Original release date: January 04, 2018

Systems Affected

CPU hardware implementations

Overview

On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as Meltdown and Spectre— that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.

Description

CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. These attacks are described in detail by CERT/CC’s Vulnerability Note VU#584653, the United Kingdom National Cyber Security Centre’s guidance on Meltdown and Spectre, Google Project Zero, and the Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz). The Linux kernel mitigations for this vulnerability are referred to as KAISER, and subsequently KPTI, which aim to improve separation of kernel and user memory pages.

Intel and Linux have developed tools to detect and mitigate the Meltdown and Spectre vulnerabilities in Windows and Linux. See INTEL-SA-00075 Detection and Mitigation Tool (Windows) and INTEL-SA-00075 Linux Detection and Mitigation Tools (Linux) for further information.

Impact

Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.

Solution

NCCIC encourages users and administrators to refer to their OS vendors for the most recent information. However, the table provided below lists available patches. Due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.

After patching, performance may be diminished by up to 30 percent. Administrators should ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect if possible.

Additionally, impacts to availability in some cloud service providers (CSPs) have been reported as a result of patches to host OSes. Users and administrators who rely on cloud infrastructure should work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.

The following table contains links to patch information published in response to the vulnerabilities.

Link to Vendor Patch Information	Date Added
Amazon	January 4, 2018
AMD	January 4, 2018
Android	January 4, 2018
ARM	January 4, 2018
CentOS	January 4, 2018
Chromium	January 4, 2018
Citrix	January 4, 2018
F5	January 4, 2018
Google	January 4, 2018
Huawei	January 4, 2018
IBM	January 4, 2018
Intel	January 4, 2018
Lenovo	January 4, 2018
Linux	January 4, 2018
Microsoft Azure	January 4, 2018
Microsoft Windows	January 4, 2018
NVIDIA	January 4, 2018
OpenSuSE	January 4, 2018
Red Hat	January 4, 2018
SuSE	January 4, 2018
Trend Micro	January 4, 2018
VMware	January 4, 2018
Xen	January 4, 2018

 

References

• Graz University of Technology Meltdown website
• Graz University of Technology Spectre website
• CERT/CC’s Vulnerability Note VU#584653
• United Kingdom National Cyber Security Centre’s guidance on Meltdown and Spectre
• Google Project Zero blog
• INTEL-SA-00075 Detection and Mitigation Tool (Windows)
• INTEL-SA-00075 Linux Detection and Mitigation Tools (Linux)