CERT mailing list archives

TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Thu, 04 Jan 2018 16:11:38 -0600

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:



TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance [ https://www.us-cert.gov/ncas/alerts/TA18-004A ] 
01/04/2018 01:47 PM EST 
Original release date: January 04, 2018

Systems Affected

CPU hardware implementations

Overview

On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of 
security vulnerabilities known as Meltdown [ https://meltdownattack.com/ ] and Spectre [ https://spectreattack.com/ ] 
that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access 
to sensitive information.

Description

CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. These attacks 
are described in detail by CERT/CC's Vulnerability Note VU#584653 [ https://www.kb.cert.org/vuls/id/584653 ], the United 
Kingdom National Cyber Security Centre's guidance on Meltdown and Spectre [ 
https://www.ncsc.gov.uk/guidance/meltdown-and-spectre-guidance ], Google Project Zero [ 
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html ], and the Institute of Applied 
Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz). The Linux kernel 
mitigations for this vulnerability are referred to as KAISER, and subsequently KPTI, which aim to improve separation of 
kernel and user memory pages.

Intel and Linux have developed tools to detect and mitigate the Meltdown and Spectre vulnerabilities in Windows and 
Linux. See INTEL-SA-00075 Detection and Mitigation Tool (Windows) [ 
https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-and-Mitigation-Tool ] and INTEL-SA-00075 Linux 
Detection and Mitigation Tools (Linux) [ https://github.com/intel/INTEL-SA-00075-Linux-Detection-And-Mitigation-Tools ] 
for further information.

Impact

Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.

Solution

NCCIC encourages users and administrators to refer to their OS vendors for the most recent information. However, the 
table provided below lists available patches. Because the vulnerability exists in CPU architecture rather 
than in software, patching may not fully address these vulnerabilities in all cases.
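
As an added example (not part of the US-CERT alert), the shell functions below read the status that a patched Linux kernel itself reports for Meltdown and Spectre. They assume a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (Linux 4.15 and vendor backports); the function names and the sample status files are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the kernel's own Meltdown/Spectre status report.
# Assumption: the kernel exposes the sysfs directory below; older kernels do not.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [DIR] -> prints "<name> <class> <raw status>" per entry.
# Returns 0 if every entry is mitigated or not affected, 1 if any entry is
# vulnerable or unreadable, 2 if the directory does not exist at all.
check_cpu_vulns() {
    vuln_dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$vuln_dir" ]; then
        echo "no $vuln_dir: kernel predates the sysfs report" >&2
        return 2
    fi
    vuln_rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$vuln_dir/$name" ]; then
            status=$(cat "$vuln_dir/$name")
        else
            status="(file missing)"
        fi
        class=$(classify_status "$status")
        case "$class" in vulnerable|unknown) vuln_rc=1 ;; esac
        printf '%s %s %s\n' "$name" "$class" "$status"
    done
    return $vuln_rc
}

# make_sample_dir -> builds a constructed sample tree and prints its path.
make_sample_dir() {
    sample_dir=$(mktemp -d)
    echo "Mitigation: PTI" > "$sample_dir/meltdown"     # constructed sample
    echo "Vulnerable"      > "$sample_dir/spectre_v1"   # constructed sample
    echo "Not affected"    > "$sample_dir/spectre_v2"   # constructed sample
    echo "$sample_dir"
}

# Demo on the constructed sample; call check_cpu_vulns with no argument on a host.
demo_dir=$(make_sample_dir)
check_cpu_vulns "$demo_dir" || echo "action needed (exit $?)"
rm -rf "$demo_dir"
```

A non-zero exit after patching and rebooting means at least one entry still reports as vulnerable or could not be read, which matches the alert's point that patching may not address every case.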

After patching, performance may be diminished by up to 30 percent. Administrators should ensure that performance is 
monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the 
effect if possible.

Additionally, impacts to availability in some cloud service providers (CSPs) have been reported as a result of patches 
to host OSes. Users and administrators who rely on cloud infrastructure should work with their CSP to mitigate and 
resolve any impacts resulting from host OS patching and mandatory rebooting.

The following table contains links to patch information published in response to the vulnerabilities.

*Link to Vendor Patch Information* | *Date Added*
Amazon [ https://aws.amazon.com/security/security-bulletins/AWS-2018-013/ ] | January 4, 2018
AMD [ https://www.amd.com/en/corporate/speculative-execution ] | January 4, 2018
Android [ https://source.android.com/security/bulletin/2018-01-01 ] | January 4, 2018
ARM [ https://developer.arm.com/support/security-update ] | January 4, 2018
CentOS [ https://lists.centos.org/pipermail/centos-announce/2018-January/date.html ] | January 4, 2018
Chromium [ https://www.chromium.org/Home/chromium-security/ssca ] | January 4, 2018
Citrix [ https://support.citrix.com/article/CTX231399 ] | January 4, 2018
F5 [ https://support.f5.com/csp/article/K91229003 ] | January 4, 2018
Google [ https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html ] | January 4, 2018
Huawei [ http://www.huawei.com/en/psirt/security-notices/huawei-sn-20180104-01-intel-en ] | January 4, 2018
IBM [ https://exchange.xforce.ibmcloud.com/collection/Central-Processor-Unit-CPU-Architectural-Design-Flaws-c422fb7c4f08a679812cf1190db15441 ] | January 4, 2018
Intel [ https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr ] | January 4, 2018
Lenovo [ https://support.lenovo.com/us/en/solutions/len-18282 ] | January 4, 2018
Linux [ https://lkml.org/lkml/2017/12/4/709 ] | January 4, 2018
Microsoft Azure [ https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/ ] | January 4, 2018
Microsoft Windows [ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 ] | January 4, 2018
NVIDIA [ http://nvidia.custhelp.com/app/answers/detail/a_id/4609 ] | January 4, 2018
OpenSuSE [ https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00001.html ] | January 4, 2018
Red Hat [ https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&documentKind=PortalProduct ] | January 4, 2018
SuSE [ http://lists.suse.com/pipermail/sle-security-updates/2018-January/date.html ] | January 4, 2018
Trend Micro [ https://success.trendmicro.com/solution/1119183-important-information-for-trend-micro-solutions-and-microsoft-january-2018-security-updates ] | January 4, 2018
VMware [ https://www.vmware.com/security/advisories/VMSA-2018-0002.html ] | January 4, 2018
Xen [ http://xenbits.xen.org/xsa/advisory-254.html ] | January 4, 2018



References

  * Graz University of Technology Meltdown website [ https://meltdownattack.com/ ] 
  * Graz University of Technology Spectre website [ https://spectreattack.com/ ] 
  * CERT/CC's Vulnerability Note VU#584653 [ https://www.kb.cert.org/vuls/id/584653 ] 
  * United Kingdom National Cyber Security Centre's guidance on Meltdown and Spectre [ https://www.ncsc.gov.uk/guidance/meltdown-and-spectre-guidance ] 
  * Google Project Zero blog [ https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html ] 
  * INTEL-SA-00075 Detection and Mitigation Tool (Windows) [ https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-and-Mitigation-Tool ] 
  * INTEL-SA-00075 Linux Detection and Mitigation Tools (Linux) [ https://github.com/intel/INTEL-SA-00075-Linux-Detection-And-Mitigation-Tools ] 

Revision History

  * January 4, 2018 