Safety instructions for Meltdown and Spectre

The vulnerabilities Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), which affect processors from multiple vendors, can allow normal users and programs running in user space access to kernel memory.^[1]^[2]^[3] This allows unprivileged users to read arbitrary data in main memory. This includes passwords, private keys, certificates and all other sensitive information. The vulnerabilities can be addressed in part by OS-specific kernel updates, but not for all operating systems updates are available yet. Firmware updates (microcode updates) are also required for affected systems.

We will update this article as soon as new information becomes available.

Security Vulnerabilities

In addition to the security researchers who have discovered the gaps, Google,^[4] Intel and AMD have also provided information that we summarize here.

These are a total of three vulnerabilities:

Variant 1: bounds check bypass (CVE-2017-5753), (Spectre)
Variant 2: branch target injection (CVE-2017-5715), (INTEL-SA-00088), (Spectre)
Variant 3: rogue data cache load (CVE-2017-5754), (Meltdown)

The vulnerabilities allow programs that run with normal restricted rights in the so-called user space to access protected areas of the working memory (kernel memory).

FAQs

In the following FAQs we summarize the most important questions and answers to the three security vulnerabilities:

Am I affected by these vulnerabilities?
Yes, very likely. Nearly all servers and PCs with x86 processors from Intel or AMD are affected by the vulnerability. Most smartphones with ARM chips are also affected.
How can the vulnerabilities be exploited by potential attackers?
The vulnerabilities can only be exploited if a potential attacker has the ability to execute code on an affected system. In this case, however, a visit to a website with defective JavaScript code could be sufficient to retrieve information from your PC, for example.
Can I protect myself with security updates for my operating system?
Partly yes. Updates for Windows, Linux, MacOS and other operating systems can reduce the security vulnerabilities. For information about the availability of these updates, see below. In addition to these software updates, firmware/microcode/BIOS updates are required, too.
Can the problems be solved with firmware updates for the processors alone?
Although it depends on the specific design of a processor whether and which of the three vulnerabilities can be exploited, no firmware (microcode) updates for processors are known to date that could close the vulnerabilities without the use of operating system patches.

Affected systems

At least processors from the following manufacturers are affected by these vulnerabilities:

Vendor	Affected CPUs	Variant 1 (CVE-2017-5753) (Spectre)	Variant 2 (CVE-2017-5715) (Spectre)	Variant 3 (CVE-2017-5754) (Meltdown)	Vendor information
AMD	Ryzen and Epyc, others will follow.	Yes	Yes^[5]	(not affected)^[6]	[1]
ARM	Cortex Series	Depending on the CPU, see manufacturer's information for details.			[2]
Intel	CPUs with Out-Of-Order Execution (CPUs since 1995, except Itanium and Intel Atom before 2013)	Yes (see INTEL-OSS-10002)	Yes (see INTEL-SA-00088)	Yes (see INTEL-OSS-10003)	[3]

Problem solving

The problem can be solved at least partially by completely isolating the kernel memory from the user process. This isolation can lead to performance losses.^[7]^[8] Intel has published benchmark results for Meltdown/Spectre, with performance losses of up to 10 percent. Even higher for SSD systems.^[9]

BIOS updates

To close the vulnerability, Intel CPUs require microcode updates in addition to operating system updates.^[10] Since a CPU itself has no permanent memory, the microcode is stored on the mainboard together with the BIOS/UEFI firmware code.^[11]^[12]^[13]

The article BIOS security updates shows available UEFI firmware/BIOS security updates for Thomas-Krenn motherboards.

Other Hardware

Reactions from other hardware manufacturers to the topic of Meltdown and Spectre:

NetApp: Processor Speculated Execution Vulnerabilities in NetApp Products (security.netapp.com)
Nvidia: Security Bulletin: NVIDIA GPU Display Driver Security Updates for Speculative Side Channels (nvidia.custhelp.com)
Synology NAS: Synology-SA-18:01 Meltdown and Spectre Attacks (synology.com)
Open-E: Statement on Meltdown and Spectre vulnerabilities

Security updates for operating systems

The following patch information is currently available:

