Many blog posts have been written about the two biggest security vulnerabilities discovered so far in 2018. In fact, we are talking about three different vulnerabilities:
- CVE-2017-5715 (branch target injection)
- CVE-2017-5753 (bounds check bypass)
- CVE-2017-5754 (rogue data cache load)
CVE-2017-5715 and CVE-2017-5753 are known as “Spectre”, CVE-2017-5754 is known as “Meltdown”. If you want to read more about these vulnerabilities, please visit spectreattack.com and meltdownattack.com.
Multiple steps are necessary to be protected. The necessary information is often repeated, but it is distributed over several websites, vendor websites, articles, blog posts and security announcements.
How to protect yourself against these attacks
Two (apparently simple) steps are necessary to be protected against these vulnerabilities:
- Apply operating system updates
- Update the microcode (BIOS) of your server/workstation/laptop
If you use a hypervisor to virtualize guest operating systems, then you have to update your hypervisor as well. Just treat it like an ordinary operating system. Also, if you are using vendor-created software appliances that may be based on OS distributions like CentOS, then those need to be protected as well.
Sounds pretty simple, but it’s not. I will focus on three vendors in this blog post:
- Microsoft
- Linux
- VMware
Let’s start with Microsoft. Microsoft published the security advisory ADV180002 on 01/03/2018.
Microsoft Windows (Client)
The necessary security updates are available for Windows 7 (SP1), Windows 8.1, and Windows 10. The January 2018 security updates are ONLY offered in one of these cases (Source: Microsoft):
- A supported anti-virus application is installed
- Windows Defender Antivirus, System Center Endpoint Protection, or Microsoft Security Essentials is installed
- A registry key was added manually
OS | Update |
Windows 10 (1709) | KB4056892 |
Windows 10 (1703) | KB4056891 |
Windows 10 (1607) | KB4056890 |
Windows 10 (1511) | KB4056888 |
Windows 10 (initial) | KB4056893 |
Windows 8.1 | KB4056898 |
Windows 7 SP1 | KB4056897 |
Please note that you also need a microcode update! Reach out to your vendor.
Windows Server
The necessary security updates are available for Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016 and Windows Server Core (1709). The security updates are NOT available for Windows Server 2008 and Server 2012! The January 2018 security updates are ONLY offered in one of these cases (Source: Microsoft):
- A supported anti-virus application is installed
- Windows Defender Antivirus, System Center Endpoint Protection, or Microsoft Security Essentials is installed
- A registry key was added manually
OS | Update |
Windows Server, version 1709 (Server Core Installation) | KB4056892 |
Windows Server 2016 | KB4056890 |
Windows Server 2012 R2 | KB4056898 |
Windows Server 2008 R2 | KB4056897 |
After applying the security update, you have to enable the protection mechanism. This is different from Windows 7, 8.1 or 10! To enable the protection mechanism, you have to add three registry keys:
The primary advice is to check your kernel version against the list of known patches, update if required, reboot your server and ensure you are then using the recommended patch.
Please refer to the documentation made available below for information on which patches should be applied to mitigate Meltdown & Spectre.
Updating RedHat, CentOS
$ uname -a
$ yum clean all
$ yum update
$ rpm -q kernel
$ reboot
...
$ uname -a
Updating Debian/Ubuntu
$ uname -a
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo shutdown -r now
...
$ uname -a
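The final `uname -a` check in the procedures above can be scripted. The following is an added example, not part of the original post: it detects an updated kernel that has not been booted yet and reads the mitigation state the kernel itself reports. Assumptions: the function names are illustrative, `rpm -q kernel` output is in the usual `kernel-<release>` form, GNU `sort -V` is available, and the kernel exposes `/sys/devices/system/cpu/vulnerabilities` (mainline 4.15 and later, plus distribution backports); a missing entry is counted as not mitigated.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are illustrative.

# newest_kernel: reads `rpm -q kernel` output on stdin and prints the highest
# installed release in `uname -r` form. sort -V (GNU coreutils) is needed
# because a plain sort would rank release ...-99 above ...-100.
newest_kernel() {
    sed 's/^kernel-//' | sort -V | tail -n 1
}

# reboot_pending RUNNING: returns 0 when the running release differs from the
# newest installed kernel, i.e. the update is on disk but not booted yet.
reboot_pending() {
    local running=$1 newest
    newest=$(newest_kernel)
    [ -n "$newest" ] && [ "$running" != "$newest" ]
}

# mitigation_report [DIR]: prints one line per CVE and returns the number of
# entries the kernel does not report as mitigated. DIR defaults to the sysfs
# directory (assumption: kernel 4.15+ or a distribution backport provides it).
mitigation_report() {
    local dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    local open=0 pair name cve state
    for pair in meltdown:CVE-2017-5754 spectre_v1:CVE-2017-5753 \
                spectre_v2:CVE-2017-5715; do
        name=${pair%%:*}
        cve=${pair#*:}
        if [ -r "$dir/$name" ]; then
            state=$(cat "$dir/$name")
        else
            # Older patched kernels may not expose this file at all.
            state="unknown (not reported by this kernel)"
        fi
        case $state in
            "Not affected"*|"Mitigation:"*) ;;
            *) open=$((open + 1)) ;;
        esac
        printf '%-14s %-11s %s\n' "$cve" "$name" "$state"
    done
    return "$open"
}
```

On a RedHat/CentOS host, `rpm -q kernel | reboot_pending "$(uname -r)"` succeeds when a reboot is still outstanding; after the reboot, `mitigation_report` exits with 0 only when all three entries are mitigated or not affected.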
Further information on OS patches
RedHat/CentOS
More information on how RedHat/CentOS is handling Meltdown & Spectre can be found at https://access.redhat.com/security/vulnerabilities/speculativeexecution. You can read an overview of how the issue affects RedHat/CentOS, its impact and ultimately how to resolve it on each version of the RedHat/CentOS OS.
RedHat/CentOS 6
Three security advisories have been released for RedHat/CentOS 6 detailing security updates required.
https://access.redhat.com/errata/RHSA-2018:0008
RedHat/CentOS 7
Five security advisories have been released for RedHat/CentOS 7 detailing security updates required.
https://access.redhat.com/errata/RHSA-2018:0007
https://access.redhat.com/errata/RHSA-2018:0016
https://access.redhat.com/errata/RHSA-2018:0029
Ubuntu
Further information made available by Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html
Ubuntu have not released updates as yet, but have said that they will be released by the 9th Jan.
Debian
Further information made available by Debian:
https://security-tracker.debian.org/tracker/CVE-2017-5753
Arch Linux
There is currently a patch for Meltdown (Variant 3, CVE-2017-5754), which was fixed in version 4.14.11-1.
Further information made available by Arch:
https://security.archlinux.org/CVE-2017-5753
openSUSE Leap 42.2
Further information made available by openSUSE:
https://www.suse.com/security/cve/CVE-2017-5753
VMware has published two VMware Security Advisories (VMSA):
VMware Workstation Pro, Player, Fusion, Fusion Pro, and ESXi are affected by CVE-2017-5753 and CVE-2017-5715. VMware products do not seem to be affected by CVE-2017-5754. On 09/01/2017, VMware published VMSA-2018-0004, which also addresses CVE-2017-5715. Just to make this clear:
- Hypervisor-Specific Remediation (documented in VMSA-2018-0002)
- Hypervisor-Assisted Guest Remediation (documented in VMSA-2018-0004)
Before you apply any security updates, please make sure that you:
- Deploy the updated version of vCenter listed in the table (only if vCenter is used).
- Deploy the ESXi security updates listed in the table.
- Ensure that your VMs are using Hardware Version 9 or higher. For best performance, Hardware Version 11 or higher is recommended.
For more information about Hardware versions, read VMware KB article 1010675.
VMSA-2018-0002
OS | Update |
ESXi 6.5 | ESXi650-201712101-SG |
ESXi 6.0 | ESXi600-201711101-SG |
ESXi 5.5 | ESXi550-201709101-SG |
VMSA-2018-0004
OS | Update |
ESXi 6.5 | ESXi650-201801401-BG, and ESXi650-201801402-BG |
ESXi 6.0 | ESXi600-201801401-BG, and ESXi600-201801402-BG |
ESXi 5.5 | ESXi550-201801401-BG |
vCenter 6.5 | 6.5 U1e |
vCenter 6.0 | 6.0 U3d |
vCenter 5.5 | 5.5 U3g |
All you have to do is:
- Update your vCenter to the latest update release, then
- Update your ESXi hosts with all available security updates
- Apply the necessary guest OS security updates and enable the protection (Windows Server)
Make sure that you also apply microcode updates from your server vendor!