Tag Archives: firmware

Vendors Respond to Foreshadow (L1TF) Vulnerabilities

Yesterday, academic and security researchers publically disclosed (defined) 3 new vulnerabilities affecting Intel CPUs (AMD and ARM are not affected).

What are these new vulnerabilities and what can they allow an attacker to do?
The first vulnerability known as Foreshadow or CVE-2018-3615 is used to extract data from an Intel SGX (Software Guard Extensions)(defined) secure enclave (area) by creating a shadow copy of the SGX protected data but that copy does not have the protection of SGX and can be read/accessed by the attacker. The attacker can also re-direct speculative execution into copying further private/sensitive into the shadow copied area while at the same time making it appear that area is genuine and thus has the same protection as the real SGX protected data.

The second vulnerability (part of a wider Foreshadow Next Generation (NG) group of two variants) known as CVE-2018-3620 allows the reading of data copied into the level 1 cache (defined) of a CPU (defined) when that data is in use by a computer operating system e.g. Red Hat Linux, Apple macOS or Microsoft Windows.

The third vulnerability is the second and final variant of the Foreshadow NG group known as CVE-2018-3646.  This affects virtualised environments. If a CPU thread (defined) being directed by an attacker is able to read the level 1 cache of a CPU that is also shared by another thread by a victim user (within another virtualised environment but using the same physical CPU) while that request will be blocked; if the information the attacker is looking to steal is in the level 1 cache they may still get a glimpse of this information.

How can I protect myself from these new vulnerabilities?
For the first and second vulnerabilities; the microcode (defined)/firmware (defined) updates made available earlier this year coupled with the newly released updates for operating systems linked to below will mitigate these two issues.

====================

For the third vulnerability; affecting virtualised (defined) environments there are operating system updates and microcode/firmware updates available that will occasionally clear the contents of the level 1 cache meaning that when the attacker attempts to read it they will not receive any benefit from doing so. Partially removing the usefulness of the cache will have a performance impact from a few percent up to 15 percent in the worst case scenario.

However to completely mitigate this third vulnerability a capability known as Core Scheduling needs to be leveraged. This ensures that only trusted/non attacker controlled virtual machines have access to the same thread (this capability is already available in some virtual machine (hypervisor)(defined) environments).

However in some environments if it cannot be guaranteed that all virtual machines are trustworthy the disabling of Intel Hyper Threading (this means that only 1 thread will work per CPU core)(otherwise known as simultaneous multi-threading (SMT)(defined)) may be necessary and will more significantly impact performance than just the level 1 cache clearing.

In summary for this third vulnerability; depending upon the virtualised environment you are using and the trustworthiness of the virtual machines you are using will determine how many of the these extra security measure you will need to take.

To be clear I am NOT advocating that Intel Hyper Threading/SMT be disabled EN MASSE for security reasons. As per the advice in the linked to advisories (below)(specifically Intel and VMware) ; you MAY wish to disable Intel Hyper Threading/SMT to mitigate the third vulnerability (CVE-2018-3646) depending upon the environment your virtualised machines are operating.

This Ars Technica article explains it very well: “if two virtual machines share a physical core, then the virtual machine using one logical core can potentially spy on the virtual machine using the other logical core. One option here is to disable hyperthreading on virtual-machine hosts. The other alternative is to ensure that virtual machines are bound to physical cores such that they don’t share.”

====================

Please find below links to vendor responses on these vulnerabilities as well as videos that can help in understanding these vulnerabilities:

Thank you.

====================

Foreshadow Vulnerability Official Website:
https://foreshadowattack.eu/

Intel’s Blog Post:
https://newsroom.intel.com/editorials/protecting-our-customers-through-lifecycle-security-threats/

Intel’s FAQ Page:
https://www.intel.com/content/www/us/en/architecture-and-technology/l1tf.html

Intel’s Security Advisory:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

Intel’s Software Developer Guidance:
https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault

Red Hat’s Security Advisory:
https://access.redhat.com/security/vulnerabilities/L1TF

Linux Kernel Patch:
https://lore.kernel.org/patchwork/patch/974303/

Oracle’s Security Advisory:
https://blogs.oracle.com/oraclesecurity/intel-l1tf

Amazon Web Services’ Security Advisory:
https://aws.amazon.com/security/security-bulletins/AWS-2018-019/

