Recently discovered speculative execution side-channel vulnerabilities make it possible for threat actors to fetch memory content across trust boundaries, leading to disclosure of sensitive data such as passwords, keys, tokens, etc.
While this flaw is web-enabled and exploitable through Mozilla Firefox and MS Internet Explorer, web servers, CDNs, etc., there is no known exploit in the wild, and the mechanics of the exploits themselves have not yet been disclosed. Patches are available from motherboard and graphics card manufacturers and hypervisor vendors, and soon from antivirus vendors.
Mitigation testing has recorded a performance impact, which may occur once the mitigations are applied.
“In testing Microsoft has seen some performance impact with these mitigations. For most consumer devices, the impact may not be noticeable, however, the specific impact varies by hardware generation and implementation by the chip manufacturer. Microsoft values the security of its software and services and has made the decision to implement certain mitigation strategies in an effort to better secure our products. We continue to work with hardware vendors to improve performance while maintaining a high level of security.”
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
Details:
This issue affects almost every user across all platforms and is not isolated to any one operating system or brand of hardware. However, varying implementations of motherboards, virtualization or operating systems may carry increased or decreased risks based on design decisions.
Vendors affected include:
- Amazon
- AMD
- Apple
- Arm
- CentOS
- Cisco
- Citrix
- Debian GNU/Linux
- Fedora Project
- Fortinet
- IBM Corporation
- Intel
- Linux Kernel
- Microsoft
- Mozilla
- NVIDIA
- openSUSE project
- Red Hat
- SUSE Linux
- Ubuntu
- VMware
- Xen
- F5 Networks
Many of these vendors already have patches available via the link below; others are forthcoming.
https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=584653&SearchOrder=4
Recommendations:
Mitigation:
- rmsource will implement network protections and patches for rmsource-hosted environments as they become available.
- rmsource will work with client IT personnel and staff to plan, schedule and implement security patches to affected platforms.
- rmsource recommends the following actions for all additional client and end-user devices:
  - Customers should review the list of affected vendors to assess their risk, determine which updates are available, and follow specific vendor recommendations for upgrades.
Urgent Security Bulletins:
- US-CERT Vulnerability Note VU#584653
https://www.kb.cert.org/vuls/id/584653
Related articles:
- Microsoft – ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
- Mozilla – Mitigations landing for new class of timing attack
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack
- Mozilla Foundation Security Advisory 2018-01
https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
Additional References:
- https://meltdownattack.com/
- https://spectreattack.com/
- https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
- https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
- https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities
- https://github.com/IAIK/KAISER
- https://gruss.cc/files/kaiser.pdf
- https://gruss.cc/files/prefetch.pdf
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5aa90a84589282b87666f92b6c3c917c8080a9bf
- https://lwn.net/Articles/741878/
- https://lwn.net/Articles/737940/
- http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table