Meltdown and Spectre vulnerabilities


1. Summary

The Meltdown and Spectre vulnerabilities, unlike other well-publicized ones such as WannaCry or Heartbleed, stem from the way processors handle operating system and application instructions. This is why these vulnerabilities encompass virtually all processor architectures (Intel, AMD, ARM) and are not tied to a specific OS (Windows, Mac, Linux). This is therefore a serious issue, because it has implications for the entire EPFL IT ecosystem.

Meltdown (CVE-2017-5754)

This vulnerability impacts every Intel processor, except Itanium and Atom (before 2013).

Spectre (CVE-2017-5715 / CVE-2017-5753)

These vulnerabilities impact Intel, AMD and ARM architectures. (More to come soon).

2. Issues

Although these announcements were released at the same time and both concern the core functionality of processors, the underlying vulnerabilities are not addressed by the same patches. That said, most vendors cover the issues together in their Knowledge Bases, which increases the complexity of the incident response.

Depending on the operating system (and its version), some patches can mitigate all three variants, but only partially, and must therefore be complemented by firmware updates. Unfortunately, we have to underline that not every OS/processor combination has an all-encompassing solution addressing all three variants.

Since updating the chipset firmware can be harmful to hardware integrity, we recommend carefully following the instructions provided by chipset manufacturers and software vendors.

3. Software patches availability

3.1 Operating systems

3.1.1 Microsoft Windows

NB: the availability and installation of Microsoft patches depend on their compatibility with the antivirus installed on the OS.

Windows Server and 7/8.1/10 with the official McAfee AV are now fully compatible. AD-enrolled systems all received a specific registry key on the 10th of January 2018 through GPO, while the others received it through the ePO agent on the 17th of January 2018.

Windows Server and 7/8.1/10 with a third-party AV are not all managed by VPSI update operations: it is thus mandatory to check whether the antivirus is known to Microsoft on this list, and then to check its compatibility here.

There is a vulnerability check tool for Meltdown/Spectre issued by Microsoft here (detailed configuration and output analysis here). Another, unofficial one that is easier to use can be found here.

3.1.2 Apple MacOS

Apple provides patches for El Capitan, Sierra and High Sierra. Full security bulletin here.

3.1.3 UNIX/Linux

Most recently updated Linux kernels are immune (the patches have been backported to older versions).

A vulnerability check tool for Meltdown/Spectre can be found here.
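As an added example (neither the checker tool linked above nor an EPFL script), the POSIX shell snippet below reads the per-variant status files that Linux kernels from 4.15 onwards expose under /sys/devices/system/cpu/vulnerabilities, classifies each of the three variants, and returns non-zero when any is still reported as vulnerable; on a host without that sysfs tree it falls back to a constructed sample. The VULN_DIR variable and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: classify Meltdown/Spectre mitigation status from sysfs.
# Assumes a kernel >= 4.15 for the live tree; otherwise a sample is used.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map one sysfs status line to a one-word verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print a verdict for the three variants named on this page and return
# non-zero when at least one of them is still vulnerable (handy for inventories).
report_variants() {
    dir="$1"; rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$v" ]; then
            status=$(cat "$dir/$v")
        else
            status="unknown (no sysfs entry: kernel < 4.15 or not exposed)"
        fi
        verdict=$(classify_status "$status")
        printf '%-10s %-12s %s\n' "$v" "$verdict" "$status"
        [ "$verdict" = vulnerable ] && rc=1
    done
    return $rc
}

# Constructed sample tree: a host patched for Meltdown but not yet for Spectre v2.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone run: use the live sysfs tree when present, else the sample.
main() {
    if [ -d "$VULN_DIR" ]; then report_variants "$VULN_DIR"
    else report_variants "$(make_sample_dir)"; fi
}
main || echo "at least one variant is still vulnerable"
```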

3.2 Virtualization

3.3 Smartphones and tablets

3.4 Browsers

4. Firmware patches availability

(2018-01-23) Some computers based on the 4th and 5th generations of Intel CPUs (a.k.a. Haswell and Broadwell) seem to exhibit stability issues (unwanted reboots) after the BIOS/microcode update. We urge you not to flash the BIOS for the time being; we will keep this page updated.

Given the diversity of manufacturers, the complexity of the procedures and the inherent risks of updating firmware, we cannot provide step-by-step guides. Links to the major manufacturers whose machines are present in large numbers on campus are given hereafter.

Intel documentation for all manufacturers here.

5. Step by step guide