Speculative Execution Side-Channel Vulnerabilities – Vendor-Published Info

Last Modified: Jan 11, 2018 @ 11:19:36

Nothing groundbreaking here, I am just collating advisories and press releases from vendors as I find them that relate to the recently disclosed issues regarding speculative execution side-channel vulnerabilities. This is also being referred to as Spectre (variants 1 & 2) and Meltdown (variant 3). If you have any additions/corrections, please let me know in the comments, and I’ll update this post.

Disclaimer: This is my personal blog & post. This post is not an official statement or communication from Microsoft. For Microsoft’s official guidance, please see the links in the “Microsoft” section below.

Research

Vendor Info Article
Google Blog https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
Google GPZ Blog https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
Google GPZ Bugtracker https://bugs.chromium.org/p/project-zero/issues/detail?id=1272
Google More Details https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
Researchers Meltdown https://meltdownattack.com/
Researchers Spectre https://spectreattack.com/

Microsoft

Title Info Article
Securing Azure customers from CPU vulnerability Blog: Azure https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer Blog: Browsers https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/
Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems Blog: Terry Myerson https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
Guidance for mitigating speculative execution side-channel vulnerabilities Docs: Azure https://docs.microsoft.com/en-us/azure/virtual-machines/windows/mitigate-se
Windows security updates released January 3, 2018, and antivirus software KB: Antivirus https://support.microsoft.com/help/4072699
Microsoft cloud protections against speculative execution side-channel vulnerabilities KB: Cloud https://support.microsoft.com/en-us/help/4073235/cloud-protections-speculative-execution-side-channel-vulnerabilities
Protecting your device against chip-related security vulnerabilities KB: Consumer Devices https://support.microsoft.com/en-us/help/4073229/windows-protect-device-against-chip-related-security-vulnerability
Protect your Windows devices against Spectre and Meltdown KB: Devices https://support.microsoft.com/en-us/help/4073757/protect-your-devices-against-spectre-meltdown
SQL Server guidance to protect against speculative execution side-channel vulnerabilities KB: SQL Server https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server
Surface Guidance to protect against speculative execution side-channel vulnerabilities KB: Surface https://support.microsoft.com/en-us/help/4073065/surface-guidance-for-customers-and-partners-protect-your-devices-again
Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities KB: Windows Client https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe
Windows Server guidance to protect against speculative execution side-channel vulnerabilities KB: Windows Server https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution-s
ADV180002: Guidance to mitigate speculative execution side-channel vulnerabilities Security Advisory https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv180002

Advisories & Communications

CPU Makers

Vendor Info Article
AMD Info Site https://www.amd.com/en/corporate/speculative-execution
ARM Processor Security Update https://developer.arm.com/support/security-update
ARM Whitepaper https://armkeil.blob.core.windows.net/developer/Files/pdf/Cache_Speculation_Side-channels.pdf
ARM Advisory https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Security-Advisory-TFV-6
ARM Trusted Firmware Issue https://github.com/ARM-software/tf-issues/issues/541
Intel Press Release https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
Intel Security Advisory https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Intel Microsite for Side-Channel Analysis https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
Intel Whitepaper https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf
nVidia Forums https://forums.geforce.com/default/topic/1033210/nvidias-response-to-speculative-side-channels-cve-2017-5753-cve-2017-5715-and-cve-2017-5754/
nVidia Security Advisory http://nvidia.custhelp.com/app/answers/detail/a_id/4611/~/security-bulletin%3A-nvidia-gpu-display-driver-security-updates-for-speculative
RISC-V Blog https://riscv.org/2018/01/more-secure-world-risc-v-isa/

Hardware OEMs

Client OEMs

Vendor Info Article
HP Security Advisory https://support.hp.com/document/c05869091
Dell Security Advisory www.dell.com/support/meltdown-spectre
Lenovo Security Advisory https://support.lenovo.com/us/en/solutions/len-18282
Asus Security Advisory https://www.asus.com/News/YQ3Cr4OYKdZTwnQK
Acer https://us.answers.acer.com/app/answers/detail/a_id/53104
VAIO https://solutions.vaio.com/3316
Samsung Pending
Fujitsu http://www.fujitsu.com/global/support/products/software/security/products-f/jvn-93823979e.html 
LG Pending
Panasonic https://pc-dl.panasonic.co.jp/itn/vuln/g18-001.html
Toshiba https://support.toshiba.com/support/viewContentDetail?contentId=4015952
Huawei Pending
Xiaomi Pending

