On January 3, 2018, a set of CPU vulnerabilities was disclosed to the public. These vulnerabilities allow privileged memory to be read through a side-channel attack. The vulnerabilities have been named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715).
Meltdown breaks the isolation between user space and kernel space in the operating system, allowing a local attacker to dump kernel memory, or memory at any other address, regardless of its owner. Meltdown is applicable to both the Linux kernel and Windows running on Intel processors (verified), but might also be applicable to some AMD and ARM processors.
Some operating system vendors have already supplied a fix, while others are still working on one. It is therefore important to keep up to date with the latest information and to update as soon as a fix is supplied, to mitigate the vulnerability.
Read more about Meltdown and how it works
Spectre uses a flaw in the CPU (hardware) to trick legitimate programs into leaking information. To do so, it takes advantage of speculative execution in the processor. It is more difficult to exploit than Meltdown, but it is also harder to mitigate. Spectre is applicable to most devices, and is verified on Linux and Windows running on Intel, AMD and ARM processors. There are ways to harden these systems against future attacks.
Read more about Spectre and how it works
How to Protect Your Organization against Meltdown and Spectre
Outpost24 has tests for both Meltdown and Spectre. The tests are patch-based, to ensure that the solutions provided by Microsoft are installed. We are working to add a check for the vulnerable processor manufacturer, which will reduce false positives (e.g. on AMD processors). We recommend you stay current with Outpost24 updates to get the benefits of the latest improvements. For more information, check Microsoft Security Updates
We recommend you patch whenever your OS vendor has provided a patch or update. An authenticated check for Meltdown is available now, which works like our other authenticated checks. With an authenticated connection, we can determine whether the host is vulnerable or not. This will help you identify the vulnerability while waiting for further vendor patches. In addition, we are working to add a check for whether the kernel has the KPTI patch selected at build time. Our testing confirms detection for RHEL, Oracle Linux, CentOS, Fedora, Debian, Ubuntu, Mint, Gentoo, and OpenSUSE.
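As an added example (not Outpost24's own check), the following Python script shows the kind of evidence an authenticated Linux check can gather for KPTI: it reads the kernel's own mitigation reports from /sys/devices/system/cpu/vulnerabilities (present on kernels that carry the fix) together with the `pti` flag and `cpu_meltdown` bug entry in /proc/cpuinfo, and gives a per-host verdict. The sysfs directory and the flag and bug names are Linux kernel interfaces rather than anything stated on this page, and the sample inputs used to exercise it are constructed.

```python
import re
from pathlib import Path

# Where kernels with the fix (4.15+ and distro backports) report mitigation status.
SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CPUINFO = Path("/proc/cpuinfo")

def classify(status: str) -> str:
    """Map one sysfs vulnerability file's contents to a coarse verdict."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"  # "Vulnerable", "Vulnerable: ..." or an unknown string

def cpuinfo_sets(cpuinfo_text: str) -> dict:
    """Return the 'flags' and 'bugs' word sets from the first CPU block of /proc/cpuinfo."""
    out = {"flags": set(), "bugs": set()}
    for line in cpuinfo_text.splitlines():
        m = re.match(r"^(flags|bugs)\s*:\s*(.*)$", line)
        if m and not out[m.group(1)]:
            out[m.group(1)] = set(m.group(2).split())
    return out

def assess(vuln_files: dict, cpuinfo_text: str) -> dict:
    """vuln_files maps sysfs file name (e.g. "meltdown") to its contents."""
    report = {name: classify(text) for name, text in vuln_files.items()}
    info = cpuinfo_sets(cpuinfo_text)
    # "pti" in flags: KPTI is enabled; "cpu_meltdown" (briefly "cpu_insecure") in bugs: the CPU needs it.
    active = "pti" in info["flags"]
    needs = bool({"cpu_meltdown", "cpu_insecure"} & info["bugs"])
    report["kpti_active"] = active
    if "meltdown" in report:      # kernel states it directly
        report["meltdown_exposed"] = "yes" if report["meltdown"] == "vulnerable" else "no"
    elif needs:                   # older patched kernel without the sysfs interface
        report["meltdown_exposed"] = "no" if active else "yes"
    else:                         # no evidence either way: treat as unpatched and verify
        report["meltdown_exposed"] = "unknown"
    return report

def read_host() -> dict:
    """Collect the real files from this Linux host (empty if absent)."""
    files = {p.name: p.read_text() for p in SYSFS_VULN_DIR.glob("*")} if SYSFS_VULN_DIR.is_dir() else {}
    cpuinfo = CPUINFO.read_text() if CPUINFO.exists() else ""
    return assess(files, cpuinfo)

if __name__ == "__main__":
    for key, value in sorted(read_host().items()):
        print(f"{key}: {value}")
```

A host that yields "unknown" has a kernel predating the mitigation flags, which in practice means the patch is not installed; confirm via the distribution's package version.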
Current support - updated 05 Jan 2018
At Outpost24 we have released patch/package based checks in our vulnerability management solutions for the following operating systems:
- Apple OSX
- VMware ESXi
- VMware Workstation
- Mozilla Firefox