Guidance for the Spectre, Meltdown, Speculative Store Bypass, Rogue System Register Read, Lazy FP State Restore, Bounds Check Bypass Store, TLBleed, and L1TF/Foreshadow vulnerabilities as well as general hardware and firmware security guidance. #nsacyber
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
guidance
verification
CONTRIBUTING.md
DISCLAIMER.md
LICENSE.md
LICENSE.spdx
README.md

README.md

Spectre and Meltdown Guidance

Table of Contents

  1. About this Repository
  2. General Guidance
  3. Affected Processors
  4. Additional Processor Flaw Guidance
    1. SpectrePrime and MeltdownPrime
    2. SgxPectre
    3. Total Meltdown
    4. BranchScope
    5. Ryzenfall, Chimera, Fallout, and Masterkey
  5. License
  6. Contributing
  7. Disclaimer

About This Repository

This repository provides content for aiding DoD administrators in verifying systems have applied and enabled mitigations for Spectre and Meltdown. The repository is a companion to a forthcoming Information Assurance Advisory Updated Guidance for Spectre and Meltdown Vulnerabilities Affecting Modern Processors. This advisory will be an update to the previously issued advisory Vulnerabilties Affecting Modern Processors.

General Guidance

Vulnerabilities affecting modern Intel, AMD, Arm, and IBM processors have been disclosed.

Marketing Name Variant Technical Name CVE Requires OS patches Requires firmware patches Requires application patches Requires configuration changes
Spectre 1 Bounds Check Bypass CVE-2017-5753 Yes No Yes Yes, for some applications
Spectre 1.1 Write Bounds Bypass CVE-2018-3693 TBD TBD No TBD
Spectre 1.2 Protected Memory Range Read Bypass CVE-2018-3693 TBD TBD No TBD
Spectre 2 Branch Target Injection CVE-2017-5715 Yes Yes No Yes, for some operating systems and work roles
Meltdown 3 Rogue Data Cache Load CVE-2017-5754 Yes No No Yes, for some operating systems
Meltdown 3.1 Rogue Register Load CVE-2018-3640 Yes No No Yes, for some operating systems
SpectreNG 4 Bounds Check Bypass CVE-2018-3639 Yes Yes No No
SgxPectre Enclave Branch Target Injection Yes No Yes No. Devs update SGX SDK.
SpecreRSB Return Stack Poisoning TBD TBD TBD TBD
NetSpectre Network-attached Cache Siphon TBD TDB No Yes, firewall configuration updates

Mitigations fall under a common number of themes:

  • Installing application specific patches and in some cases configuring the application.
  • Installing operating system patches and in some cases configuring the operating system.
  • Installing firmware patches that contain processor microcode updates.

General guidance for prioritizing patching:

  1. Prioritize patching applications, such as browsers first, as they are the easiest to patch, have the least amount of issues with performance and compatibility, and the most likely widespread attack vector.
  2. Prioritize installing operating system patches on desktop, laptops, and tablets. Compatibility issues with operating system patches have been largely resolved by the OS vendors and performance issues are much less on desktops since they typically do not have IO intensive workloads like servers (file storage arrays, email servers, database servers) where the majority of the performance issues are excertbated. Attacks via email, Office documents, PDFs, are the second most likely widespread attack vector.
  3. Prioritize patching servers that do NOT have IO intensive workloads (no file storage arrays, no email servers, no database servers). Some organizations may want to wait on patching any servers until more performance data is available or more localized testing has been performed to determine if the risk of remaining unpatched is warranted for the performance trade offs.
  4. Do not install firmware patches until processor manufacturers (Intel, AMD, IBM, Arm, etc) and OEMs (Dell, Dell EMC, HP Inc, HP Enterprise, etc) have signaled the new firmware patches are ready.

The main areas of interest in the repository are:

  • Guidance - Operating system and application specific guidance. Currently only for Windows and Linux.
  • Verification - Operating and application specific verification of mitigations. Currently only for Windows.

The files in this repository can be downloaded as a zip file here.

Affected Processors

Below is a list of known affected processors as documented by Intel, AMD, Arm, and IBM. It is likely that more processors than documented below are affected.