Server OEMs

Vendor Info Article
HPE Security Advisory http://h22208.www2.hpe.com/eginfolib/securityalerts/SCAM/Side_Channel_Analysis_Method.html
Dell Security Advisory http://www.dell.com/support/article/us/en/04/sln308588/
Lenovo Security Advisory https://support.lenovo.com/us/en/solutions/len-18282
Huawei Security Advisory http://www.huawei.com/au/psirt/security-notices/huawei-sn-20180104-01-intel-en
Fujitsu Security Advisory http://www.fujitsu.com/global/support/products/software/security/products-f/jvn-93823979e.html
Cisco Security Advisory https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
IBM Blog https://www.ibm.com/blogs/psirt/potential-cpu-security-issue/

Other OEMs

Vendor Info Article
F5 Security Advisory https://support.f5.com/csp/article/K91229003
Fortinet Security Advisory https://fortiguard.com/psirt/FG-IR-18-002
Juniper Security Advisory https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10842&actp=METADATA
NetApp Security Advisory https://security.netapp.com/advisory/ntap-20180104-0001/
Raspberry Pi Blog https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/

Cloud Providers

Vendor Article
AWS https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
Digital Ocean https://blog.digitalocean.com/a-message-about-intel-security-findings/
Google https://blog.google/topics/google-cloud/what-google-cloud-g-suite-and-chrome-customers-need-know-about-industry-wide-cpu-vulnerability/
IBM https://www.ibm.com/blogs/psirt/potential-cpu-security-issue/
Linode https://blog.linode.com/2018/01/03/cpu-vulnerabilities-meltdown-spectre/
OVH https://www.ovh.co.uk/news/articles/a2570.meltdown-spectre-bug-x86-64-cpu-ovh-fully-mobilised
Rackspace https://blog.rackspace.com/rackspace-is-tracking-vulnerabilities-affecting-processors-by-intel-amd-and-arm
Scaleway / Online.net https://blog.online.net/2018/01/03/important-note-about-the-security-flaw-impacting-arm-intel-hardware/

Virtualization

Vendor Info Article
Citrix https://support.citrix.com/article/CTX231399
VMWare https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
Xen Advisory https://xenbits.xen.org/xsa/advisory-254.html
Xen FAQ https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/

Operating Systems

Vendor Info Article
Apple Apple Overview https://support.apple.com/en-us/HT208394
Apple High Sierra Update https://support.apple.com/en-us/HT208397
CentOS Security Advisory https://lists.centos.org/pipermail/centos-announce/2018-January/022696.html
Debian https://security-tracker.debian.org/tracker/CVE-2017-5754
Fedora https://fedoramagazine.org/protect-fedora-system-meltdown/
Qubes https://www.qubes-os.org/news/2018/01/04/xsa-254-meltdown-spectre/
RedHat Security Advisory https://access.redhat.com/errata/RHSA-2018:0010
RedHat https://access.redhat.com/security/vulnerabilities/speculativeexecution
Suse https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/
Suse CVE-2017-5753 https://www.suse.com/security/cve/CVE-2017-5753/
Suse CVE-2017-5715 https://www.suse.com/security/cve/CVE-2017-5715/
Suse CVE-2017-5754 https://www.suse.com/security/cve/CVE-2017-5754/
Ubuntu KB https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
Ubuntu CVE-2017-5715 https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html
Ubuntu CVE-2017-5753 https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html
Ubuntu CVE-2017-5754 https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html
Wind River Security Advisory https://www.windriver.com/security/announcements/meltdown-spectre/

Browsers

Vendor Info Article
Google Chrome Security Info https://www.chromium.org/Home/chromium-security/ssca
Mozilla Firefox Blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
Apple Safari Security Info https://support.apple.com/en-us/HT208403
WebKit Rendering Engine Info https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/