OS	Version	Security update
Debian GNU/Linux		Fix for CVE-2017-5754 (Meltdown) for Wheezy, Jessie, Stretch and Sid available, more updates under way (see [4], [5], [6])
FreeBSD		Fix for CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre Variant 2) under way (see [7], [8] and [9])
Linux vanilla Kernel	4.14	4.14.11^[14] (Solution for CVE-2017-5754 (Meltdown) through Kernel page-table isolation^[15]) 4.14.14^[16] (Solution for CVE-2017-5715 (Spectre Variant 2, through retpoline) 4.14.18^[17] (Solution for CVE-2017-5753 (Spectre Variant 1, through Array index speculation blocker) and CVE-2017-5715 (Spectre Variant 2, via new processor flags IBRS, STIBP und IBPB)
Linux vanilla Kernel	4.15	4.15-rc6^[18] (Solution for CVE-2017-5754 (Meltdown) through Kernel page-table isolation) 4.15.2^[19] (Solutions for CVE-2017-5753 (Spectre Variant 1, through Array index speculation blocker) and CVE-2017-5715 (Spectre Variant 2, via new processor flags IBRS, STIBP und IBPB)
Microsoft Windows	Windows Server 2008 R2, 2012 R2, 2016 Windows 10	Updates available (see [10] and [11])^[20]^[21] Update disables protection against Spectre Variant 2^[22]
Proxmox ([12])	Proxmox VE 5.x	pve-kernel (4.13.13-34)
Proxmox ([12])	Proxmox VE 4.x	pve-kernel (4.4.98-102)
Red Hat Enterprise Linux	RHEL 5, 6, 7	Kernel-Updates available, libvirt/qemu-kvm/... under way (see [13])
SUSE ([14])	SLES 11, 12	Kernel updates for SLES 12 SP1/SP2/SP3, SLES 12 GA and SLES 11 SP4 available Kernel updates for SLES 11 SP3 partly available (see [15], [16], [17])
Ubuntu Linux		Updates available (see [18] and [19])
VMware	ESXi 5.5, 6.0, 6.5	Updates available (VMSA-2018-0002, 2.1, 04, 04.1, 4.2)
Xen	(all versions)	Updates under way ([20], [21])
Xenserver ([22])	7.0, 7.1 LTSR CU1, 7.2, 7.3	Updates for CVE-2017-5715 available (Citrix XenServer Multiple Security Updates, 7.0, 7.1, 7.2, 7.3)

(Table last updated on 09.02.2018 at 15:25h)

References

↑ Meltdown and Spectre - Bugs in modern computers leak passwords and sensitive data (meltdownattack.com)
↑ Today's CPU vulnerability: what you need to know (security.googleblog.com, 03.01.2018)
↑ 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign (www.theregister.co.uk, 02.01.2018): [...] At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel's memory. Suffice to say, this is not great. The kernel's memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on. Imagine a piece of JavaScript running in a browser, or malicious software running on a shared public cloud server, able to sniff sensitive kernel-protected data. [...]
↑ Project Zero: Reading privileged memory with a side-channel (googleprojectzero.blogspot.com, 03.01.2018)
↑ AMD Processor Security (amd.com, 11.01.2018) AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week. We expect to make updates available for our previous generation products over the coming weeks.
↑ (PATCH) x86/cpu, x86/pti: Do not enable PTI on AMD processors (lkml.org, 26.12.2017): AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. [...]
↑ KAISER: hiding the kernel from user space (lwn.net, 15.11.2017): Since the beginning, Linux has mapped the kernel's memory into the address space of every running process. There are solid performance reasons for doing this, and the processor's memory-management unit can ordinarily be trusted to prevent user space from accessing that memory. More recently, though, some more subtle security issues related to this mapping have come to light, leading to the rapid development of a new patch set that ends this longstanding practice for the x86 architecture. [...] KAISER will affect performance for anything that does system calls or interrupts: everything. Just the new instructions (CR3 manipulation) add a few hundred cycles to a syscall or interrupt. Most workloads that we have run show single-digit regressions. 5% is a good round number for what is typical. The worst we have seen is a roughly 30% regression on a loopback networking test that did a ton of syscalls and context switches.
↑ Initial Benchmarks Of The Performance Impact Resulting From Linux's x86 Security Changes (www.phoronix.com, 02.01.2018)
↑ Intel-Benchmarks zu Meltdown/Spectre: Performance sackt um bis zu 10 Prozent ab, SSD-I/O deutlich mehr (heise.de, 11.01.2017)
↑ Facts about The New Security Research Findings and Intel Products (www.intel.com): We have begun providing software and firmware updates to mitigate these exploits. End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any updates as soon as they are available.
↑ Security Vulnerabilities Regarding Side Channel Speculative Execution and Indirect Branch Prediction Information Disclosure (www.supermicro.com)
↑ ASUS Motherboards Microcode Update for Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method (asus.com)
↑ ASUS Servers and Workstations Microcode Update for Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method (asus.com)
↑ ChangeLog-4.14.11 (cdn.kernel.org) [...] x86/mm/pti: Add Kconfig [...] Finally allow CONFIG_PAGE_TABLE_ISOLATION to be enabled. [...]
↑ Kernel page-table isolation (en.wikipedia.org)
↑ ChangeLog-4.14.14 (cdn.kernel.org)
↑ ChangeLog-4.14.18 (cdn.kernel.org)
↑ Linux 4.15-rc6 (lwn.net)
↑ ChangeLog-4.15.2
↑ Gravierende Prozessor-Sicherheitslücke: Nicht nur Intel-CPUs betroffen, erste Details und Updates (heise.de, 04.01.2018) [...] Außerdem will Microsoft wohl noch am heutigen Donnerstag ein Security-Update für Windows veröffentlichen. [...]
↑ Windows 17035 Kernel ASLR/VA Isolation In Practice (like Linux KAISER) (twitter.com)
↑ Update to Disable Mitigation against Spectre, Variant 2 (support.microsoft.com)

