5:15pm, 8 January 2018
TLP Rating:
Meltdown and Spectre CPU vulnerabilities
Updated at 3.10pm 10 Jan 2018
Researchers have found multiple vulnerabilities in computer processors which may allow attackers to extract information from affected systems, including passwords and other sensitive data.
The technical details of these vulnerabilities can be found at meltdownattack.com External Link and spectreattack.com External Link .
CERT NZ is not currently aware of any attacks that are actively exploiting these vulnerabilities, however proofs of concept to exploit these vulnerabilities have been published. Because of this, we strongly recommend you protect yourself with the advice provided below as soon as practicable.
What's happening
Systems affected
Processors from Intel, AMD, and ARM have been confirmed as being affected by some or all of the discovered vulnerabilities. Due to the complex nature of these vulnerabilities, it is prudent to work on the basis that all computer systems could be affected. As these are hardware vulnerabilities, any device may be affected, from computers to smart phones and tablets, and smart devices such as TVs.
Network devices such as routers, firewalls and WAF’s may also be affected, as well as storage devices such as SAN or NAS. For virtualised systems, it is important to patch both host and guest operating systems.
What this means
All affected systems need to be updated as patches become available to protect against possible attacks, which would likely use these vulnerabilities to steal sensitive information such as passwords.
What to look for
How to tell if you're at risk
If you are using a device which uses a processor from Intel, AMD, or ARM - you may be at risk. This represents the vast majority of end user devices.
What to do
Mitigation
Ensure that all software on all your devices is up to date. Some updates have been released, and more are expected to be released over the coming weeks and months as manufacturers and vendors respond to these vulnerabilities.
In particular, ensure your operating system, anti-virus, and browser are updated. If you have a device which is no longer receiving updates, you should consider upgrading or replacing it, to ensure you can get the latest security updates.
CERT NZ’s advice on End-of-Life Devices
UPDATE: It’s important to check with your anti-virus vendor to see how they are working to mitigate this issue, as Microsoft are requiring anti-virus providers to certify compatibility with security updates. Microsoft have noted: “Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets [a specified registry key]”. Further information can be found on the DoublePulsar site External Link .
For all systems, it’s critical to check with vendors for update guidance. For organisations using Windows Server, CERT NZ recommend that you read Microsoft's guidance External Link and follow the steps provided where applicable.
In order to mitigate these vulnerabilities, it is possible that the performance of some systems may be impacted, however the effects will be dependent on the systems, the patch, the tasks they are used for and their implementation. Where concerns about these impacts arise, CERT NZ recommend referring to the product vendor for advice and practise standard testing and due diligence before deploying patches. Regardless of potential performance impact, the security implications of not patching these vulnerabilities could be severe, and CERT NZ strongly recommends undertaking all appropriate mitigations.
Many vendors have released updates, and others are underway. US CERT is maintaining a list of vendor responses to these vulnerabilities, which can be found at https://www.us-cert.gov/ncas/alerts/TA18-004A External Link .
More information
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.