URGENT Information Security Advisory - Meltdown and Spectre Vulnerabilities
The UCLA IT Security Office is informing campus units of several high-profile, significant vulnerabilities that involve both a hardware-level flaw and a general design flaw in application data protection involving “speculative execution” – a technique that optimizes the execution of instructions in modern processors (those made since 1995) to improve performance. As a result, applications that should not have direct memory access to data belonging to other applications on the same processing platform are potentially able to read that data. The identified vulnerabilities have been designated as follows:
- Spectre: CVE-2017-5753 and CVE-2017-5715
- Meltdown: CVE-2017-5754
The Spectre vulnerability is a hardware-level flaw involving modern processors in general – not just Intel, but AMD, and even some ARM-based processors as well.
The Meltdown vulnerability is specific to Intel processors and breaks the processor-level application memory isolation/protection capabilities of modern Intel processors – allowing other applications running on the same processor to read restricted memory and data.
Mitigation of “Spectre” and “Meltdown” is expected to result in significant impacts to IT environments world-wide, and UCLA Campus computing environments are no exception. Specifically, UCLA mitigation will involve significant patch management to alleviate the vulnerabilities themselves, including the potential need for additional computer resource allocations to maintain present levels of application performance.
Many operating system vendors have software security patches available that address one or both vulnerabilities:
- MS Windows — Microsoft has issued an out-of-band patch update for Windows 10. Other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018. The Windows 10 Fall Creators Update is patched for these vulnerabilities by KB4056892, which brings the OS build up to 16299.192. All Windows 10 OS builds prior to 16299.192 are vulnerable. https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
- MacOS — Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but macOS 10.13.3 will enhance or complete these mitigations.
- Linux — Many Linux kernel developers have released patches implementing kernel page-table isolation (KPTI), which moves the kernel into an entirely separate memory address space.
- Android on Pixel and Nexus — Google has released security patches for Pixel/Nexus device users as part of the Android January security patch update. Other Android device users have to wait for their respective device manufacturers to release a compatible security update.
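For Linux hosts, the practical question after patching is whether the running kernel actually reports the mitigations. The following script is an added example (not part of the UCLA advisory and not vendor code): it reads the per-issue status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (present since kernel 4.15) and checks /proc/cpuinfo for the "pti" flag that indicates kernel page-table isolation is active. Older kernels that lack the sysfs directory are reported as unknown rather than assumed safe.

```shell
#!/bin/sh
# Added example: report the Linux kernel's own view of Meltdown/Spectre
# mitigation status. Assumes a 4.15+ kernel for the sysfs interface;
# on older kernels the status is reported as unknown.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Classify one sysfs status line (e.g. "Mitigation: PTI") into one of:
# mitigated | vulnerable | not_affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Return 0 if the given /proc/cpuinfo text lists the "pti" CPU flag
# (the kernel sets it when page-table isolation is enabled).
has_pti_flag() {
    printf '%s\n' "$1" | grep -qE '^flags[[:space:]]*:.*[[:space:]]pti([[:space:]]|$)'
}

# Summarize every status file in a vulnerabilities directory.
report_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the sysfs interface (4.15); status unknown"
        return 0
    fi
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        printf '%-12s %-13s %s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

# Live report for the host this script runs on.
report() {
    report_dir "$VULN_DIR"
    if [ -r /proc/cpuinfo ] && has_pti_flag "$(cat /proc/cpuinfo)"; then
        echo "KPTI: enabled (pti flag present)"
    else
        echo "KPTI: not reported"
    fi
}

report
```

A "Vulnerable" line after the patch usually means the new kernel has not been booted yet, or that microcode needed for the Spectre variant 2 mitigation is missing; treat either as still outstanding.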
Anticipated Impact to UCLA Campus IT Operations
Patch management: All computing platforms, servers, workstations, and mobile devices such as tablets, laptops, and mobile phones will require patches to be applied to alleviate these vulnerabilities. Significant resources may be needed to accomplish this before new “in-the-wild” attacks leveraging these vulnerabilities appear. Patches should be applied as quickly as practical to limit the number of Internet-facing devices that remain vulnerable to the inevitable malicious exploits, which could result in data leakage or a breach.
Browser settings: Since the most likely vector for any attacks will involve web browsers and visits to websites containing malicious/exploit code, you should consider enabling site isolation processes in web browsers if the browser already supports this function.
Google Chrome: Supports site isolation in Version 63. This capability should be considered to protect the processes running on end-user devices from the possibility of data leakage via the browser. Google Chrome has a workaround available presently that can be applied to all builds of the Chrome 63 browser until the next update to Chrome on January 23, 2018, as described at https://support.google.com/faqs/answer/7622138. Enterprise policies are also available to turn on Site Isolation for all sites, or just those in a specified list. Learn more about Site Isolation by policy at https://support.google.com/chrome/a/answer/7581529
MS Edge and IE 11: Patched in the January 3rd Windows 10 patch – other Windows versions to follow on January 9th.
Firefox: A fix for Version 57 is forthcoming and will be delivered by auto-update.
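As an added example of the enterprise-policy route for Chrome described above (not code from the advisory or from Google): on Linux, Chrome reads managed policies from JSON files in /etc/opt/chrome/policies/managed/. The script below generates either a `SitePerProcess` policy (isolate every site) or an `IsolateOrigins` policy (isolate only the listed origins) and installs it into that directory; the directory is overridable through POLICY_DIR so the output can be inspected before touching the real system. The file name `site_isolation.json` is an arbitrary choice.

```shell
#!/bin/sh
# Added example: install a Chrome managed policy enabling Site Isolation.
# Assumes Chrome on Linux; POLICY_DIR defaults to Chrome's managed policy path.
POLICY_DIR=${POLICY_DIR:-/etc/opt/chrome/policies/managed}
POLICY_FILE=site_isolation.json   # arbitrary file name, any *.json is read

# Print the policy JSON. With no arguments, isolate all sites
# (SitePerProcess). With one or more origins, isolate only those
# (IsolateOrigins takes a comma-separated list).
site_isolation_policy() {
    if [ $# -eq 0 ]; then
        printf '{\n  "SitePerProcess": true\n}\n'
    else
        origins=$(printf '%s,' "$@")
        origins=${origins%,}
        printf '{\n  "IsolateOrigins": "%s"\n}\n' "$origins"
    fi
}

# Write the policy file with world-readable, root-writable permissions.
install_policy() {
    mkdir -p "$POLICY_DIR"
    site_isolation_policy "$@" > "$POLICY_DIR/$POLICY_FILE"
    chmod 644 "$POLICY_DIR/$POLICY_FILE"
    echo "wrote $POLICY_DIR/$POLICY_FILE"
}

# Usage (run as root on the target host):
#   install_policy                                  # all sites
#   install_policy https://mail.example https://hr.example   # listed origins only
```

After installing, the chrome://policy page on the managed browser should list the policy with status OK; a policy that does not appear there has not been picked up and the browser is not isolating sites.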
Processing performance: Since these patches may have a significant impact on the processing capabilities of many modern processors, re-leveling or adding compute resources may be required to maintain the present level of compute performance on server platforms.
The IT Security Office recommends reviewing the bulletins and applying the various security updates as soon as practical. Please contact us if you have any questions regarding this announcement.