-
Title
Meltdown and Spectre (CPU Vulnerability) -
Description
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
-
Resolution
Meltdown and Spectre are hardware-level vulnerabilities. As such, every operating system is susceptible. The KACE products - Systems Management Appliance (SMA) and Systems Deployment Appliance (SDA) - both run FreeBSD on Dell hardware platforms. FreeBSD does not yet have a patch available or an ETA for the fix, but since the SMA and SDA are closed-source appliance-based systems, there is no perceived risk from the KACE appliances at this time. Vendor patches will be added to the patch feed (provided by our patch vendor) as they are released and tested. This process usually takes 1-2 days, but may vary according to the vendor patch. Vendor specific information/resources are listed below:
Vendor Specific Information & Resources
Official Release: https://meltdownattack.com/
Dell Official Response: http://www.dell.com/support/article/us/en/04/sln308588
Google: https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
----------
KACE Agent Supported Operating Systems
FreeBSD: https://www.freebsd.org/news/newsflash.html#event20180104:01
Microsoft: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002
* NOTE: Microsoft Windows patches were added to the patch feed on 1/5/18. A list of the patches in the January 2018 out-of-band release is attached to this article (Microsoft_OOB_Jan2018.txt).
* NOTE: Microsoft Windows patches will only be detected missing on systems with the existence of a registry value written by anti-virus vendors to avoid BSOD or worse issues. More information is available here.
* IT Ninja Blog: Spectre & Meltdown Analysis using KScripting with TextReturn
Apple: https://support.apple.com/en-us/HT208331
RedHat: https://access.redhat.com/security/vulnerabilities/speculativeexecution
Ubuntu: https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities
SuSE: https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/
----------
KACE Supported Virtualization Platforms
VMware: https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html
-
Attachments