Manufacturer Processor Family
AMD Ryzen
AMD EPYC
AMD Opteron
AMD Athlon
AMD Turion X2 Ultra
Arm Cortex-R7
Arm Cortex-R8
Arm Cortex-A8
Arm Cortex-A9
Arm Cortex-A15
Arm Cortex-A17
Arm Cortex-A57
Arm Cortex-A72
Arm Cortex-A73
Arm Cortex-A75
IBM POWER7
IBM POWER7+
IBM POWER8
IBM POWER9
Intel Core i3 processor (45nm and 32nm)
Intel Core i5 processor (45nm and 32nm)
Intel Core i7 processor (45nm and 32nm)
Intel Core M processor family (45nm and 32nm)
Intel 2nd generation Core processors
Intel 3rd generation Core processors
Intel 4th generation Core processors
Intel 5th generation Core processors
Intel 6th generation Core processors
Intel 7th generation Core processors
Intel 8th generation Core processors
Intel Core X-series Processor Family for Intel X99 platforms
Intel Core X-series Processor Family for Intel X299 platforms
Intel Xeon processor 3400 series
Intel Xeon processor 3600 series
Intel Xeon processor 5500 series
Intel Xeon processor 5600 series
Intel Xeon processor 6500 series
Intel Xeon processor 7500 series
Intel Xeon Processor E3 Family
Intel Xeon Processor E3 v2 Family
Intel Xeon Processor E3 v3 Family
Intel Xeon Processor E3 v4 Family
Intel Xeon Processor E3 v5 Family
Intel Xeon Processor E3 v6 Family
Intel Xeon Processor E5 Family
Intel Xeon Processor E5 v2 Family
Intel Xeon Processor E5 v3 Family
Intel Xeon Processor E5 v4 Family
Intel Xeon Processor E7 Family
Intel Xeon Processor E7 v2 Family
Intel Xeon Processor E7 v3 Family
Intel Xeon Processor E7 v4 Family
Intel Xeon Processor Scalable Family
Intel Xeon Phi Processor 3200, 5200, 7200 Series
Intel Atom Processor C Series
Intel Atom Processor E Series
Intel Atom Processor A Series
Intel Atom Processor x3 Series
Intel Atom Processor Z Series
Intel Celeron Processor J Series
Intel Celeron Processor N Series
Intel Pentium Processor J Series
Intel Pentium Processor N Series

Additional Processor Flaw Guidance

SpectrePrime and MeltdownPrime

General Guidance is sufficient for mitigating the prime variants of Spectre and Meltdown. Prime variants feature an implementation difference and speculative exploitation across processor core caches.

SgxPectre

SgxPecture (sometimes referred to as SgxSpectre) leverages a race condition built into the Intel SGX SDK. A Spectre variant 2-like branch target injection vulnerability results. The attack affects Intel processors with SGX instructions.

Developers should install SDK updates and recompile SGX applications. All SGX SDKs that are derived from the Intel SDK must be updated. All SGX applications built from Intel-derived SGX SDKs must be recompiled or patched.

Administrators should update SGX-enabled applications and apply OS SGX-related patches.

Total Meltdown

A patching flaw has been identified in Windows 7 and Server 2008 64-bit operating systems. Security fixes intended to mitigate Meltdown may not have been effective. Install Microsoft's March 2018 rollup patches as a solution. Refrence patch KB4088878.

Microsoft Update Catalog

Microsoft Support Advisory

BranchScope

Firmware patches are expected Q2 2018. No further information is available at this time.

Ryzenfall, Chimera, Fallout, Masterkey

Software and firmware patches are expected in Q2 2018. Ryzenfall, Fallout, and Masterkey flaws affect AMD products. Chimera flaws affect ASMedia products with debugging features regardless of processor brand or architecture. The following mitigations are advised:

  1. Revisit security practices involving local machine administrative privileges. Attacks in this category require administrative credentials. Properly safeguarding and limiting the use of such credentials is critical.
  2. Set a UEFI configuration administrator password if not already present.
  3. Investigate UEFI configuration to identify and disable unused devices and ports. Unused SATA controller ports or unused USB controller ports are example candidates for disabling. Tailor the UEFI configuration based on a device's use case.

License

See LICENSE.

Contributing

See CONTRIBUTING

Disclaimer

See DISCLAIMER.