Mobile Devices

Vendor Info Article
Android https://source.android.com/security/bulletin/2018-01-01
Apple iOS 11.2.2 https://support.apple.com/en-us/HT208401

Databases

Vendor Article
Postgresql https://www.postgresql.org/message-id/[email protected]
Oracle Pending
MySQL Pending

Antivirus

(Hat tip to Kevin Beaumont: https://twitter.com/GossiTheDog/status/948889660780175360 (Direct GDocs Link: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true))

Vendor Article
Ahnlab http://www.ahnlab.com/kr/site/support/notice/noticeView.do?boardSeq=50125159
Avast https://forum.avast.com/index.php?topic=212648.msg1439270#msg1439270
AVG https://support.avg.com/answers#!/feedtype=SINGLE_QUESTION_DETAIL&dc=All&criteria=ALLQUESTIONS&id=9060N000000TrmmQAC
Avira https://blog.avira.com/avira-compatible-with-the-new-microsoft-meltdown-update/ 
BitDefender (Consumer) https://www.bitdefender.com/consumer/support/answer/9033/?icid=overlayccom_all_pagesmicrosoft_security_update_01_2018
BitDefender (Enterprise) https://www.bitdefender.com/support/understanding-the-impact-of-meltdown-and-spectre-cpu-exploits-on-bitdefender-gravityzone-users-2072.html
CarbonBlack https://www.carbonblack.com/2018/01/05/carbon-black-solutions-currently-compatible-major-os-vendor-patches-meltdown-spectre/
Cisco https://supportforums.cisco.com/t5/sourcefire-documents/cisco-amp-for-endpoints-compatibility-with-windows-security/ta-p/3306874 
Crowdstrike https://twitter.com/CrowdStrike/status/948920096709337089
Cylance https://www.cylance.com/en_us/blog/cylance-not-impacted-by-meltdown-or-spectre-vulnerabilities.html
Cyren https://kb.cyren.com/av-support/index.php?/Knowledgebase/Article/View/429/0/important—hotfix-2018-01-for-f-prot-and-csam 
Emsisoft https://blog.emsisoft.com/2018/01/04/chip-vulnerabilities-and-emsisoft-what-you-need-to-know/
Endgame https://www.endgame.com/blog/executive-blog/endgame-compatible-spectremeltdown-patches
ESET https://www.eset.com/us/about/newsroom/corporate-blog-list/corporate-blog/meltdown-spectre-how-to-protect-yourself-from-these-cpu-security-flaws
FireEye https://www.fireeye.com/blog/products-and-services/2018/01/fireeye-endpoint-security-agent-compatible-with-meltdown-update.html 
Fortinet http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD40946&sliceId=1&docTypeID=DT_KCARTICLE_1_1
F-Secure https://safeandsavvy.f-secure.com/2018/01/04/meltdown-and-spectre-two-things-you-need-to-know/
G Data https://www.gdatasoftware.com/blog/2018/01/30322-spectre-meltdown 
Kaspersky https://support.kaspersky.com/14042
MalwareBytes https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/
McAfee (Consumer) http://service.mcafee.com/webcenter/portal/cp/home/articleview?locale=&articleId=TS102769
McAfee (Enterprise) https://kc.mcafee.com/corporate/index?page=content&id=KB90167 
Nyotron https://nyotron.com/chipocalypse/ 
Palo Alto https://live.paloaltonetworks.com/t5/Customer-Advisories/Information-about-Meltdown-and-Spectre-findings/ta-p/193878/jump-to/first-unread-message
Panda https://www.pandasecurity.com/uk/support/card?id=100059
SentinelOne https://www.sentinelone.com/blog/sentinelone-compatible-meltdown-spectre-fixes/ 
Sophos https://community.sophos.com/kb/en-us/128053 
Symantec https://support.symantec.com/en_US/article.TECH248545.html 
TotalDefense https://www.totaldefense.com/ 
Trend Micro (Consumer) https://esupport.trendmicro.com/en-us/home/pages/technical-support/1118996.aspx
Trend Micro (Enterprise) https://success.trendmicro.com/solution/1119183-important-information-for-trend-micro-solutions-and-microsoft-january-2018-security-updates 
VIPRE https://businesssupport.vipre.com/support/solutions/articles/1000258536 
Webroot https://community.webroot.com/t5/Announcements/Microsoft-Patch-Release-Wednesday-January-3-2018/m-p/310146 