Google Cloud Security’s Blog Post:
https://cloud.google.com/blog/products/gcp/protecting-against-the-new-l1tf-speculative-vulnerabilities

Microsoft Windows Azure’s Guidance:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/mitigate-se

Microsoft’s Windows Security Advisory (high level details):
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018

Microsoft’s Technical Analysis of the Foreshadow Vulnerabilities:
https://blogs.technet.microsoft.com/srd/2018/08/10/analysis-and-mitigation-of-l1-terminal-fault-l1tf/

VMware Security Advisories:
https://www.vmware.com/security/advisories/VMSA-2018-0020.html

https://www.vmware.com/security/advisories/VMSA-2018-0021.html
====================

Videos:
Foreshadow Video (explains the first vulnerability very well):
https://www.youtube.com/watch?v=ynB1inl4G3c

Intel’s Video (explains all 3 vulnerabilities):
https://www.youtube.com/watch?v=n_pa2AisRUs

Demonstration of the Foreshadow attack:
https://www.youtube.com/watch?v=8ZF6kX6z7pM

Red Hat’s Video (explains all 3 vulnerabilities):
https://www.youtube.com/watch?v=kBOsVt0iXE4

Red Hat’s In-depth video of the 3 vulnerabilities:
https://www.youtube.com/watch?v=kqg8_KH2OIQ

====================

MikroTik Routers Exploited to Generate Cryptocurrency

In early August security researchers discovered a large malware campaign under way taking advantage of a now patched vulnerability within MikroTik routers.

Why should this threat be considered important?
This attack is underway since while a patch for an exploit for the Winbox component of the RouterOS being open was patched in one day (on the 23rd of April); there are many users who have not installed this update. The number is estimated to be in the hundreds of thousands including internet service provider (ISP) routers). Once exploited the vulnerability allows an attacker to gain remote administrative (high privilege) access to an affected router. Initially this attack originated in Brazil but has since been extended to over 200k devices worldwide (with a second attack). It’s unclear if its by the same perpetrator as the first attack.

Proof of concept (defined) code made available on GitHub has been modified by unknown attackers to add to all traffic passing through a vulnerable MikroTik router a copy of the Coinhive library along with the relevant Coinhive key to benefit a single attacker by means of cryptocurrency mining (an excellent introduction article to BitCoin and cryptocurrency). This attack isn’t just affecting MikroTik routers; Simon Kenin from Trustwave’s SpiderLabs division found that traffic going to and from a MikroTik router was affected e.g. if a website was hosted behind an affected router it would also be impacted.

More recently the attacker has altered his/her approach to adding the Coinhive script to the error pages of the routers rather than the more noticeable approach described above. That altered approach affects more than 170k routers. These error pages can potentially be accessed millions of time per day earning the attacker funds for each page served. With approximately 1.7 million of these routers online around the world there is the potential for this to get worse.

How can I protect myself from this vulnerability?
If you own/administer a MikroTik router or know someone who does, please ensure that any such devices are using the most recent firmware available from this link. Further advice after upgrading the firmware is also provided by MikroTik at the above link.

Thank you.

VPNFilter: Overview and removal

====================
Update: 24th October 2018:
====================
Researchers from Cisco’s Talos team have discovered further capabilities of this malware. As detailed below the 3rd stage of the malware features:

Provides plugins for the RAT (defined below in the original post) to extend its functionality.

However, the team was able to determine the following extra capabilities:

  1. Packet sniffing (obtain information from passing data packets (defined) on a network connection)
  2. JavaScript (defined) injection used to deliver exploit (a small piece of software used to trigger a known vulnerability to the advantage of an attacker) to a compromised device (most likely a router).
  3. Encrypted tunnelling (defined) to hide data the malware steals as well as the existing command and control data traffic.
  4. Creating network maps (defined)
  5. Remote connection/administration via SSH (Secure Shell)(defined)
  6. Port forwarding (defined)
  7. Create SOCK5 (defined) proxies (defined)
  8. DDoS (defined)

The good news about this malware is that from the Talos team’s research it does not appear that any malware samples remain active. However; they caution it is not possible to assume that this malware has finished its malicious actions and the possibility of its return remains.

Thank you.

====================
Update: 20th June 2018:
====================
If you would prefer a video or a podcast of how to remove this malware from your router, this Sophos blog post provides links to both. The video is hosted on Facebook but a Facebook account isn’t required to view it. Sophos also provide an archive of previous videos on the same Facebook page.

Thank you.

