A comprehensive guide to the Meltdown and Spectre vulnerabilities (regularly updated)

Version 35

    Verified Product Versions: Endpoint Manager 9.5, Endpoint Manager 9.6, Endpoint Manager 2016.x, Endpoint Manager 2017.x

    This article is regularly updated with information regarding these vulnerabilities

    This document serves as a reference to assist with the following:

    Overview of the Meltdown and Spectre vulnerabilities

    For a further overview of both the Meltdown and Spectre vulnerabilities please see the following Ivanti Blog Post: https://www.ivanti.com/blog/meltdown-spectre-need-know/

    Meltdown - CVE-2017-5754. More information from the National Vulnerability Database: NVD - CVE-2017-5754

    Spectre Variant 1 - CVE-2017-5753. More information from the National Vulnerability Database: NVD - CVE-2017-5753

    Spectre Variant 2 - CVE-2017-5715. More information from the National Vulnerability Database: NVD - CVE-2017-5715

    These CVE and NVD entries contain lists of advisories, solutions, and tools regarding these vulnerabilities. CVE is a reference method for publicly known IT vulnerabilities and exposures.

    Meltdown and Spectre are vulnerabilities that affect a wide range of computer processors, including Intel x86 processors and some ARM-based processors. Because the affected hardware is so widespread (servers, desktops, cell phones, tablets and other mobile devices), it includes systems that you manage with Ivanti EPM; this document therefore covers how to mitigate these vulnerabilities through the features of Ivanti EPM. Meltdown was disclosed in January 2018 together with a second vulnerability, Spectre, with which it shares some but not all characteristics. Meltdown patches may introduce some performance loss, although not as much as initially reported. On January 18th, 2018, unwanted reboots and other stability issues were reported as a result of patches applied to mitigate these vulnerabilities, and newer updates have since been released. All updates are addressed later in this document under the OS Updates section.

    OS Updates

    Windows Updates

    Changes to expect in the Ivanti Content:

    • With the Ivanti Content release on 04/25/2018, we will be removing the detection-only patches for machines that do not have the AV registry entry described in the Microsoft article referenced below, and will be offering the patches in this document to applicable machines.

    We highly suggest all customers review these issues here: https://support.microsoft.com/en-us/help/4072699

    Quote: We are lifting the AV compatibility check for Windows security updates for supported Windows 7 SP1 and Windows 8.1 devices via Windows Update. We continue to require that AV software be compatible, and in cases where there are known issues of AV driver compatibility, we will block those devices from updates to avoid any issues. We recommend customers check with their AV provider on compatibility of their installed AV software product.

    This section describes the available Patch and Compliance definitions that can be delivered through the EPM Patch and Compliance tool.

    If your patches are not installing when you expect them to, it may be because a registry key that Microsoft requires to be present before the patches are installed is missing. This requirement protects against potential incompatibility with anti-malware software that can cause blue screen crashes.

    For more information see About Antivirus products and the Meltdown and Spectre security vulnerabilities

    New 01/29/2018 - Important update for all operating systems

    Due to instability that Intel discovered the Spectre Variant 2 patches can cause, the OS vendors, browser vendors and hardware vendors will be issuing newer updates. This means that you can either install the current patches and risk instability, or not install them and remain vulnerable to the Spectre Variant 2 exploit. Intel has not identified any known exploits of this vulnerability at this time.

    Because of this, you need to choose between disabling (or rolling back) the Spectre Variant 2 mitigation patches and enabling their installation. You do not need to disable or enable any of the patch definitions themselves; simply choose whether to repair MSNS18-01-4078130_INTL, which DISABLES installing the specific patches, or IVA18-001_INTL, which ENABLES installing them. Remove one or the other from your Scan group accordingly.

    Microsoft news about this patch release: https://support.microsoft.com/en-us/help/4078130/update-to-disable-mitigation-against-spectre-variant-2

    Article from Intel: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
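    As an added, read-only example (not code from this article, Ivanti or Microsoft), the following PowerShell reports the two registry conditions discussed above on a managed Windows client: the anti-malware compatibility value that gates the Windows updates (documented in Microsoft KB4072699) and the FeatureSettingsOverride values that KB4078130 and the Windows Server guidance (KB4072698) use to disable or enable the Spectre Variant 2 mitigation. The registry paths and value names are Microsoft's documented ones; the function names and the report layout are this example's own.

```powershell
# Added example (not Ivanti's or Microsoft's code). Read-only: reports whether the
# AV compatibility flag is present and whether the Spectre v2 / Meltdown mitigations
# are overridden in the registry. Paths and value names are Microsoft's documented
# ones (KB4072699, KB4072698); Get-RegDword and Describe-Mitigation are this
# example's own helpers. Run in an elevated PowerShell session.

$avKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$avValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # expected: REG_DWORD 0
$mmKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns the DWORD value, or $null when the key or value is absent.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Anti-malware compatibility flag. Without it Windows Update does not offer the
#    January 2018 security updates, so the Ivanti definitions that deliver them
#    will not install even though the machine is still vulnerable.
$avFlag  = Get-RegDword $avKey $avValue
$avState = if ($null -eq $avFlag) { 'MISSING - updates will not be offered' }
           elseif ($avFlag -eq 0) { 'present (0) - updates can be offered' }
           else                   { "unexpected value $avFlag - check with the AV vendor" }

# 2. Mitigation override. Bit 0 (value 1) disables the Spectre Variant 2
#    (CVE-2017-5715) mitigation, bit 1 (value 2) disables the Meltdown
#    (CVE-2017-5754) mitigation; a bit only takes effect if it is also set in
#    FeatureSettingsOverrideMask. Disabling Variant 2 alone (what KB4078130 does)
#    corresponds to Override=1, Mask=1; Override=0, Mask=3 enables both.
$override = Get-RegDword $mmKey 'FeatureSettingsOverride'
$mask     = Get-RegDword $mmKey 'FeatureSettingsOverrideMask'

function Describe-Mitigation([int]$Bit, [string]$Label) {
    if ($null -eq $override -or $null -eq $mask -or -not ($mask -band $Bit)) {
        return "$Label : not overridden (OS default: enabled on Windows client, disabled on Windows Server until set)"
    }
    if ($override -band $Bit) { "$Label : DISABLED by registry override" }
    else                      { "$Label : ENABLED by registry override" }
}

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    AvCompatFlag = $avState
    SpectreV2    = Describe-Mitigation -Bit 1 -Label 'Spectre Variant 2 (CVE-2017-5715)'
    Meltdown     = Describe-Mitigation -Bit 2 -Label 'Meltdown (CVE-2017-5754)'
} | Format-List
```

    A machine reporting the AV flag as MISSING explains the "patches not installing" symptom described above, and the two mitigation lines show which of the opposing definitions (MSNS18-01-4078130_INTL or IVA18-001_INTL) last took effect.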

     

    To disable installing the patches that mitigate Spectre Variant 2

    Note: If you choose to install the following patch, make sure you are not scanning for and repairing IVA18-001_INTL, as the two are essentially opposites and will cause reboot loops due to constant detection and repair.

    Ivanti ID: MSNS18-01-4078130_INTL
    Microsoft KB #: KB4078130
    Ivanti Publish Date: 01/29/2018

    To enable installing the patches that mitigate Spectre Variant 2

    Note: If you choose to install the following patch, IVA18-001, make sure you are not scanning for and repairing MSNS18-01-4078130_INTL, as the two are essentially opposites and will cause reboot loops due to constant detection and repair.

    Ivanti ID: IVA18-001_INTL
    Microsoft KB #: 4072698
    Ivanti Publish Date: 01/29/2018

    This article contains the latest information on Windows Patches available to mitigate these issues:

    Ivanti Patch News Bulletin: Microsoft has Released its Security Bulletins for February 2018

    Patches are often superseded by a newer patch that contains additional fixes or mitigates problems with prior patches. It is expected that most if not all of these patches will be superseded, likely in the near future, as Intel and Microsoft acquire more information about the issue.

    It is important to keep your definitions cleaned up so you are only scanning and repairing the latest patches.

    To manage your Patch Content effectively see How To: Manage Superceded Patches in Patch and Compliance Manager

    Note: As of 01/17/2018, for all OS versions, the Windows patches for 32-bit systems do not provide Meltdown mitigations. This is a Windows patch issue, not an Ivanti patch issue. Microsoft's statement on this issue: "Addressing a hardware vulnerability through a software update presents significant challenges, and mitigations for older operating systems require extensive architectural changes. We are working with affected chip manufacturers to determine the best way to provide mitigations for x86 customers. These may be delivered in future updates."

    macOS and iOS updates

    Apple included mitigations in macOS 10.13.2 and iOS 11.2, released in December. It has since followed up with additional mitigations in the just-released Apple macOS Supplemental Update: About speculative execution vulnerabilities in ARM-based and Intel CPUs - Apple Support

    Linux and Unix updates

    Centos 6

    Ivanti ID           | Type of update | More Info URL                                   | Date Published
    CESA-2018-0093      | microcode_ctl  | https://access.redhat.com/errata/RHSA-2018:0093 | 01/17/2018
    CESA-2018:0013      | microcode_ctl  | https://access.redhat.com/errata/RHSA-2018:0013 | 01/04/2018
    CESA-2018-0061      | libvirt        | https://access.redhat.com/errata/RHSA-2018:0030 | 01/04/2018
    CESA-2018:0008      | kernel         | https://access.redhat.com/errata/RHSA-2018:0013 | 01/04/2018
    CESA-RHSA-2018:0024 | qemu-kvm       | https://access.redhat.com/errata/RHSA-2018:0024 | 01/04/2018

    Centos 7

    Ivanti ID      | Type of update | More Info URL                                   | Date Published
    CESA-2018:0094 | linux-firmware | https://access.redhat.com/errata/RHSA-2018:0094 | 01/17/2018
    CESA-2018:0007 | kernel         | https://access.redhat.com/errata/RHSA-2018:0007 | 01/04/2018
    CESA-2018:0014 | linux-firmware | https://access.redhat.com/errata/RHSA-2018:0014 | 01/04/2018
    CESA-2018:0012 | microcode_ctl  | https://access.redhat.com/errata/RHSA-2018:0012 | 01/04/2018
    CESA-2018:0029 | libvirt        | https://access.redhat.com/errata/RHSA-2018:0029 | 01/04/2018
    CESA-2018:0023 | qemu-kvm       | https://access.redhat.com/errata/RHSA-2018:0023 | 01/04/2018

    Red Hat Enterprise

    Ivanti ID      | Type of update | More Info URL                                   | Date Published
    RHSA-2018-0093 | microcode_ctl  | https://access.redhat.com/errata/RHSA-2018:0093 | 01/17/2018
    RHSA-2018-0094 | linux-firmware | https://access.redhat.com/errata/RHSA-2018:0094 | 01/17/2018
    RHSA-2018-0030 | libvirt        | https://access.redhat.com/errata/RHSA-2018:0030 | 01/05/2018
    RHSA-2018-0024 | qemu-kvm       | https://access.redhat.com/errata/RHSA-2018:0024 | 01/04/2018
    RHSA-2018-0023 | qemu-kvm       | https://access.redhat.com/errata/RHSA-2018:0023 | 01/04/2018
    RHSA-2018-0012 | microcode_ctl  | https://access.redhat.com/errata/RHSA-2018:0012 | 01/04/2018
    RHSA-2018-0014 | linux-firmware | https://access.redhat.com/errata/RHSA-2018:0014 | 01/04/2018
    RHSA-2018-0007 | kernel         | https://access.redhat.com/errata/RHSA-2018:0007 | 01/04/2018
    RHSA-2018-0008 | kernel         | https://access.redhat.com/errata/RHSA-2018:0008 | 01/04/2018
    RHSA-2018-0013 | microcode_ctl  | https://access.redhat.com/errata/RHSA-2018:0013 | 01/04/2018

    Ubuntu

    Ivanti ID  | Type of update                               | More Info URL                                    | Date Published
    USN-3530-1 | WebKitGTK                                    | USN-3530-1: WebKitGTK+ vulnerabilities           | 01/11/2018
    USN-3531-1 | intel-microcode                              | USN-3531-1: Intel Microcode update               | 01/11/2018
    USN-3522-4 | linux-lts-xenial                             | USN-3522-4: Linux kernel (Xenial HWE) regression | 01/10/2018
    USN-3523-2 | linux-hwe, linux-azure, linux-gcp, linux-oem | USN-3523-2: Linux kernel (HWE) vulnerabilities   | 01/10/2018
    USN-3522-3 | linux regression                             | USN-3522-3: Linux kernel regression              | 01/10/2018
    USN-3522-2 | linux-lts-xenial, linux-aws                  | USN-3522-2: Linux (Xenial HWE) vulnerability     | 01/09/2018
    USN-3522-1 | linux, linux-aws, linux-euclid, linux-kvm    | USN-3522-1: Linux kernel vulnerability           | 01/09/2018

    Browser Vulnerabilities

    Browser           | Earliest Recommended Version | Ivanti Patch Definition ID
    Edge              | Varies per build number      | MS18-02-W10_INTL
    Internet Explorer | Varies per OS                | MS18-02-IE_INTL
    Google Chrome     | 64.0.3282.167                | Chrome-216_INTL
    Firefox           | 58.0.2                       | FF18-004_INTL or newer
    Opera             | 51.0.2830.26                 | OPERA-155_INTL

    BIOS, Firmware and Driver updates

    Ivanti EPM Patch and Compliance provides content for several vendors' BIOS and driver updates. It is recommended to follow the advice of the vendor and to update your systems accordingly.

    As a convenience, we offer some links to vendor websites relating to this issue:

    Dell: Meltdown and Spectre Vulnerabilities | Dell US

    HP: HPSBHF03573 rev. 7 - Side-Channel Analysis Method | HP® Customer Support

    Lenovo: Reading Privileged Memory with a Side Channel

    Most vendors have pulled their BIOS updates pending new changes from the CPU vendors.

    Further Information: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners

    These vendor links are provided for convenience. They may quickly become outdated, and the vendor may provide better links.

    Antivirus software and possible compatibility issues with OS patches

    See the following article for information specifically regarding antivirus compatibility, including Ivanti Antivirus: About Antivirus products and the Meltdown and Spectre security vulnerabilities