Further information

Massive Lücke in Intel-CPUs erfordert umfassende Patches (heise.de/security 03.01.2018)
The mysterious case of the Linux Page Table Isolation patches (pythonsweetness.tumblr.com, 01.01.2018)
Vulnerability Note VU#584653 CPU hardware vulnerable to side-channel attacks (kb.cert.org, 03.01.2018)

Changelog

Version 1.0, 03.01.2018: Initial version with first information based on the articles of heise.de and theregister.co.uk.
Version 2.0, 04.01.2018: Extensive updates have been carried out and initial information on operating system updates completed. References to official Intel statements supplemented, Update Notes for Microsoft Windows added, possibility of required firmware updates supplemented.
Version 2.1,05.01.2018: Updated information on operating system updates, added information on Microcode Update.
Version 2.2, 08.01.2018: Updated information on operating system updates, list of affected motherboards announced for Microcode Update.
Version 3.0, 09.01.2018: Table with motherboards added, updated information on FreeBSD.
Version 3.1, 09.01.2018: Information about further hardware and Proxmox added.
Version 3.4, 10.01.2018: Information about updates for Ubuntu (fix for CVE-2017-5754 available), VMware and Debian updated.
Version 3.5, 11.01.2018: Information about updates for Xenserver updated.
Version 3.6, 11.01.2018: Information about performance benchmark results of Intel systems added.
Version 3.7, 11.01.2018: Information about AMD CPUs and updated information about BIOS Updates (X11DPi-N(T) available, LES Systems added, ASUS Server-Systems updated).
Version 3.8, 15.01.2018: Information about updates for Ubuntu updated (fix for Spectre for Ubuntu 17.10 artful-proposed available).
Version 3.9, 15.01.2018: Information about AMD-based Systems updated.
Version 3.10, 16.01.2018: Updated information about BIOS Updates (ASUS P10S-I available).
Version 3.11, 16.01.2018: Table for AMD-based Systems added.
Version 3.12, 16.01.2018: Information about BIOS Updates updated (ASUS H270M-Plus available).
Version 3.13, 17.01.2018: Updated information about BIOS Updates (ASUS P10S-M available).
Version 3.14, 18.01.2018: Information about BIOS Updates updated (Supermicro X11SSH-F, X11SSH-LN4F and X11SSH-TF available), updated operating system information. For ARM CPUs referred to manufacturer information, information on updates from Ubuntu updated, reaction of Open-E supplemented, information on Skylake BIOS updates supplemented.
Version 4.0, 23.01.2018: Do not install currently available BIOS updates according to the current recommendation of Intel, notes on BIOS downloads added, Microcode check is running.
Version 4.1, 23.01.2018: Extended information on the current Intel recommendation.
Version 4.2, 24.01.2018: Updated information about operating system updates
Version 4.3, 25.01.2018: Updated information on the current Intel recommendation, BIOS updates withdrawn.
Version 4.4, 29.01.2018: Updated information about Windows, update disables protection against Spectre Variant 2
Version 4.5, 09.02.2018: Updated information about Linux Vanilla Kernel, Protection against Spectre Variant 1 and 2 introduced or refined.
Version 4.6, 21.02.2018: Intel has released Microcode for Skylake / Kaby Lake / Coffee Lake to OEMs.
Version 5.0, 28.02.2018: Information about BIOS Updates for AMD EPYC systems updated (Supermicro H11DSi-NT available).
Version 5.1, 08.03.2018: Information about Supermicro X11SPL-F and H11DSi-NT updated.
Version 5.2, 08.03.2018: Hint for Supermicro X11SPL-F no longer valid.
Version 5.3, 13.03.2018: Information about BIOS updates with renewed microcode added, first BIOS at Thomas-Krenn in test.
Version 5.4, 14.03.2018: BIOS update information updated (X11DPi-N and X11DPi-NT available).
Version 5.5, 19.03.2018: BIOS update information updated (X10SRi-F, X10DRi, X10DRL-i and X11DPL-i available).
Version 5.6, 21.03.2018: BIOS update information updated (X10DRG-Q and X10DRi-T available).
Version 5.7, 10.04.2018: BIOS update information updated (P10S-I available).
Version 5.8, 12.04.2018: BIOS update information updated (X11S* Tests scheduled).
Version 5.9, 18.04.2018: BIOS update information updated (X11SSH-F, X11SSH-LN4F und X11SSH-TF available).
Version 5.10, 20.04.2018: BIOS update information updated (X10SLH-F available).
Version 5.11, 16.05.2018: BIOS update information updated (X10DRC-LN4+ available).
Version 5.12, 05.06.2018: BIOS update information updated (LES v3 available).
Version 5.13, 06.06.2018: BIOS update information updated (LES v2, LES LI3Z, LES Network and LES Network+ available).
Version 5.14, 10.07.2018: Tables removed and moved to an additional wiki article, links added.