====================
Update: 6th June 2018:
====================
The Cisco Talos team have provided an updated list of known affected routers. I have added these to the list below with “(new)” indicating a new device on the existing list. I have also updated the malware removal advice to provide easier to follow steps.

Thank you.

====================
Original Post:
====================
In late May; a strain of malware known as VPNFilter affecting routers from the vendors listed below was publicly disclosed by the Cisco Talos team:

Affected vendors:
Asus RT-AC66U (new)
Asus RT-N10 (new)
Asus RT-N10E (new)
Asus RT-N10U (new)
Asus RT-N56U (new)
Asus RT-N66U (new)
D-Link DES-1210-08P (new)
D-Link DIR-300 (new)
D-Link DIR-300A (new)
D-Link DSR-250N (new)
D-Link DSR-500N (new)
D-Link DSR-1000 (new)
D-Link DSR-1000N (new)
Huawei HG8245 (new)
Linksys E1200
Linksys E2500
Linksys E3000 (new)
Linksys E3200 (new)
Linksys E4200 (new)
Linksys RV082 (new)
Linksys WRVS4400N
Mikrotik CCR1009 (new)
Mikrotik Cloud Core Router (CCR) CCR1016
Mikrotik CCR1036
Mikrotik CCR1072
Mikrotik CRS109 (new)
Mikrotik CRS112 (new)
Mikrotik CRS125 (new)
Mikrotik RB411 (new)
Mikrotik RB450 (new)
Mikrotik RB750 (new)
Mikrotik RB911 (new)
Mikrotik RB921 (new)
Mikrotik RB941 (new)
Mikrotik RB951 (new)
Mikrotik RB952 (new)
Mikrotik RB960 (new)
Mikrotik RB962 (new)
Mikrotik RB1100 (new)
Mikrotik RB1200 (new)
Mikrotik RB2011 (new)
Mikrotik RB3011 (new)
Mikrotik RB Groove (new)
Mikrotik RB Omnitik (new)
Mikrotik STX5 (new)
Netgear DG834 (new)
Netgear DGN1000 (new)
Netgear DGN2200
Netgear DGN3500 (new)
Netgear FVS318N (new)
Netgear MBRN3000 (new)
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
Netgear WNR2200 (new)
Netgear WNR4000 (new)
Netgear WNDR3700 (new)
Netgear WNDR4000 (new)
Netgear WNDR4300 (new)
Netgear WNDR4300-TN (new)
Netgear UTM50 (new)
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
TP-Link TL-WR741ND (new)
TP-Link TL-WR841N (new)
Ubiquiti NSM2 (new)
Ubiquiti PBE M5 (new)
UPVEL Unknown Models* (new)
ZTE ZXHN H108N (new)

Why should this malware be considered important?
The authors (thought to be a group funded by a nation state) of this malware are using it to hijack vulnerable routers (500,000 are known to have been compromised across 54 countries) for possible use in cyberattacks against the Ukraine. Indeed, the malware more recently began seeking out Ukrainian routers specifically. The Ukrainian Secret Service issued a security alert on this on the 23rd of May.

The malware has the ability to do so by utilising previously publicly disclosed (defined) vulnerabilities to gain access and persistence (namely remaining present after the router is powered off and back on) within these routers. Last week the FBI took control of this botnet and are now working to clean up the affected devices.

The malware is very sophisticated and can persist within a router even if the router is powered off and back on (becoming the second malware to have this ability, the first being the Hide and Seek botnet). The malware is made up of 3 stages:

Stage 1: Is responsible for the persistence (mentioned above).
Stage 2: Providing the capabilities of a remote access Trojan (RAT)(defined)
Stage 3: Provides plugins for the RAT to extend it’s functionality.

The malware also has the capability to do the following:

  1. Wipe the firmware (see Aside below for a definition) of routers rendering them useless
  2. Inspect the data traffic passing through the router (with the possible intention of obtaining credentials passing over the wire to gain access to sensitive networks)
  3. Attempt to locate ICS/SCADA devices (defined) on the same network as the router by seeking out port 502 traffic, namely the Modbus protocol (defined) with the option of deploying further malware
  4. Communicate via the Tor network (definition in the Aside below).

How can I protect my devices from this malware?
The FBI are asking anyone who suspects their internet router to be infected to first reboot it (turn on and off the router). This will cause an infected device to check-in with the now under FBI control C&C (command and control, C2 (defined) server to provide them with a better overview of the numbers of infected devices.

