Spectre and Meltdown Updates

5 January 2018 by Al McCloud

Updates

23 January

Intel has recommended that ALL patch deployment be ceased until further notice because of an issue causing unnecessary reboots.

In a statement, Intel said:

“We recommend that OEMs, Cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions on the below platforms, as they may introduce higher than expected reboots and other unpredictable system behaviour.”

Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel Corporation, said “we will make a final release available once that testing has been completed.”

UKFast will continue to update the blog as new information is made available. Intel has more information on this update in their newsroom.


What is the vulnerability?

Two connected processor vulnerabilities, named Meltdown and Spectre, were recently announced.

Every system is potentially affected, from consumer tech to cloud infrastructure.

Meltdown is a hardware vulnerability which allows for unauthorised access to privileged memory. The fix requires moving the kernel to a separate virtual address space from user processes. It affects Intel processors.

Patches are being released periodically for this issue. These can be found below.

It is commonly paired with the Spectre vulnerability, which affects a large range of processors, including those from Intel, AMD, and ARM.


What is being done?

Our experts are working on updates which should cause minimal disruption to normal services.

Software-specific updates are as follows:

Linux

All the major Linux distributions have patches available below. You can run an update through your package manager and restart your server to install the patch.

UKFast customers with a Physical Business Continuity Platform (BCP) Linux solution will need to have their reboots performed manually by the UKFast support team. This is due to additional modules that need to be installed after the reboot takes place and could lead to instability on the platform. We are contacting our customers to arrange an appropriate time for this to take place.
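To confirm that the update and reboot described above actually enabled the mitigations, the following added example (not UKFast's or any vendor's own tooling) reads the kernel's per-issue status files. It assumes the running kernel exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and later, plus distribution kernels that backported it); a missing file is treated as "unknown", which usually means the old kernel is still running.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation state after patching.
# Assumption: status files live in /sys/devices/system/cpu/vulnerabilities.

# classify_status STATUS_LINE
# Prints one of: mitigated, not-affected, vulnerable, unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# check_cpu_mitigations [DIR]
# Prints one line per issue; returns 1 if any is vulnerable or unreported.
check_cpu_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            line=$(head -n 1 "$dir/$issue")
        else
            # No file: this kernel predates the reporting interface, so the
            # patched kernel is probably not installed or not yet booted.
            line=""
        fi
        state=$(classify_status "$line")
        printf '%-11s %-13s %s\n' "$issue" "$state" \
            "${line:-<not reported by this kernel>}"
        case "$state" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return "$rc"
}

# Check the live system only when asked: sh check_mitigations.sh --check
if [ "${1:-}" = "--check" ]; then
    check_cpu_mitigations
fi
```

The non-zero exit status makes the script usable from a monitoring job or a post-reboot hook.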

Windows

[Figure: Windows Meltdown Flow Chart]

Windows Server patches are available below. You can manually install these updates now by following instructions on UKFast Docs: Windows server client guide, or wait for the next update.

If you plan to manually install the patch, please be aware that there are known compatibility problems with some anti-virus vendors. You can check with your anti-virus provider and with Microsoft, which has provided further information about compatibility on its own support pages.

If you find that your anti-virus provider is not compatible with the patch, the patch will not be offered through automatic updates and will not install automatically during the next update. Please contact your anti-virus product vendor for more information.

UKFast Windows Server clients using McAfee do not have to make changes to the registry to fix Meltdown vulnerabilities; UKFast is in the process of rolling out these updates. This means that clients following our update schedule, with either no anti-virus or McAfee Anti-Virus installed, will get the patches through an automatic update.

Installing the patch isn’t enough to enable mitigation of the Meltdown vulnerability: Microsoft requires two registry keys to be changed after the update is installed. We are working on automating this, so it can be scheduled through the my.ukfast.co.uk site, along with the required reboot.

VMware

VMware products are not vulnerable to Meltdown.

Cisco

Cisco has stated that the majority of its products are closed systems that do not allow customers to run custom code, so they are not vulnerable.

Even so, the company is currently investigating its products which could be vulnerable: Cisco ASR 1000 Series, 5000 Series Switches, 7000 Series Switches, 9000 Series Switches and UCS B-Series.

There is more information from their security center.

Are my own devices at risk?

Potentially all devices are at risk, and our advice is to periodically check for updates from your manufacturer and install them as soon as possible. Over the coming weeks all vendors, developers and manufacturers should be issuing updates to protect your devices from any issues.