Security Vulnerability: Speculative execution side-channel attacks or Meltdown and Spectre.

Security Vulnerability: Speculative execution side-channel attacks or Meltdown and Spectre.

Security Vulnerability: Speculative execution side-channel attacks or Meltdown and Spectre.

2018-01-09T16:26:40+00:00 Jan 9th, 2018|Security & Technology Updates|

CTComp has been following a developing story in the tech world and we wanted to share with you what we know so far.

Researchers have discovered a security vulnerability that affects nearly all modern processors and operating systems. These vulnerabilities are known as “speculative execution side-channel attacks” but you might see them referred to in the news as “Meltdown” and “Spectre.” The root of the issue is that when successfully exploited, one application on a system might be able to access the memory of another application on the system, and therefore potentially be able to expose sensitive information. More technical information about Meltdown and Spectre can be found here: https://meltdownattack.com and Intel’s response to the research discoveries can be found here: https://newsroom.intel.com/news/intel-responds-to-security-research-findings

VMWare has released patches for ESXi versions 5.5, 6.0, and 6.5 to address the Spectre vulnerabilities; ESXi is not vulnerable to the Meltdown attack. https://www.vmware.com/ca/security/advisories/VMSA-2018-0002.html

If you would like CTComp to assist with installing these updates to your VMWare hosts, please send an email to service@ctcomp.com to create a support ticket with your request. If you have a Yearly Updates agreement covering your ESXi hosts, we can apply this patch, as well as any other available updates (including new HPE firmware), for your 2018 Yearly Updates at no charge. Please note, however, that any future requests for patches/upgrades to your VMWare hosts in 2018 will be billed hourly at your Master Agreement rate.

Microsoft has also released their January 2018 Security Updates ahead of the normal schedule to include patches that help protect Windows client and server operating systems from the Meltdown and Spectre vulnerabilities. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

CTComp Patch Management customers will have the January 2018 Security Updates installed automatically to covered and supported systems during their normal patch window before the end of this month. The January 2018 Security Update rollup from Microsoft includes a new AntiVirus software compatibility check before the update can be installed. Current versions of all CTComp-supported AntiVirus software (Webroot; Kaspersky; Symantec Endpoint Protection; Trend Micro OfficeScan, ServerProtect, WFBS, & Deep Security) are all compatible with the Microsoft January 2018 Security Updates. However, not all of these software packages are currently able to set the necessary registry key automatically to allow the Microsoft patch to install. These software vendors are working to release AV engine/software updates that do set this registry key, as quickly as possible. Should the Microsoft January 2018 Security Updates fail to install onto a managed system due to the AntiVirus compatibility check, or any other reason, we will be alerted by our patching system and will follow-up with a service ticket to investigate and remediate.

Since full protection from these vulnerabilities requires not just operating system, but firmware updates as well, Hewlett Packard Enterprise has released new firmware for the Gen9 and Gen10 series of servers. https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03805en_us

For Yearly Updates customers, this firmware update will be installed to covered and supported systems during your 2018 Yearly Updates project at no charge. If you are not a Yearly Updates customer and/or would like CTComp’s assistance with installing this new firmware out-of-band from your 2018 Yearly Updates, please send an email to service@ctcomp.com to create a support ticket with your request, and please note that time to install these updates will be billed hourly.

The full extent of the Meltdown and Spectre vulnerabilities is still unfolding, and software and hardware manufacturers are releasing new information daily. As we continue to extract the information that we feel is important for our customers to know, we will share it with you.