To completely remove the malware; reset the device to factory defaults (this won’t harm a non-infected either but please ensure you have the necessary settings to hand to re-input them into the router, your internet service provider (ISP) will be able to help with this). This will remove stage 1 of the malware (stage 2 and 3 are removed by turning the router on an off).

To prevent re-infection: Cisco Talos’ team recommendations are available from this link. Moreover the US CERT provide recommendations here and here. Symantec’s recommendations are provided here (especially for Mikrotik and QNAP devices).

Further advisories from router manufacturers are as follows (their advice should supersede any other advice for your router model since they know their own devices the best):

Linksys
MiktroTik
Netgear
QNAP
TP-Link

Further recommendations from Sophos are:

  • Check with your vendor or ISP to find out how to get your router to do a firmware update.
  • Turn off remote administration unless you really need it
  • Choose strong password(s) for your router
  • Use HTTPS website where you can

A very useful and easy to follow step by step walk through of removing this malware by BleepingComputer is available from this link with useful guidance for multiple router models.

Thank you.

=======================
References:
New VPNFilter malware targets at least 500K networking devices worldwide : Cisco Talos team
=======================

=======================
Aside:
What is firmware?
Firmware is semi-permanent embedded software code that allows a device to carry out its function by having the low-level hardware carry out useful sequences of events.

What is The Onion Router (Tor)?
The Onion Router (Tor) is an open source (defined) project with the goal of protecting your privacy by passing your web browsing activity through a series of anonymous relies spread across the internet. These relays act like proxy servers which encrypt and randomly pass the traffic they receive from relay to relay.

This web of proxies is sometimes referred to as the Dark web (a portion of the internet only accessible using the Tor network). This makes tracing the source of the source almost impossible.
=======================

Vendors Respond to Spectre NG Vulnerabilities

====================
Update: 24th July 2018
====================
I have updated the list of vendor responses below to include further Red Hat versions and CentOS:

Red Hat Enterprise Linux 7:
https://access.redhat.com/errata/RHSA-2018:1629

CentOS 6:
https://lists.centos.org/pipermail/centos-announce/2018-July/022968.html

CentOS 7:
https://lists.centos.org/pipermail/centos-announce/2018-May/022843.html
====================

====================
Update: 19th June 2018
====================
Last Wednesday, the security news and troubleshooting website BleepingComputer published a table detailing the complete list of updates required to mitigate the Meltdown, Spectre and SpectreNG (also known as Spectre variant 4) vulnerabilities for all recent versions of Windows. This is very useful because I realise my previous blog post on Meltdown and Spectre was at times hard to follow (it has a lot of info within it).

As of Tuesday, 12th June Microsoft have released updates to address SpectreNG. While you can install these updates Microsoft have advised their security protections will not be enabled unless you choose to do so. This is due to the lower risk of SpectreNG and also given that enabling the security enhancements of these updates can lead to a performance penalty of up to 8% (as I detailed below).

Microsoft provide step by step advice and guidance if you wish to enable these updates within this security advisory. It is likely other OS vendors will take a similar approach e.g. Red Hat may also choose to distribute these updates but not enable them so as to work around the performance penalty.

For more information on the semi-related Intel Lazy Floating point vulnerability, please see my separate post.

Thank you.

====================
Original Post
====================
On Monday more details of these vulnerabilities were made available by affected vendors among them Red Hat, Google, Intel, IBM and Microsoft. There are two new vulnerabilities named:

Rogue System Register Read (Spectre Variant 3a) (CVE-2018-3640)

Speculative Store Bypass (SSB) (Spectre Variant 4) (CVE-2018-3639)

Why should these vulnerabilities be considered important?

Rogue System Register Read cannot be leveraged by an external attacker; they must instead log onto a vulnerable system and carry out further steps to exploit it. Once exploited the attacker may be able to obtain sensitive information by reading system parameters via side-channel analysis.

For Windows; successful exploitation of this vulnerability will bypass Kernel Address Space Layout Randomization (KASLR) protections. I have talked about ASLR (defined) before but provides this link more detail on kernel ASLR.

Google Project Zero’s Jann Horn and Microsoft’s Ken Johnson first reported Speculative Store Bypass. It can possibly be used by attacker externally (from the internet). I use the term “possibly” since the mitigations added to web browsers following Spectre variant 2 earlier this year will make it more difficult for an attacker to do so. Indeed, Intel rates the risk as “moderate.” This is a more serious vulnerability which may allow an attacker access to read privileged memory areas. An example would be a script running in one browser tab being able to read data from another browser tab.