SaaS

Vendor Article
Salesforce https://help.salesforce.com/articleView?id=Spectre-and-Meltdown-Vulnerabilities&language=en_US&type=1
1Password https://blog.agilebits.com/2018/01/04/same-as-it-ever-was-theres-no-reason-to-melt-down/
Dropbox Pending
BoxHQ Pending

Other

Vendor Info Article
LLVM http://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20180101/513630.html
MITRE CVE-2017-5715 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
MITRE CVE-2017-5753 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
MITRE CVE-2017-5754 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754

CERTS

CERT Info Article
CERT/CC https://www.kb.cert.org/vuls/id/584653
US CERT https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities
US CERT Technical Alert https://www.us-cert.gov/ncas/alerts/TA18-004A
KISA https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=26929
JP CERT http://jvn.jp/vu/JVNVU93823979/
CERT FR https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-001/
The BSI https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/Sicherheitsluecken_in_Prozessoren_04012018.html
NCSC NL Meltdown https://www.ncsc.nl/dienstverlening/response-op-dreigingen-en-incidenten/beveiligingsadviezen/NCSC-2018-0010+1.02+Kwetsbaarheid+ontdekt+in+Intel-processoren+Meltdown.html
NCSC NL Spectre https://www.ncsc.nl/dienstverlening/response-op-dreigingen-en-incidenten/beveiligingsadviezen/NCSC-2018-0009+1.01+Kwetsbaarheden+in+processoren+ontdekt+Spectre.html
NCSC UK Gudidance https://www.ncsc.gov.uk/guidance/meltdown-and-spectre-guidance
NCSC UK Home Users https://www.ncsc.gov.uk/guidance/home-user-guidance-manage-processor-vulnerabilities-meltdown-and-spectre

Benchmarks & Performance Impacts

Benchmark Tests

Vendor Info Article
Phoronix VM Performance Showing Mixed Impact with Linux 4.15 KPTI Patches https://www.phoronix.com/scan.php?page=article&item=linux-kpti-kvm&num=1
Phoronix Initial Benchmarks of the Performance Impact Resulting From Linux’s x86 Security Changes https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=1
Phoronix Further Analyzing The Intel CPU “x86 PTI Issue” on More Systems https://www.phoronix.com/scan.php?page=article&item=linux-more-x86pti&num=1
Reddit Discussion on Benchmarking https://www.reddit.com/r/Amd/comments/7o0m37/requesting_benchmarks_on_amd_processors_before/
TechSpot Testing Windows 10 Performance Before and After the Meltdown Flaw Emergency Patch https://www.techspot.com/article/1554-meltdown-flaw-cpu-performance-windows/
OSX Reverser Measuring OS X Meltdown Patches Performance https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/

Vendor Performance Assessments

Vendor Info Article
RedHat Performance Impacts – Describing the performance impacts to security patches https://access.redhat.com/articles/3307751
Google Protecting our Google Cloud customers from new vulnerabilities without impacting performance https://www.blog.google/topics/google-cloud/protecting-our-google-cloud-customers-new-vulnerabilities-without-impacting-performance/
Posted by ChrisAM in work, 16 comments

Fourteen Ingredient Cookies

I thought I’d share a cookie recipe I’ve been baking for a few years. My grandma used to make these. It’s a sweet, buttery cookie that crumbles apart. Continue reading →

Posted by ChrisAM in Personal, 1 comment

What I’m Working On

Top of mind:

  • Leaked credential processing
  • Supply chain security (hardware and software)
  • Credential management for internal teams
  • Data privacy
  • General Data Protection Regulation (GDPR)

I’m learning more about Azure Key Vault, storage accounts, and how to get all of those to play nice with Python. I am a PM, not an engineer, so this is a fun learning process for me.

Posted by ChrisAM in work, 0 comments