As most of you may be aware, Intel (and AMD) CPUs have some nasty design flaws…
This page tries to keep you updated on the current status.
Please bear with us if we’re a bit late sometimes; our first and utmost priority currently is to keep our customers safe.
There is an Update section at the end of the page that will be kept up to date as timely as possible.
- The Meltdown and Spectre bugs make it possible to read system memory ranges that should be protected, and thus to access private data that must not be accessible.
- The bug(s) seem to be a mere 15 years old.
- Any recent Intel system is affected.
- The bugs can be exploited locally only.
- But: data can be retrieved through remotely initiated attacks (i.e. scripts running in a browser, viruses, trojans).
- The complete impact as of today is not yet clear.
- The official statement on current exploits in the wild is that there haven’t been any. Officially. We cannot verify whether this is true.
THIS POST WILL BE UPDATED AS SOON AS WE HAVE NEW INFORMATION
You may bookmark this Page: https://www.compination.ch/meltdown
In this chapter we will try to give a status on the availability of fixes:
Proxmox has released several patches and a new kernel to mitigate the attack.
According to the Proxmox Forum:
Proxmox VE 5.x: pve-kernel (4.13.13-34)
- cherry-pick / backport of KPTI / Meltdown fixes (from Ubuntu-4.13.0-23.25)
- add Google Spectre PoC fix for KVM
- fix objtool build regression
Proxmox VE 4.x: pve-kernel (4.4.98-102)
- cherry-pick / backport of KPTI / Meltdown fix (based on Ubuntu-4.4.0-107.130)
- add Google Spectre PoC fix for KVM
Mac OS X
Apple has released macOS High Sierra 10.13.2 to resolve the problem.
On the same page, the status for all the other products is available.
BIG WARNING TO ALL USERS RUNNING MAC OS (X) 10.10 OR OLDER: YOU WILL MOST PROBABLY SEE NO PATCHES AT ALL! UPDATE YOUR SYSTEM IF POSSIBLE!
Patches for Windows 10, Windows 2012 R2 and Windows 2016 are out and available (just run Windows Update and reboot).
However, there seem to be problems with some current anti-virus suites that may render your system unusable! Please check with your AV vendor BEFORE updating.
As much as we hate to say this: you may not be able to update right now because of your antivirus!
More Informational Links:
Various kernels have been updated, so Linux kernel security can be restored by installing them and rebooting your system.
- Please note that older kernels (e.g. 2.4.x, 3.x) may not be patched yet – and might never get the patch – unless you are able to patch the kernel yourself (which is possible).
- Please make sure you are running one of the “stable” kernels.
- If you use Red Hat Linux, please check with Red Hat directly.
- If you use Oracle OEL, please check with Oracle directly.
Generally, the same as for Proxmox VE (above in this article) applies.
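After installing the new kernel and rebooting, it is worth confirming that the running kernel actually carries the mitigations rather than trusting the package list. The script below is an added example (our own illustration, not code from the original post, from Proxmox or from any distribution) that reads the per-issue status files a patched Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (introduced in mainline 4.15 and backported to the stable series); the function names, the exit-code convention and the sample status strings written into the constructed directories are our own choices, so the check can also be tried offline without a patched machine.

```shell
#!/bin/sh
# Added example, not part of the original post: read the per-issue mitigation
# status that a patched Linux kernel exposes under
# /sys/devices/system/cpu/vulnerabilities/ (one file per issue, each containing
# "Not affected", "Mitigation: ..." or "Vulnerable ..."). Running it after the
# kernel update and reboot shows whether the new kernel is really active.

# report_mitigations [DIR]
#   Prints one line per vulnerability file in DIR (default: the real sysfs path).
#   Returns 0 if every entry is mitigated or not affected, 1 if any entry is
#   vulnerable, 2 if the directory is missing (a kernel too old to report at all).
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: this kernel predates the vulnerabilities interface, treat it as unpatched"
        return 2
    fi
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*|"Mitigation:"*)
                printf 'OK   %-12s %s\n' "$name" "$status" ;;
            *)
                printf 'FAIL %-12s %s\n' "$name" "$status"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# make_sample DIR STATE
#   Builds a constructed stand-in for the sysfs directory so the check can be
#   exercised offline. The status strings follow the format real kernels print.
make_sample() {
    mkdir -p "$1"
    case "$2" in
        patched)
            echo "Mitigation: PTI" > "$1/meltdown"
            echo "Mitigation: __user pointer sanitization" > "$1/spectre_v1"
            echo "Mitigation: Full generic retpoline" > "$1/spectre_v2"
            ;;
        unpatched)
            echo "Vulnerable" > "$1/meltdown"
            echo "Vulnerable" > "$1/spectre_v1"
            echo "Vulnerable: Minimal generic ASM retpoline" > "$1/spectre_v2"
            ;;
    esac
}

# Demonstration on constructed data; pass --live to inspect the running kernel.
if [ "${1:-}" = "--live" ]; then
    report_mitigations
else
    tmp=$(mktemp -d)
    make_sample "$tmp/patched" patched
    make_sample "$tmp/unpatched" unpatched
    echo "== constructed 'patched' sample =="
    report_mitigations "$tmp/patched" || echo "(unexpected: sample should pass)"
    echo "== constructed 'unpatched' sample =="
    report_mitigations "$tmp/unpatched" || echo "(exit status $?: update the kernel and reboot)"
    rm -rf "$tmp"
fi
```

Run it with `--live` on each host after the reboot; a missing directory (exit status 2) means the kernel is older than the fix and still needs updating, which is exactly the case for the 2.4.x and 3.x kernels mentioned above.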
pfSense / *BSD
Netgate, the owner of the pfSense project, has released the following information today:
- Most of our users should not be concerned as long as they follow our basic guidelines for limiting access to the WebGUI, shell as well as physical access to the pfSense appliance.
- If you are running a virtualized pfSense instance make sure to update your host. Major virtualization vendors have already issued updates with fixes for Meltdown and / or Spectre.
- Our Amazon Web Services and Microsoft Azure customers are safe as both providers already patched their infrastructure against these vulnerabilities.
Note: as many of our customers are currently running virtual firewall systems (and we are tirelessly updating all server systems as fast as we can), the impact for our customers is somewhat smaller.
OpnSense has not yet issued an official statement on the issues. However, there is a quite well-written blog article from some days ago:
Other than that, given the similarity of the two systems, we think the OpnSense exposure is about the same as the pfSense one.
NetApp has released a security advisory (https://security.netapp.com/advisory/ntap-20180104-0001/) on Spectre & Meltdown.
As of now, the impact seems to be non-critical:
Successful exploitation of these vulnerabilities allows unprivileged attackers to abuse CPU data cache timing to leak information out of speculated execution, potentially leading to the arbitrary read of virtual memory across local security boundaries via targeted attacks. These attacks require the ability to run malicious code directly on the target system.
ONTAP: Unlike a general-purpose operating system, ONTAP does not provide mechanisms for non-administrative users to run third-party code. Due to this behavior, ONTAP is not affected by either the Spectre or Meltdown attacks. The same is true of all ONTAP variants including both ONTAP running on FAS/AFF hardware as well as virtualized ONTAP products such as ONTAP Select and ONTAP Cloud.
While ONTAP Select and ONTAP Cloud are not directly affected by these attacks, these attacks may be possible against the utilized hypervisor platform. NetApp recommends working with your hypervisor and cloud platform vendors to ensure that your NetApp product is running on a secure and patched platform.
StorageGRID: StorageGRID and StorageGRID Webscale do not provide mechanisms for running unprivileged third-party code and are not directly affected. For virtualized deployments, NetApp recommends working with your hypervisor and cloud platform vendors to ensure that your NetApp product is running on a secure and patched platform. For Docker-based deployments, NetApp recommends working with your operating system and hardware vendors to ensure that your NetApp product is running on a secure and patched platform.
SolidFire: Unlike a general-purpose operating system, Element OS is a closed system that does not provide mechanisms for running third-party code. Due to this behavior, Element OS running on SolidFire or NetApp HCI Storage nodes is not affected by either the Spectre or Meltdown attacks as they depend on the ability to run malicious code directly on the target system.
Our engineering team has already rolled out all (available) patches in our datacenter. We do indeed see somewhat increased CPU utilization (~3-5% higher CPU usage) on our systems.
In particular, systems with high IO workloads seem to suffer more from the fix than other systems.
According to this article (https://www.theregister.co.uk/2018/01/04/amazon_ec2_intel_meltdown_performance_hit/), AWS has seen a change in utilization since applying the patch. Rumors say that, depending on the type of workload, the performance degradation might be up to 35%.
The screenshot below was posted at: https://pbs.twimg.com/media/DSsR9VuW0AAdJBH.jpg:large, the Twitter feed is: https://twitter.com/timgostony/status/948682862844248065/photo/1
There is nothing else for us to do but:
- Patch our Customers Systems
- Mitigate the Risks
- Drink Coffee
- Drink Tea
- … and keep you updated 🙂
-=0 Updates 0=-
Jan. 15 2018
- BE AWARE: 32-bit systems will (if ever) receive patches later than 64-bit systems: https://www.heise.de/security/meldung/Meltdown-Patches-32-Bit-Systeme-stehen-hinten-an-3940207.html
- Some users with Haswell server systems have been complaining about “unmotivated reboots” after installing the Meltdown and Spectre patches: https://www.theregister.co.uk/2018/01/12/intel_warns_meltdown_spectre_fixes_make_broadwells_haswells_unstable/ (we have been lucky so far…)
- We just found this one: https://www.theregister.co.uk/2018/01/15/oracle_still_silent_on_meltdown_but_lists_patches_for_x86_servers/
Article by Bruce Schneier
Bruce Schneier (https://www.schneier.com) has published an article about the whole thing. We are posting it below:
Jan. 12 2018
- As it looks now, AMD is vulnerable to Spectre too: https://www.heise.de/newsticker/meldung/AMD-rudert-zurueck-Prozessoren-doch-von-Spectre-2-betroffen-Microcode-Updates-fuer-Ryzen-und-Epyc-in-3939975.html
- And… the patches do have some side effects: https://www.heise.de/newsticker/meldung/Meltdown-und-Spectre-Spontane-Neustarts-nach-Updates-von-Intels-Haswell-und-Broadwell-CPUs-3940326.html
- If you want to see how marketing works these days, this (https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/) is an almost unbeatable example….
And here is a (in our view) more realistic estimate of the overall impact:
Jan. 11, 2018
- According to this article, the first exploits are already “in the wild”: https://www.heise.de/newsticker/meldung/Meltdown-und-Spectre-Mitentdecker-warnt-vor-erstem-Schadcode-3939576.html
- Those who thought (or hoped) that they are safe because they use the SPARC architecture… nope, sorry! https://www.heise.de/newsticker/meldung/Spectre-Luecke-Auch-Server-mit-IBM-POWER-Fujitsu-SPARC-und-ARMv8-betroffen-3938749.html It currently looks like we should list the systems that are not vulnerable instead of listing all the vulnerable ones (see: https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/) – that currently seems to be the complete list so far 🙁
Jan. 9, 2018
- The following link provides an overview of the vendor status: https://www.heise.de/newsticker/meldung/Meltdown-und-Spectre-Die-Sicherheitshinweise-und-Updates-von-Hardware-und-Software-Herstellern-3936141.html