Author: Werner Fischer

Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.

[1] Meltdown and Spectre - Bugs in modern computers leak passwords and sensitive data (meltdownattack.com)

[2] Today's CPU vulnerability: what you need to know (security.googleblog.com, 03.01.2018)

[3] 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign (www.theregister.co.uk, 02.01.2018): [...] At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel's memory. Suffice to say, this is not great. The kernel's memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on. Imagine a piece of JavaScript running in a browser, or malicious software running on a shared public cloud server, able to sniff sensitive kernel-protected data. [...]

[4] Project Zero: Reading privileged memory with a side-channel (googleprojectzero.blogspot.com, 03.01.2018)

[amd-5] AMD Processor Security (amd.com, 11.01.2018) AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week. We expect to make updates available for our previous generation products over the coming weeks.

[6] (PATCH) x86/cpu, x86/pti: Do not enable PTI on AMD processors (lkml.org, 26.12.2017): AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. [...]

[7] KAISER: hiding the kernel from user space (lwn.net, 15.11.2017): Since the beginning, Linux has mapped the kernel's memory into the address space of every running process. There are solid performance reasons for doing this, and the processor's memory-management unit can ordinarily be trusted to prevent user space from accessing that memory. More recently, though, some more subtle security issues related to this mapping have come to light, leading to the rapid development of a new patch set that ends this longstanding practice for the x86 architecture. [...] KAISER will affect performance for anything that does system calls or interrupts: everything. Just the new instructions (CR3 manipulation) add a few hundred cycles to a syscall or interrupt. Most workloads that we have run show single-digit regressions. 5% is a good round number for what is typical. The worst we have seen is a roughly 30% regression on a loopback networking test that did a ton of syscalls and context switches.

[8] Initial Benchmarks Of The Performance Impact Resulting From Linux's x86 Security Changes (www.phoronix.com, 02.01.2018)

[9] Intel-Benchmarks zu Meltdown/Spectre: Performance sackt um bis zu 10 Prozent ab, SSD-I/O deutlich mehr (heise.de, 11.01.2017)

[10] Facts about The New Security Research Findings and Intel Products (www.intel.com): We have begun providing software and firmware updates to mitigate these exploits. End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any updates as soon as they are available.

[supermicro-11] Security Vulnerabilities Regarding Side Channel Speculative Execution and Indirect Branch Prediction Information Disclosure (www.supermicro.com)

[12] ASUS Motherboards Microcode Update for Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method (asus.com)

[13] ASUS Servers and Workstations Microcode Update for Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method (asus.com)

[14] ChangeLog-4.14.11 (cdn.kernel.org) [...] x86/mm/pti: Add Kconfig [...] Finally allow CONFIG_PAGE_TABLE_ISOLATION to be enabled. [...]

[15] Kernel page-table isolation (en.wikipedia.org)

[16] ChangeLog-4.14.14 (cdn.kernel.org)

[17] ChangeLog-4.14.18 (cdn.kernel.org)

[18] Linux 4.15-rc6 (lwn.net)

[19] ChangeLog-4.15.2

[20] Gravierende Prozessor-Sicherheitslücke: Nicht nur Intel-CPUs betroffen, erste Details und Updates (heise.de, 04.01.2018) [...] Außerdem will Microsoft wohl noch am heutigen Donnerstag ein Security-Update für Windows veröffentlichen. [...]

[21] Windows 17035 Kernel ASLR/VA Isolation In Practice (like Linux KAISER) (twitter.com)

[22] Update to Disable Mitigation against Spectre, Variant 2 (support.microsoft.com)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]