How to Protect Your Computers From Spectre, Meltdown Vulnerabilities


For some users, protecting systems against the potential security threats from two processor design vulnerabilities will be straightforward; for others it will be more complicated.

The first thing you have to know about the two processor vulnerabilities affecting Intel and other chip makers is that there are currently no known exploits circulating in the wild. This means that if you can’t find a fix for the Spectre or Meltdown vulnerabilities for your organization’s computers, you don’t have to panic—yet.

But that doesn’t mean you shouldn’t start working on a permanent solution, because the problem is very real, and eventually it’s likely that someone, somewhere, will find a way to use the vulnerabilities to break into something.

Both of the vulnerabilities are present in Intel chips and have been since 1995. However, it would be wrong to call either a bug or a design flaw, because the features behind the vulnerabilities were deliberately built in to enhance performance.

Meltdown is based on the sharing of memory mappings between the kernel and an application. Spectre is based on speculative execution, a technique in which the processor predicts which instructions will run next and begins executing them before it knows whether the prediction was correct.

Researchers at Google’s Project Zero found that some extremely subtle timing differences in how a processor executed instructions could reveal the contents of memory the program was not supposed to be able to read. Likewise, the sharing of kernel memory mappings allowed some leakage of memory contents. Both of these could potentially be used by malware creators to gather protected information.

There are three potential pathways through which malware could gain system access. The most serious are through a browser and through the computer’s operating system. Closing off those pathways requires OS vendors and browser developers to make changes that protect against these attacks.

Microsoft has already released updates for Windows 10 that protect against both vulnerabilities. Updates for other Microsoft operating systems, including Windows Server and Windows 7, will be sent out on Jan. 9, the normal Patch Tuesday. Updates for some versions of Linux are already available, with other versions to follow soon. Apple has said that its macOS and iOS devices are vulnerable and that it will release updates soon, although no exact date is available.

Browser developers are already starting to send out updates. Firefox has already been updated; Microsoft has sent out updates for its Edge and Internet Explorer browsers. Google has said it will update the Chrome browser soon. 

The other pathway is through the processor itself. Closing it requires updating the processor’s microcode, usually by reflashing the computer’s BIOS, to work around the problem. But when it comes to updating your hardware, you may find yourself in Update Hell.

This is because you have to depend on the maker of the computer to provide the required firmware updates, and whether you can get an update easily—or at all—depends on which company made your computer or server.

I investigated updates for computers and servers from three vendors: Dell, Hewlett Packard and Lenovo. Where possible, I attempted to perform the necessary updates by downloading and flashing the relevant firmware or BIOS.

Lenovo made it easy. The company provides an update engine that’s included with its products—even old ones—that will find and download the files needed for the update. Then it will ask you when it’s OK to install them. The process is automated and fast. 

I don’t have an operational Dell machine in my office right now, but a search turned up Dell’s support pages for its client PCs and servers. These let users search for their specific computer model and then follow a link to download the updated firmware. While I didn’t try the updates for Dell’s full line of servers, there didn’t seem to be any restrictions on what you can download.

The situation is different with HP. First, the company has divided itself into two parts, HP and HPE (Hewlett Packard Enterprise). Servers and other enterprise hardware are handled by HPE while consumer and business computers such as laptops, desktops and workstations are handled by HP. 

Getting firmware updates from HP is fairly easy, but the company does not appear to have released any updates for these vulnerabilities. Some of the firmware downloads available on HP’s business computer site haven’t been updated for years. 

At HPE the firmware updates may be available, but unless you have a machine that’s under warranty or you have been paying HPE for a maintenance contract, you’re out of luck. You can tell this because the download page for HPE servers shows the words “entitlement required,” which means that if you can’t prove you’ve been paying for support, you don’t get the update.

What makes things worse is that even though HPE indicates you may be able to pay a license fee for the update, there’s no apparent means of doing so, and customer service personnel aren’t able to help. So if you have equipment from HPE, you’re on your own, with one less-than-convenient recourse: find another server vendor.

You should note that not every computer with every processor is going to receive updates immediately. While Intel has released updates to the manufacturers, it’s up to them to turn those into a readily accessible package you can use to flash your firmware and microcode. You can expect updates for newer hardware to be available first. You need to keep checking and hope you get lucky.


Current Mitigation Patch Status
Linux distributions have started to distribute patches, but no distributions are yet fully patched.

Distributions that have released kernel updates with partial mitigation include:

CentOS 7: kernel 3.10.0-693.11.6
CentOS 6: kernel 2.6.32-696.18.7
Fedora 27: kernel 4.14.11-300
Fedora 26: kernel 4.14.11-200
Ubuntu 17.10: kernel 4.13.0-25-generic
Ubuntu 16.04: kernel 4.4.0-108-generic
Ubuntu 14.04: kernel 3.13.0-139-generic
Debian 9: kernel 4.9.0-5-amd64
Debian 8: kernel 3.16.0-5-amd64
Debian 7: kernel 3.2.0-5-amd64
Fedora 27 Atomic: kernel 4.14.11-300.fc27.x86_64
CoreOS: kernel 4.14.11-coreos

If your kernel is at or above the version listed above for your distribution, some of the mitigations have been applied.

Operating systems that have not yet released kernels with mitigation include:

FreeBSD 11.x
FreeBSD 10.x

Ubuntu 17.04, which reaches end of life on January 13, 2018, will not receive patches. Users are strongly encouraged to update or migrate.

Warning: We strongly recommend that you update or migrate off of any release that has reached end of life. These releases do not receive critical security updates for vulnerabilities like Meltdown and Spectre, which can put your systems and users at risk.

Because of the severity of this vulnerability, we recommend applying updates as they become available instead of waiting for a full patch set. This may require you to upgrade the kernel and reboot more than once in the coming days and weeks.

To update your servers, you need to update your system software once patches are available for your distribution. You can update by running your regular package manager to download the latest kernel version and then rebooting your server to switch over to the patched code.

For Ubuntu and Debian servers, you can update your system software by refreshing your local package index and then upgrading your system software:

sudo apt-get update
sudo apt-get dist-upgrade

For CentOS servers, you can download and install updated software by typing:

sudo yum update

For Fedora servers, use the dnf tool instead:

sudo dnf update

Regardless of the operating system, once the updates are applied, reboot your server to switch to the new kernel:

sudo reboot

Once the server is back online, log in and check the active kernel against the list above to ensure that your kernel has been upgraded. Check for new updates frequently to ensure that you receive further patches as they become available.
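As an added example that is not part of the original article, the following POSIX shell script automates the check described above: it compares the running kernel, as reported by uname -r, against the minimum partially mitigated version listed above for the distribution. The distro keys, the detect_distro helper and the reliance on a version-aware sort -V are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the running kernel against the partial-mitigation
# minimums listed in the article. Assumes GNU/BusyBox `sort -V`.

# Minimum kernel versions from the list above, keyed by a distro id
# such as "ubuntu1604" or "centos7" (keys are this example's convention).
min_patched_kernel() {
    case "$1" in
        centos7)    echo "3.10.0-693.11.6" ;;
        centos6)    echo "2.6.32-696.18.7" ;;
        fedora27)   echo "4.14.11-300" ;;
        fedora26)   echo "4.14.11-200" ;;
        ubuntu1710) echo "4.13.0-25" ;;
        ubuntu1604) echo "4.4.0-108" ;;
        ubuntu1404) echo "3.13.0-139" ;;
        debian9)    echo "4.9.0-5" ;;
        debian8)    echo "3.16.0-5" ;;
        debian7)    echo "3.2.0-5" ;;
        *)          return 1 ;;
    esac
}

# Build the distro id from /etc/os-release: ID plus VERSION_ID without dots
# (e.g. ID=ubuntu VERSION_ID="16.04" -> ubuntu1604). Assumed helper.
detect_distro() {
    . /etc/os-release 2>/dev/null || return 1
    echo "${ID}$(echo "$VERSION_ID" | tr -d .)"
}

# kernel_is_patched DISTRO RUNNING_KERNEL
# Returns 0 if RUNNING_KERNEL is at or above the listed minimum, 1 if it is
# below it, and 2 if the distribution is not in the list.
kernel_is_patched() {
    min=$(min_patched_kernel "$1") || { echo "unknown distro: $1" >&2; return 2; }
    # Keep only the numeric release fields (e.g. "4.4.0-108" from
    # "4.4.0-108-generic", "3.10.0-693.11.6" from "3.10.0-693.11.6.el7.x86_64").
    running=$(echo "$2" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+-[0-9]+(\.[0-9]+)*).*/\1/')
    # The minimum sorts first (or equal) exactly when running >= minimum.
    lowest=$(printf '%s\n%s\n' "$min" "$running" | sort -V | head -n 1)
    [ "$lowest" = "$min" ]
}

# Run the check against the live system when invoked as: sh check.sh check
if [ "${1:-}" = "check" ]; then
    if kernel_is_patched "$(detect_distro)" "$(uname -r)"; then
        echo "kernel $(uname -r) is at or above the partially mitigated version"
    else
        echo "kernel $(uname -r) is below the listed version; update and reboot"
    fi
fi
```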


Conclusion

Spectre and Meltdown represent serious security vulnerabilities; the full potential of their possible impact is still developing.

To protect yourself, be vigilant in updating your operating system software as patches are released by vendors and continue to monitor communications related to the Meltdown and Spectre vulnerabilities.