Red Hat have made available a video more clearly explaining the Speculative Store Bypass (SSB) vulnerability.

How can I protect myself from these vulnerabilities?
At this time microcode updates are being developed by Red Hat, AMD, ARM, Intel, IBM and Microsoft. The affected products from many popular vendors are available from the following links. These vulnerabilities will not be addressed via software fixes but hardware fixes instead.

It is recommended to follow the best practice advice for these vulnerabilities as per the US-CERT namely:

1. Please refer to and monitor the links below for the updates from affected vendors.
2. Test these updates before deploying them widely
3. Ensure the performance impact (anticipated to be between 2 – 8%) is acceptable for the systems you manage/use.

These updates will ship with the mitigations disabled and if appropriate/acceptable for an affected system; the protection (along with its performance impact) can be enabled.

These updates are scheduled to be made available before the end of May. Cloud vendors (e.g. Amazon AWS, Microsoft Azure etc.) will also update their systems once the performance impact is determined and if deemed acceptable.

Thank you.

====================
AMD:
https://www.amd.com/en/corporate/security-updates

ARM:
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180521-cpusidechannel

IBM:
https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Intel:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

Microsoft (full impact yet to be determined):
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180013

Red Hat:
https://access.redhat.com/security/cve/cve-2018-3639

Oracle:
https://blogs.oracle.com/oraclesecurity/processor-vulnerabilities-cve-2018-3640-and-cve-2018-3639

SUSE:
https://www.suse.com/de-de/support/kb/doc/?id=7022937

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4

VMware ESXI, Fusion/Fusion Pro, Workstation/Workstation Pro and vCenter Server:
https://www.vmware.com/security/advisories/VMSA-2018-0012.html

https://kb.vmware.com/s/article/54951

https://kb.vmware.com/s/article/55111
====================

Details of Spectre Next Generation (NG) Vulnerabilities Emerging

====================
Update: 23rd May 2018:
====================
Please refer to the new blog post I have added to document and provide information on these new vulnerabilities.

Thank you.

====================
Original Post:
====================
Separate to my previous in-depth discussion of the Meltdown and Spectre vulnerabilities; I located this news article announcing the discovery of new vulnerabilities affecting Intel CPUs (and possibly ARM CPUs too). Few details are available; apart from that the vulnerabilities also affect Intel’s SGX (Software Guard Extensions)(defined) instructions and can be exploited within a virtual machine (defined) to gain access to the host (physical system).

It is likely further microcode updates from Microsoft and firmware update from Intel will be made available in the coming weeks. It is unknown if these new vulnerabilities dubbed Spectre Next Generation (NG) will be as serious as the original Meltdown and Spectre (Variants 1 and 2) disclosed in January.

On a related note (and discussed in another post); Microsoft resolved a regression in their Windows 10 Meltdown patch that was found by Windows Internals and security researcher Alex Ionescu. The fix was already included in Windows 10 Version 1803 (the April Update) and was provided to Version 1709 this month.

Thank you.

Responding to the Meltdown and Spectre Vulnerabilities

=======================
Please scroll down for more updates to this original post.
=======================
====================
Update: 23rd May 2018:
====================
For information on the Spectre NG vulnerabilities please refer to this new blog post

Thank you.

=======================
Original Post:
=======================
Earlier in January updates for Linux, Apple and Windows were made available to work towards addressing the 3 security vulnerabilities collectively known as Meltdown and Spectre.

Why should these vulnerabilities be considered important?
I’ll provide a brief summary of the two categories of vulnerabilities:

Meltdown (CVE-2017-5754): This is the name of the vulnerability discovered that when exploited by an attacker could allow an application running with standard privileges (not root or elevated privileges) to read memory only intended for access by the kernel.

Spectre (Variant 1: CVE-2017-5753 ; Variant 2: CVE-2017-5715): This is a category of two known vulnerabilities that erode the security boundaries that are present between applications running on a system. Exploitation can allow the gathering of information from applications which could include privileged information e.g. usernames, password and encryption keys etc. This issue can be exploited using a web browser (e.g. Apple Safari, Mozilla Firefox, Google Chrome, Microsoft Edge (or IE) by using it to record the current time at very short intervals. This would be used by an attacker to learn which memory addresses were cached (and which weren’t) allowing the attacker to read data from websites (violating the same-origin policy) or obtain data from the browser.

