Meltdown and Spectre vulnerabilities


(French version here)

What's going on?

Meltdown and Spectre, unlike other well-publicized vulnerabilities such as WannaCry or Heartbleed, stem from the way processors handle operating system and application instructions. This is why they affect virtually all processor architectures (Intel, AMD, ARM) and are not tied to a specific OS (Windows, Mac, Linux). This is therefore a serious issue, with implications for the entire EPFL IT ecosystem.

Meltdown (CVE-2017-5754)

Spectre (CVE-2017-5715 / CVE-2017-5753)

Issues

Although both announcements were released at the same time and both concern core processor functionality, the underlying vulnerabilities are not addressed by the same patches. That said, most vendors treat the two issues together in their knowledge base articles, which makes incident response more complex.

Spectre mitigation requires not only software patches but also a hardware (chipset) update. Meltdown mitigation is software-only, for now. Because a chipset update can potentially harm hardware integrity, we recommend not proceeding with it yet.

Quick reference

NB: do not patch any AMD infrastructure.

Platform / version         Status   Action
Windows - in AD
  7/8.1/10                 Go       Fix for .reg file deployed through GPO -> Windows Update OK
  Server                   Go       Fix for .reg file deployed through GPO -> Windows Update OK
Windows - not AD
  7/8.1/10                 No Go    Waiting for McAfee .reg file fix
  Server                   No Go    Waiting for McAfee .reg file fix
Mac
  High Sierra (10.13.2)    Go       Immune version
  Sierra (10.12.6)         Go       Upgrade to High Sierra if HW and business compatible
  El Capitan (10.11.6)     Go       Upgrade to High Sierra if HW and business compatible
UNIX/Linux
  Red Hat                  Go       Check if kernel is already immune (script here)
  Debian                   Go       Check if kernel is already immune (script here)
  Ubuntu                   Go       Check if kernel is already immune (script here)
  SUSE                     Go       Check if kernel is already immune (script here)
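One way to carry out the "check if kernel is already immune" step from the UNIX/Linux rows, as an added example and not the EPFL script linked from the table: it reads the mitigation status that the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities (introduced with the Meltdown/Spectre fixes in 4.15 and present in distribution kernels that backported them) and returns a distinct exit code for each outcome, including the case where the kernel predates the interface and so cannot be assumed immune. The script name check_cpu_vulns.sh and the SYSFS_VULN_DIR override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the EPFL script referenced in the table): classify the
# kernel's sysfs mitigation report for Meltdown, Spectre v1 and Spectre v2.
# SYSFS_VULN_DIR is an assumed override so the logic can be run against a
# copied or constructed directory; the default is the real kernel interface.
SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "<contents of one sysfs file>"
# prints: not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_sysfs [dir]: print one line per vulnerability and return
#   0 if every entry is mitigated or not affected,
#   1 if any entry is vulnerable, unknown or missing,
#   2 if the directory itself is absent (kernel predates the fixes).
report_sysfs() {
    dir="${1:-$SYSFS_VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "$dir not found: kernel does not report mitigation status; treat as unpatched"
        return 2
    fi
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$v" ]; then
            status=$(cat "$dir/$v")
            class=$(classify_status "$status")
        else
            status="(file absent)"
            class=unknown
        fi
        printf '%-10s %-13s %s\n' "$v" "$class" "$status"
        case "$class" in
            mitigated|not_affected) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Run the check only when executed as check_cpu_vulns.sh, so the functions can
# also be sourced into other scripts without side effects.
if [ "${0##*/}" = "check_cpu_vulns.sh" ]; then
    report_sysfs
fi
```

Save it as check_cpu_vulns.sh and run `sh check_cpu_vulns.sh`: exit code 0 means all three entries are mitigated or not affected, 1 that at least one is still vulnerable, and 2 that the kernel does not expose the interface at all, which should be read as "not patched" rather than "immune".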

Current situation

Microsoft Windows


Apple MacOS

NB: the information below is valid only if you have installed the latest updates. More details in the Apple KB: https://support.apple.com/en-us/HT208394

UNIX/Linux

Virtualization

Smartphones and tablets

Browsers