You may not know that most of the world’s computer processors are vulnerable to the Meltdown and Spectre vulnerabilities. What are Meltdown and Spectre, and what should you do to protect your server? In this article, we’ll take a look at these vulnerabilities, and talk about the major hardware vendors that are affected. Most importantly, we’ll explain the steps you should take on your Windows and Linux servers to secure your data.
Let’s dive in!
What are the Meltdown and Spectre Vulnerabilities?
Meltdown and Spectre are critical vulnerabilities in computer processors. They permit programs to leak information as they run, making that information available to hackers. Modern computer systems are set up so that programs can’t access data from other programs unless the user specifically allows that to happen. The Meltdown and Spectre vulnerabilities make it possible for an attacker to access program data without the user’s permission (and usually without the user’s knowledge). This means that an attacker could potentially access your personal photos, email, any passwords you’ve stored in your browser’s password manager, instant messages, corporate documents, tax returns, and more.
Meltdown permits any application to gain access to the entire system memory. Operating system patches and firmware updates are required to mitigate this vulnerability.
Why is it called Meltdown?
This vulnerability “melts” security boundaries that are in place to protect your sensitive information.
Spectre, on the other hand, permits one application to force another application to access some portion of its memory. This vulnerability is harder to exploit than Meltdown, but also harder to mitigate.
Why is it called Spectre?
The name is based on the process that is the root cause of the vulnerability, “speculative execution”. (Also, because it’s difficult to fix and will haunt us for some time!)
Which hardware vendors are affected?
Intel’s core architecture and AMD processors are the most widely affected. However, there are 131+ affected vendors for these vulnerabilities.
Which devices are affected by Meltdown?
Desktop, laptop, and cloud computers are all affected by Meltdown. Every Intel processor made after 1995 that uses speculative execution is potentially affected, with the exception of Intel Itanium and Atom. Itanium and Atom processors made after 2013 are not affected by Meltdown.
Which devices are affected by Spectre?
Spectre affects desktops, laptops, cloud servers, and smartphones. All modern processors can be affected by the Spectre vulnerability. Spectre has been confirmed on Intel, AMD, and ARM processors.
How to protect your Windows server from the Meltdown and Spectre vulnerabilities?
It’s important to check whether your Windows system is vulnerable. If it is, you’ll need to take action. We’ve made it easy for you by giving you step-by-step instructions.
How to check to see if your Windows server is protected against these vulnerabilities?
- Log in to your server, open Windows PowerShell as an administrator, and run the following command:
Install-Module SpeculationControl
- Type “Y” and press Enter to enable NuGet provider.
- Type “Y” and press Enter if you are asked whether you want to install a package from an untrusted source. This is expected, because the PowerShell Gallery is not marked as a trusted repository by default.
- Run the following command to save the current execution policy.
$SaveExecutionPolicy = Get-ExecutionPolicy
- Run the following command to ensure you can import the module in the next step.
Set-ExecutionPolicy RemoteSigned -Scope Currentuser
- Type “Y” and press Enter to confirm the execution policy change.
- Run the following command to import SpeculationControl module.
Import-Module SpeculationControl
- Finally, run the following command to make sure your device has the necessary updates.
Get-SpeculationControlSettings
You’ll be able to see if your server is still vulnerable to the Meltdown and Spectre security flaws. This screenshot shows a Windows system that is not protected.
How to protect your Windows server from these vulnerabilities?
Microsoft has worked with CPU vendors and released important security updates. You will need to:
- Install all security updates.
- Apply an applicable firmware update from the OEM device manufacturer.
When you check for Windows Updates, you may not get the security updates released in January 2018. In order to get these updates, you will need to add the following registry key on your virtual server:
Key=“HKEY_LOCAL_MACHINE”
Subkey=“SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat”
Value=“cadca5fe-87d3-4b96-b7fb-a231484277cc”
Type=“REG_DWORD”
Data=“0x00000000”
Once you’ve added this registry key, reboot your server. After your system starts up again, check for the updates. Install all new updates and reboot the server again.
You’ll also need to make sure that you have the following security patches installed:
Windows Server, version 1709 (Server Core Installation) – 4056892
Windows Server 2016 – 4056890
Windows Server 2012 R2 – 4056898
Windows Server 2008 R2 – 4056897
If these patches are still not installed, you can download them manually using the update codes listed above.
Once you have updated the system and applied required firmware updates from the OEM device manufacturer, run the following commands again from the Windows PowerShell to make sure that your server is safe:
$SaveExecutionPolicy = Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned -Scope Currentuser
Import-Module SpeculationControl
Get-SpeculationControlSettings
Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser
You’re out of the danger zone now! This screenshot shows a Windows system that’s protected from the Spectre and Meltdown vulnerabilities.
How to protect a Linux server from the Meltdown and Spectre vulnerabilities?
Because these vulnerabilities are hardware-based, almost all Linux systems are affected by them. Many Linux distributions have released software updates that mitigate Meltdown and Spectre by disabling or working around the processor behavior that leads to the vulnerabilities. Linux systems are not yet fully patched.
Below is the list of Linux distributions that have released kernel updates with partial mitigation:
- CentOS 7: kernel 3.10.0-693.11.6
- CentOS 6: kernel 2.6.32-696.18.7
- Fedora 27: kernel 4.14.11-300
- Fedora 26: kernel 4.14.11-200
- Ubuntu 17.10: kernel 4.13.0-25-generic
- Ubuntu 16.04: kernel 4.4.0-109-generic
- Ubuntu 14.04: kernel 3.13.0-139-generic
- Debian 9: kernel 4.9.0-5-amd64
- Debian 8: kernel 3.16.0-5-amd64
- Debian 7: kernel 3.2.0-5-amd64
- Fedora 27 Atomic: kernel 4.14.11-300.fc27.x86_64
- CoreOS: kernel 4.14.11-coreos
If the kernel version is updated to at least the version mentioned above, then some updates have been applied. The FreeBSD distribution, as of January 12th, 2018, has still not released any kernel updates. Ubuntu 17.04 is reaching EOL (End Of Life) on January 13th, 2018, and it will not receive any updates.
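The version comparison described above can be scripted. The following is an added example, not part of the original article or of any tool it mentions: the function names are hypothetical, the minimum versions are the ones from the list above, and the sample kernel releases are constructed.

```shell
#!/bin/sh
# Added example (not from the article); function names are hypothetical.

# Minimum kernel per distribution, copied from the article's list.
min_kernel_for() {
    case "$1" in
        "CentOS 7")         echo "3.10.0-693.11.6" ;;
        "CentOS 6")         echo "2.6.32-696.18.7" ;;
        "Fedora 27")        echo "4.14.11-300" ;;
        "Fedora 26")        echo "4.14.11-200" ;;
        "Ubuntu 17.10")     echo "4.13.0-25-generic" ;;
        "Ubuntu 16.04")     echo "4.4.0-109-generic" ;;
        "Ubuntu 14.04")     echo "3.13.0-139-generic" ;;
        "Debian 9")         echo "4.9.0-5-amd64" ;;
        "Debian 8")         echo "3.16.0-5-amd64" ;;
        "Debian 7")         echo "3.2.0-5-amd64" ;;
        "Fedora 27 Atomic") echo "4.14.11-300.fc27.x86_64" ;;
        "CoreOS")           echo "4.14.11-coreos" ;;
        *) return 1 ;;
    esac
}

# Keep only the leading numeric part of a release string, as fields:
# "3.10.0-693.11.6.el7.x86_64" -> "3 10 0 693 11 6"
numeric_fields() {
    printf '%s\n' "$1" | sed -e 's/[^-0-9.].*$//' -e 's/[-.]/ /g'
}

# Succeed if release $1 is at least minimum $2 (numeric, field by field).
kernel_at_least() {
    awk -v a="$(numeric_fields "$1")" -v b="$(numeric_fields "$2")" 'BEGIN {
        na = split(a, x, " "); nb = split(b, y, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {      # missing fields compare as 0
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print OK, OUTDATED or UNKNOWN for distribution $1 running release $2.
check_kernel() {
    min=$(min_kernel_for "$1") || { echo "UNKNOWN"; return 0; }
    if kernel_at_least "$2" "$min"; then echo "OK"; else echo "OUTDATED"; fi
}

# Constructed sample releases, not taken from a real host.
check_kernel "CentOS 7" "3.10.0-693.5.2.el7.x86_64"
check_kernel "CentOS 7" "3.10.0-693.11.6.el7.x86_64"
check_kernel "Ubuntu 16.04" "4.4.0-112-generic"
```

On a real host, pass `$(uname -r)` as the second argument. An OK result only means the kernel is at least the partially mitigated version listed above.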
Below are the steps you can take to check and fix Spectre and Meltdown vulnerabilities in CentOS 7.x.
To check for vulnerabilities, run the commands below:
- To check the current OS version.
lsb_release -d
- To check the current kernel version.
uname -a
- To check if the system is vulnerable or not.
cd /tmp
wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
sudo sh spectre-meltdown-checker.sh
The screenshot above is the output from CentOS 7.x when it is not patched with the fix for the Meltdown/Spectre vulnerabilities.
- You’ll need to run the commands below to install the new patch.
sudo yum update
- The main reason for the yum update is that we need to update the kernel version. Once the patches are installed, reboot using the command below.
reboot
- Once your computer starts up again, you can check again for the vulnerability using the command below.
sudo sh spectre-meltdown-checker.sh
You can see that this screenshot shows NOT VULNERABLE for Spectre Variant 1 and Meltdown.
Conclusion
Meltdown and Spectre are critical vulnerabilities. They continue to be exploited, and the overall impact of their damage is yet to be established.
We highly recommend keeping your systems patched with the latest operating system and the latest firmware updates released by vendors.