Browser vendors have responded by reducing the precision of JavaScript timing and making it more unpredictable while other aspects of JavaScript timing (using the SharedArrayBuffer feature) have been disabled.

More in-depth (while still being less technical) descriptions of these issues are available here , here and here.

How can I protect myself from these vulnerabilities?
Since these vulnerabilities are due to the fundamental architecture/design of modern CPUs; it is not possible to fully address them. Instead a combination of software fixes and microcode updates (defined) is more a viable alternative than re-designing the established architecture of modern CPUs.

In-depth lists of updates available from multiple vendors are available here and here. I would suggest glancing at the affected vendors and if you own a device/product from them; checking if you are affected by these vulnerabilities. A list of BIOS (defined) updates from multiple vendors are available here. Google Chrome has a Site Isolation mode that can mitigate these vulnerabilities which will be more comprehensively addressed in Chrome version 64 scheduled for release last this month.

At this time my systems required updates from Google, Mozilla, Microsoft, Apple, VMware, Asus, Lenovo and Nvidia. Many of many existing desktops are unlikely to receive microcode and BIOS updates due to be more than 3 years old. However my Windows 10 laptop has received a BIOS update from the manufacturer.

Are there disadvantages to installing these updates?
While these updates increase security against these vulnerabilities; performance issues and stability issues (Intel and AMD) after the installation of these updates have been reported. These vary in severity but according to Intel and Microsoft the updates will be refined/optimised over time.

Benchmarks (for desktops) made available by TechSpot show negligible impact on most tasks that would stress a CPU (defined). However any work that you perform which makes of large files e.g. databases may be significantly impacted by the performance impact these updates have when accessing files on disk (mechanical and solid state). For laptops the slowdown was felt across almost all workload types. Newer and older silicon were inconsistently impacted. At times even some Intel 8th generation CPUs were impacted more than 5th generation CPUs.

Details of the anticipated performance impact for Linux, Apple macOS (and iOS) and Windows are linked to. Further reports of reduced performance from Intel and Apple devices have also been recorded. Further details of a feature known as PCID (Process-Context Identifiers) within more recent CPUs which will help reduce the performance impact are provided here. For Intel CPUs, 4th generation Core CPUs and later should include it but any CPU manufactured after 2011 should have it (one of my CPUs; a Core i7 2600K has this feature, verified using Sysinternals Coreinfo). A full list of Intel CPUs affected by these vulnerabilities is here.

Conclusion:
With the widely reported stability and performance issues present it is your decision if you install the necessary updates now or wait until further refinements. If you experience issues, please report them to the manufacturers where possible and within online forums if not. More refined updates will only be created if a need to do so is established.

I’m in the process of updating my systems but will benchmark them before and after each updates to determine an impact and make a longer term decision to keep the updates or uninstall them until further versions become available. I’ll update this post as I gather more results.

=======================
Update: 16th January 2018:
=======================
A newly released free utility from Gibson Research (the same website/author as the well-known ShieldsUp firewall tester) named InSpectre can check if your Windows system has been patched against Meltdown and Spectre and can give an indication of how much the performance of your system will be affected by installing and enabling the Windows and/or the BIOS updates.

Please note: I haven’t tried this utility yet but will this weekend (it will help with the tests I’m carrying out (mentioned above). I’ll update this post when I have tried out this utility.

Thanks again.

=======================
Update: 24th January 2018:
=======================
As promised I gathered some early results from a selection of CPUs and the results for all but recent CPUs are evidence they will experience a potentially noticeable performance drop:

====================
CPUs supporting PCID (obtained using Sysinternals Coreinfo):
Intel Core i7 Extreme 980X @ 3.33 GHz
Intel Core i7 2600K @ 3.8 GHz
Intel Core i5 4590T @ 3.3 GHz
Intel Core i7 6500U (laptop CPU) @ 2.5 GHZ

CPUs supporting INVPCID (obtained using Sysinternals Coreinfo):
Intel Core i5 4590T @ 3.3 GHz
Intel Core i7 6500U (laptop CPU) @ 2.5 GHZ
====================

Explanations of the purpose and relevance of the PCID and INVPCID CPU instructions are available from this Ars Technica article. The results from InSpectre only show positive results when both PCID and INVPCID are present backing up the observations within the above linked to Ars Technica article (that the updates take advantage of the performance advantages of these instructions when both are present).

