with your hypervisor and cloud platform vendors to ensure that your NetApp product is running on a secure and patched platform.

StorageGRID: StorageGRID and StorageGRID Webscale do not provide mechanisms for running unprivileged third-party code and are not directly affected. For virtualized deployments, NetApp recommends working with your hypervisor and cloud platform vendors to ensure that your NetApp product is running on a secure and patched platform. For Docker-based deployments, NetApp recommends working with your operating system and hardware vendors to ensure that your NetApp product is running on a secure and patched platform.

SolidFire: Unlike a general-purpose operating system, Element OS is a closed system that does not provide mechanisms for running third-party code. Due to this behavior, Element OS running on SolidFire or NetApp HCI Storage nodes is not affected by either the Spectre or Meltdown attacks as they depend on the ability to run malicious code directly on the target system.


Overall Impact

Our engineering team has already rolled out all (available) Patches in our Datacenter. We do indeed see some increased CPU Utilization (~3-5% higher CPU Usage) on our systems.

In particular, Systems with high IO Workloads seem to digest the Bug-Fix worse than other systems.

According to this article (https://www.theregister.co.uk/2018/01/04/amazon_ec2_intel_meltdown_performance_hit/), AWS has seen a change in utilization since applying the Patch. Rumor has it that, depending on the type of workload, the Performance-Degradation might be up to 35%.

The below screenshot has been posted on: https://pbs.twimg.com/media/DSsR9VuW0AAdJBH.jpg:large, the Twitter-Feed is: https://twitter.com/timgostony/status/948682862844248065/photo/1


Verdict

There is nothing else for us to do but:

  1. Patch our Customers' Systems
  2. Mitigate the Risks
  3. Drink Coffee
  4. Drink Tea
  5. Wait
  6. Hope.
  7. … and keep you updated 🙂

-=0 Updates 0=-

Jan. 15, 2018

Article by Bruce Schneier

Bruce Schneier (https://www.schneier.com) has published an article about the whole Thing. We are posting it below:

Spectre and Meltdown Attacks Against Microprocessors

The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution -- which of course is not a solution -- is to throw them all away and buy new ones.
On January 3, researchers announced a series of major security vulnerabilities in the microprocessors at the heart of the world's computers for the past 15-20 years. They've been named Spectre and Meltdown, and they have to do with manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets elsewhere on the computer.
This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer -- maybe one running in a browser window from that sketchy site you're visiting, or as a result of a phishing attack -- can steal data elsewhere on your machine. Cloud services, which often share machines amongst several customers, are especially vulnerable. This affects corporate applications running on cloud infrastructure, and end-user cloud applications like Google Drive. Someone can run a process in the cloud and steal data from every other user on the same hardware.
Information about these flaws has been secretly circulating amongst the major IT companies for months as they researched the ramifications and coordinated updates. The details were supposed to be released next week, but the story broke early and everyone is scrambling. By now all the major cloud vendors have patched their systems against the vulnerabilities that can be patched against.
"Throw it away and buy a new one" is ridiculous security advice, but it's what US-CERT recommends. It is also unworkable. The problem is that there isn't anything to buy that isn't vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there's no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.
This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.
The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There aren't security teams on call to write patches, and there often aren't mechanisms to push patches onto the devices. We're already seeing this with home routers, digital video recorders, and webcams. The vulnerability that allowed them to be taken over by the Mirai botnet last August simply can't be fixed.
The second is that some of the patches require updating the computer's firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong. It also requires more coordination. In November, Intel released a firmware update to fix a vulnerability in its Management Engine (ME): another flaw in its microprocessors. But it couldn't get that update directly to users; it had to work with the individual hardware companies, and some of them just weren't capable of getting the update to their customers.
We're already seeing this. Some patches require users to disable the computer's password, which means organizations can't automate the patch. Some antivirus software blocks the patch, or -- worse -- crashes the computer. This results in a three-step process: patch your antivirus software, patch your operating system, and *then* patch the computer's firmware.
The final reason is the nature of these vulnerabilities themselves. These aren't normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.
It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren't thinking about security. They didn't have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors. Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.
Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming -- and what they'll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.
This isn't to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don't click on strange e-mail attachments, don't visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.
You probably won't notice that performance hit once Meltdown is patched, except maybe in backup programs and networking applications. Embedded systems that do only one task, like your programmable thermostat or the computer in your refrigerator, are unaffected. Small microprocessors that don't do all of the vulnerable fancy performance tricks are unaffected. Browsers will figure out how to mitigate this in software. Overall, the security of the average Internet-of-Things device is so bad that this attack is in the noise compared to the previously known risks.
It's a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they'll figure out some clever way of detecting and blocking the attacks. All in all, as bad as Spectre and Meltdown are, I think we got lucky.
But more are coming, and they'll be worse. 2018 will be the year of microprocessor vulnerabilities, and it's going to be a wild ride.

Note: A shorter version of this essay previously appeared on CNN.com.
https://www.cnn.com/2018/01/04/opinions/security-of-nearly-every-computer-has-just-gotten-a-lot-worse-opinion-schneier/index.html

News articles:
https://www.nytimes.com/2018/01/03/business/computer-flaws.html
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/
http://www.zdnet.com/article/security-flaws-affect-every-intel-chip-since-1995-arm-processors-vulnerable/
https://www.forbes.com/sites/thomasbrewster/2018/01/03/intel-meltdown-spectre-vulnerabilities-leave-millions-open-to-cyber-attack/#277e7f0b3932
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/

Vulnerability's website:
https://spectreattack.com/

Technical information:
https://lwn.net/SubscriberLink/742702/83606d2d267c0193/
http://www.tomshardware.com/news/meltdown-spectre-exploits-intel-amd-arm-nvidia,36219.html
https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/

Research papers:
https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/spectre.pdf

Vulnerabilities in browsers:
https://www.lawfareblog.com/spectre-advertising-meltdown-what-you-need-know
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
http://www.tomshardware.com/news/meltdown-spectre-exploit-browser-javascript,36221.html

Early news about the vulnerability:
https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

US-CERT recommendation:
https://www.kb.cert.org/vuls/id/584653

Who's patched what:
https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/

Unpatchable devices:
https://www.wired.com/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/

Mirai botnet:
https://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/

Intel ME vulnerability:
https://www.wired.com/story/intel-management-engine-vulnerabilities-pcs-servers-iot/

Problems with patching:
http://www.zdnet.com/article/windows-meltdown-spectre-patches-if-you-havent-got-them-blame-your-antivirus/
https://docs.google.com/spreadsheets/u/2/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

 


Jan. 12, 2018

And here is a (from our point of view) more realistic estimate of the overall impact:


Jan. 11, 2018


Jan. 9, 2018