Skip to content

Latest commit

 

History

History
391 lines (324 loc) · 43.4 KB

README.md

File metadata and controls

391 lines (324 loc) · 43.4 KB

meltdownspectre-patches

Summary of the patch status for Meltdown / Spectre

What?

Meltdown and Spectre are hardware design vulnerabilities in all modern CPUs based on speculative execution. Background infos:

The bug is in the hardware, but mitigations in operating systems are possible and are getting shipped now. I'm collecting notes on the patch status in various software products. This will change rapidly and may contain errors. If you have better info please send pull requests.

Spectre & Meltdown Checkers

(Use at your own risk)

  • Linux: Stéphane Lesimple put together a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs.
  • Linux: Red Hat Check Script - get the latest version from the diagnose tab of the main Red Hat vulnerability article.
  • Linux: Debian Spectre-Meltdown Checker - Spectre & Meltdown vulnerability/mitigation checker available in stretch-backports.
  • Microsoft Windows: See the Windows section in this document containing the link to the official Powershell script.

PoCs

  • In a recent tweet, Moritz Lipp (Graz University of Technology) has announced the release of their PoC implementations for Meltdown.
  • In a recent tweet, Jann Horn (Google's Project Zero) has announced that the PoC code referenced in their recent blogpost about CPUs is now public.
  • The LSDS group at Imperial College London has published sample code demonstrating a Spectre-like attack against an Intel SGX enclave.
  • Dag-Erling Smørgrav published a Meltdown PoC for FreeBSD.

Linux upstream kernel

Kernel Page Table Isolation is a mitigation in the Linux Kernel, originally named KAISER.

Noteworthy:

minipli patches

minipli is an unofficial fork of the former grsecurity patches (original grsecurity is no longer publicly available). minipli is based on the longterm kernel 4.9, which supports KPTI since 4.9.75, yet the patchset isn't ported yet.

Android

Windows

Update - Tue 9 Jan 09:00 UTC

Microsoft has reports of some customers with AMD devices getting into an unbootable state after installing this KB. To prevent this issue, Microsoft will temporarily pause Windows OS updates to devices with impacted AMD processors (older CPUs, eg. Athlon and Sempron) at this time. Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible. If you have experienced an unbootable state or for more information see KB4073707. For AMD specific information please contact AMD.

Update - Sat 27 Jan

Apple

Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown.

Update Mon 8 Jan 18:00 UTC

Apple has released security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715):

Update - Sun 7 Jan 2018, 9:00 UTC

Based on the Apple's response posted here, Meltdown (CVE-2017-5754) is currently only addressed in iOS 11.2, macOS 10.13.2, and tvOS 11.2. Apple cannot say at this time if there will be updates to OS versions prior to the ones listed in their article at this time. The same can be said for Spectre (CVE-2017-5753 and CVE-2017-5715) and any updates for Safari. This means that at this given time there are NO patches for 10.11.x (El Capitan) or 10.12.x (Sierra).

Linux distributions

FreeBSD

Virtualization

Browsers

Update Mon 8 Jan 2018, 13:00 UTC

Tencent's Xuanwu Lab has released a web-based tool that can detect whether your browser is vulnerable to Spectre Attack and can be easily exploited. Official tweet: https://twitter.com/XuanwuLab/status/950345917013504001

Cloud Providers

Chip Manufacturers / HW Vendors

CERTs

CPU microcode

Update - Wed 17 Jan 8:30 UTC

Red Hat is currently recommending that subscribers contact their CPU OEM vendor to download the latest microcode/firmware. Red Hat is no longer providing microcode to address Spectre variant 2, due to instabilities that are causing systems to not boot. More details can be found in this article (subscription required).

Update - Tue 9 Jan 21:50 UTC

Latest Intel microcode update (released 1/8/2018) is 20180108. According to its release notes:

-- Updates upon 20171117 release --
IVT C0		(06-3e-04:ed) 428->42a
SKL-U/Y D0	(06-4e-03:c0) ba->c2
BDW-U/Y E/F	(06-3d-04:c0) 25->28
HSW-ULT Cx/Dx	(06-45-01:72) 20->21
Crystalwell Cx	(06-46-01:32) 17->18
BDW-H E/G	(06-47-01:22) 17->1b
HSX-EX E0	(06-3f-04:80) 0f->10
SKL-H/S R0	(06-5e-03:36) ba->c2
HSW Cx/Dx	(06-3c-03:32) 22->23
HSX C0		(06-3f-02:6f) 3a->3b
BDX-DE V0/V1	(06-56-02:10) 0f->14
BDX-DE V2	(06-56-03:10) 700000d->7000011
KBL-U/Y H0	(06-8e-09:c0) 62->80
KBL Y0 / CFL D0	(06-8e-0a:c0) 70->80
KBL-H/S B0	(06-9e-09:2a) 5e->80
CFL U0		(06-9e-0a:22) 70->80
CFL B0		(06-9e-0b:02) 72->80
SKX H0		(06-55-04:b7) 2000035->200003c
GLK B0		(06-7a-01:01) 1e->22

Update - Thu 4 Jan 2018, 15:30 UTC

It seems that the new Intel’s microcode archive (2017-12-15) provided with the latest Red Hat’s microcode_ctl update includes three new files: 06-3f-02, 06-4f-01, 06-55-04.

Based on what we know:

  1. it adds one new CPUID and two MSR for the variant of Spectre that uses indirect branches
  2. it forces LFENCE to terminate the execution of all previous instructions, thus having the desired effect for the variant of Spectre that uses conditional branches (out-of-bounds-bypass)

Those IDs belong to the following processor microarchitectures: Haswell, Broadwell, Skylake (official reference)

Update - Thu 4 Jan 2018, 16:30 UTC

Regarding AMD's microcode update: it seems to be only for EPYC (maybe Ryzen, not sure!) and it only adds one of the two MSRs (IA32_PRED_CMD). It uses a different bit than Intel's in the CPUID. It is also for Spectre with indirect branches. Previous microprocessors resolved it with a chicken bit. Please note that the same solution implemented at kernel level works for both Intel and AMD.

Update - Fri 5 Jan 2018, 03:35 UTC

Debian Project package maintainers released an updated version of the "intel-microcode" package (version 2017-12-15) for the Sid (unstable) branch olny. Upon inspection, it seems to contain the same microcode additions observed in the Red Hat microcode_ctl update of Thu 4 Jan 2018, 15:30 UTC. The package in compatible with all Debian-based distributions that support post-boot microcode updates.

Antiviruses

Some Antiviruses do things that break when installing the Windows patches, therefore Microsoft doesn't automatically install the patches on those systems.

Vendor overview: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true

RDBMS

NOSQL

Embedded Devices

Compilers