The results from InSpectre back up these findings by stating that the 980X and 2600K will not deliver high performance protection from Meltdown or Spectre. Since my PCs are mainly used for more CPU intensive tasks (rather than disk intensive) e.g. games and Folding@Home; I still don’t expect too much of a performance decrease. The older CPUs are due for replacement.

You may ask; “why am I so concerned with the performance impact of these updates?” The answer is that significant time and investment has been made into the above systems for them to perform at peak performance for the intended tasks I use them for. Performance and security are both very important to me and I believe there should only be a small trade off in performance for better security.

My next step will be to benchmark the CPU, hard disk and GPU of each system before and after installing each update. I will initially do this for the 6500U and 2600K systems and provide these results. The categories of updates are listed below. I will keep you informed of my findings.

Thank you.
====================
Update 1: Software updates from Microsoft for Meltdown and Spectre
Update 2: Firmware update (where available)
Update 3: Nvidia / AMD GPU driver update
====================

=======================
Update: 13th February 2018:
=======================
Sorry for the long delay (I was travelling again for my work). The above benchmarking is now taking place and I will make the results available as soon as possible. Thanks for your understanding.

=======================
Update: 27th February 2018
=======================
Earlier last week Intel made available further microcode updates for more CPUs. These updates seek to address variant 2 of the Spectre vulnerability (CVE-2017-5715). Updates are now available for the CPUs listed below.

As before, please refer to the manufacturer of your motherboard of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have to determine if these updates have been made available for your specific systems. Further information for corporate system administrators containing details of the patching process is available within this link (PDF):

  • Kaby Lake (Intel 7th Generation Core CPUs)
  • Coffee Lake (Intel 8th Generation Core CPUs)
  • Further Skylake CPUs (Intel 6th Generation Core CPUs)
  • Intel Core X series (Intel Core i9 CPUs e.g. in the 7900 and 7800 model range)
  • Intel Xeon Scalable (primarily targeted at data centres)
  • Intel Xeon D (primarily targeted at data centres)

Information on patches now available for OpenBSD and FreeBSD are located within the following links:

OpenBSD:
OpenBSD mailing list
The Register: OpenBSD Patch now Available

FreeBSD:
FreeBSD Wiki
Softpedia: Spectre and Meltdown mitigations now available

=======================
Update: 1st April 2018
=======================
As vendors have responded to these vulnerabilities; updates have been released for many products. I will describe these updates in more detail below. Apologies if I have omitted any, this isn’t intentional but the list below should still be useful to you:

=======================
Google ChromeOS:
=======================
Following the release of ChromeOS 64 in February which provided updates against the Meltdown and Spectre vulnerabilities, ChromeOS 65 includes further mitigations against these vulnerabilities including the more efficient Retpoline mitigation for Spectre variant 2.

=======================
Sony Xperia:
=======================
In late February Sony made available updates which include mitigations for Meltdown and Spectre for their Xperia X and Xperia X Compact phones which brings the build number to 34.4.A.2.19

=======================
Microsoft Issues Microcode Updates:
=======================
As previously mentioned when this blog post was first published; updates for the Meltdown and Spectre vulnerabilities are made up of software updates, microcode updates and firmware (BIOS updates) and GPU drivers.

Due to the complexity of updating the firmware of computer systems which is very specific and potentially error prone (if you apply the wrong update to your device it can render it useless, meaning it will need to be repaired/replaced (which is not always possible) Microsoft in early March began to issue microcode driver updates (as VMware describes they can be used as substitutes for firmware updates). Microcode updates have been issued in the past to address CPU reliability issues when used with Windows.

=======================
Intel Firmware Updates:
=======================
As with previous microcode updates issued by Intel in late February; these updates seek to resolve variant 2 of the Spectre vulnerability (CVE-2017-5715).

While Intel has issued these updates; they will be made available separately by the manufacturer of your motherboard of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have. You will have to determine from the updates those vendors issue if they are available for the products that you own.

Unfortunately not all systems will receive these updates e.g. most recent system was assembled in 2014 and has not received any updates from the vendor; the vendor has issued updates on their more recent motherboards. Only my 2016 laptop was updated. This means that for me; replacing the systems gradually is the only means of addressing variant 2 of the Spectre vulnerability.

Intel’s updates are for the Broadwell (5th generation CPUs i.e. 5000 series) and Haswell (4th generation CPUs i.e. 4000 series).

=======================
Microsoft Surface Pro:
=======================
Earlier this week Microsoft released firmware updates for their Surface Pro which mitigate the Meltdown and Spectre vulnerabilities. This link provides further details and how to install the updates.

=======================
Microsoft Issues Further Security Update on the 29th March:
=======================
As noted in my separate post; please refer to that post for details of a security update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit that resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of those Windows versions.

=======================
Microsoft Offers Bug Bounty for Meltdown and Spectre vulnerabilities:
=======================
Microsoft have announced bug bounties from $5000 to $250,000 to security researchers who can locate and provide details of exploits for these vulnerabilities upon Windows, Azure and Microsoft Edge.

If such a programme is successful it could prevent another instance of needing to patch further related vulnerabilities after the issues have been publicly disclosed (defined). This is sure to assist the system administrators of large organisations who currently in the process of deploying the existing updates or who may be testing systems on a phased basis to ensure performance is not compromised too much.

Further details are available from this link.

=======================
Update: 6th April 2018
=======================
Earlier this week, Intel issued a further progress update for the deployment of further microcode for their CPUs.

A further 5 families of CPUs have now completed testing and microcode updates are available. These families are:

    • Arrandale
    • Clarkdale
    • Lynnfield
    • Nehalem
    • Westmere

==================
However a further 9 families will not receive such updates for the reasons listed below. Those families are:

      • Micro-architectural characteristics that preclude a practical implementation of features mitigating [Spectre] Variant 2 (CVE-2017-5715)
      • Limited Commercially Available System Software support
      • Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.

==================

      • Bloomfield
      • Clarksfield
      • Gulftown
      • Harpertown Xeon
      • Jasper Forest
      • Penryn
      • SoFIA 3GR
      • Wolfdale
      • Yorkfield

This announcement from Intel means my Intel Core i7 Extreme 980X (from 2010) won’t receive an update. This system isn’t used very much on the internet and so the impact is limited. I am hoping to replace this system in the near future too.

Recommendations:

Please review the updated PDF made available by Intel (I can upload the PDF to this blog if Intel place it behind an account which requires sign in. At this time the PDF link still works).

As before; please monitor the websites for the manufacturer of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have to determine if these updates have been made available for your specific systems.

Thank you.

==================
BranchScope Vulnerability Disclosed:
In a related story; four security researchers from different universities responsibly disclosed (defined) a new side channel attack affecting Intel CPUs. This attack has the potential to obtain sensitive information from vulnerable systems (a similar result from the existing Meltdown and Spectre vulnerabilities).

Further details of this attack named “BranchScope” are available in this Softpedia article and this paper from the researchers. Within the above article Intel responded to this attack stating that this vulnerability is similar to known side channel and existing software mitigations (defined) are effective against this vulnerability. Their precise wording is provided below.

Thank you.

==================
An Intel spokesperson has provided the following statement:

“We have been working with these researchers and have determined the method they describe is similar to previously known side channel exploits. We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper. We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers.”
==================

=======================
Update: 13th April 2018
=======================
AMD have issued microcode (defined) updates for Windows 10 Version 1709 to enhance the protection of their customer’s against variant 2 (CVE-2017-5715) of the Spectre vulnerability. Further details of these updates are available within these KB articles: KB4093112 and KB3073119

Thank you.

=======================
Update: 18th May 2018
=======================
Please refer to the beginning of the May and April security update summaries for further updates related to addressing Spectre variant 2 (v2).

 

Blog Post Shout Out: Securing Internet of Things and WiFi

With Internet of Things (IoT) devices becoming part of everyday life properly implementing public key encryption (defined) within them is a critical step that should not be overlooked.

Facilitating the use of such devices is very widespread wireless access which should also be secured as much as possible (especially in corporate environments) so as not to inadvertently provide an easy means of accessing your internal network.

For both of the above technologies I wanted to provide a respectful shout-out to the following blog posts that provides step by step advice on securing wireless networks (includes physical security and hardening guest network access) as well as how public key cryptography should be implemented and used within IoT devices:

9 things to check after installing wireless access points by Eric Geier (Computerworld)
4.5 million web servers have private keys that are publicly known! by Paul Ducklin (Sophos Security)

I hope that you find the above posts/resources useful. Thank you.