MSP: Managing Vendors During Spectre and Meltdown

At Think|Stack, we have an unofficial “Preferred Vendors” list. These are tools and products we use in our clients’ networks that we have a lot of experience with. We know all the little nuances of how to get them to play nicely together to ensure a smooth customer experience.

Being the dynamic company that we are, we inherit responsibilities from our clients’ networks that veer from our Preferred Vendors list. This could be due to the requirement to support a legacy system, ongoing support contracts, or simply that they prefer a product not on our Preferred Vendors list. Nonetheless, we are always open to handling diverse ecosystems and pride ourselves on the dynamic service that we can offer.

With that being said, we have a lot of items to keep an eye on when it comes to mitigating the Meltdown/Spectre threat.

Below is an ongoing list of vendor communications we have received over the past week. I am happy to say that nearly all of the vendors on our unofficial Preferred Vendors list have delivered communications about updates to their products to mitigate the Meltdown/Spectre threat.

Perimeter (Firewalls)

Both Fortinet and SonicWall have updated their Intrusion Prevention Systems to block suspicious JavaScript code that could be performing the exploit. This is comforting to know, given that the browser is believed to be the easiest vector for exploitation.

Fortinet Fortinet Advisory On New Spectre and Meltdown Vulnerabilities

SonicWall Meltdown and Spectre Vulnerabilities: A SonicWall Alert

Anti-Virus

Deep within the fine print of Microsoft’s advisory, there is a registry key dependency: a specific registry value must be present to ensure that the anti-virus product works with Microsoft’s new patches. Both Sophos and ESET were quick to ensure that their products were updated to generate this required registry key.

Sophos 128053: Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre)

ESET ESET Customer Advisory 2018–001: Spectre and Meltdown Vulnerabilities Discovered

Operating Systems

Given that 98% of the operating systems we manage are Microsoft Windows, we have had a heavy focus on developing a strategy for patching these systems.

Microsoft released patches on January 4th but did not make them available through the Windows Update service until January 9th. To expedite this deployment, we have been developing custom scripts to run across our client machines to apply these patches prior to January 9th.

Patching systems is only part of the battle. System Admins must ensure that they are creating the registry keys that activate the mitigations. The following code blocks, which add the registry keys, are written in PowerShell.

# Enable the speculative-execution mitigations: Override=0 clears the bits selected by Mask=3 (run elevated).
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name "FeatureSettingsOverride" -PropertyType DWORD -Force -Value 0 | Out-Null
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name "FeatureSettingsOverrideMask" -PropertyType DWORD -Force -Value 3 | Out-Null

This key may be required for Virtual Machine Live Migrations within Hyper-V.

# Hyper-V hosts only: minimum VM version that receives CPU-based mitigations (string value, run elevated).
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" -Name "MinVmVersionForCpuBasedMitigations" -PropertyType String -Force -Value "0" | Out-Null
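Setting the keys is one thing; verifying them across a fleet is another. The following audit function is an added example, not part of the original post or Think|Stack’s scripts: it reads back the mitigation values above, the Hyper-V value, and the anti-virus compatibility marker (the QualityCompat value that Microsoft’s January 2018 patch guidance required AV vendors to set), and reports a per-host state object that can be collected with Invoke-Command. It assumes it is run elevated on Windows and that the OS defaults are as Microsoft documented them (mitigations on by default for Windows client, off by default for Windows Server).

```powershell
# Added example (not from the original post): audit Spectre/Meltdown mitigation
# registry state on a Windows host so rollout can be verified, not assumed.
# Assumes an elevated session. The QualityCompat value name is the anti-virus
# compatibility marker from Microsoft's January 2018 guidance.
function Get-SpectreMeltdownRegistryState {
    $mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
    $qc   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'

    # Read one registry value; return $null (instead of throwing) when it is absent.
    function Read-Value([string]$Path, [string]$Name) {
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $override = Read-Value $mm   'FeatureSettingsOverride'
    $mask     = Read-Value $mm   'FeatureSettingsOverrideMask'
    $minVm    = Read-Value $virt 'MinVmVersionForCpuBasedMitigations'
    $avFlag   = Read-Value $qc   'cadca5fe-87d3-4b96-b7fb-a231484277cc'

    # Interpret the override/mask pair the way the commands above set it:
    # Override=0 with Mask=3 enables both mitigations; Override=3 with Mask=3
    # disables them. If either value is missing, the OS default applies.
    $state = if ($null -eq $override -or $null -eq $mask) {
        'NotSet (OS default: enabled on Windows client, disabled on Windows Server)'
    } elseif ($mask -ne 0 -and (($override -band $mask) -eq 0)) {
        'Enabled'
    } else {
        'Disabled or partial'
    }

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        MitigationState             = $state
        HyperVMinVmVersionSet       = ($null -ne $minVm)
        AntiVirusCompatKeyPresent   = ($null -ne $avFlag)
    }
}

# Local run; for a client fleet, pass ${function:Get-SpectreMeltdownRegistryState}
# as the -ScriptBlock to Invoke-Command and export the objects to CSV.
Get-SpectreMeltdownRegistryState | Format-List
```

A host reporting AntiVirusCompatKeyPresent = False is the one to chase first, since the anti-virus vendor update described in the Anti-Virus section has not landed there yet.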

Microsoft Security Advisory 180002: Guidance to mitigate speculative execution side-channel vulnerabilities

Ubuntu https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

Apple iOS & MacOS Apple Security Updates

Android OS Android Security Bulletin — January 2018

HyperVisors/Hardware/Cloud

The benefits of cloud computing were once again put on display at the announcement of this vulnerability.

Once Intel became aware of this vulnerability approximately 6 months ago, they gave Amazon Web Services, Microsoft Azure, and Google Cloud Platform a significant head start on addressing this vulnerability. Each cloud vendor was quick to announce a large percentage of their equipment, if not all, has been mitigated against the threat.

This eased our workload a bit, but we are still responsible for on-premises hardware. VMware has released patches for its ESXi platform. Dell is quickly releasing firmware for a number of its server models; models such as the R730 already have new firmware in production.

AWS AWS-2018–013: Processor Speculative Execution Research Disclosure

Dell Clients SLN308587 — Microprocessor Side-Channel Attacks (CVE-2017–5715, CVE-2017–5753, CVE-2017–5754): Impact on Dell products

Dell Servers SLN308588 — Microprocessor Side-Channel Attacks (CVE-2017–5715, CVE-2017–5753, CVE-2017–5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)

VMware NEW VMSA VMSA-2018–0002 VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution

Web Browsers

It is believed that web browsers host the easiest vector for attack. Since JavaScript (code used on a large number of websites) runs on the client’s machine, it is possible that malicious code could be injected into webpages or advertisements to perform this attack. Browser developers are aware of this and have released updates to their products to combat it. Microsoft IE, Microsoft Edge, and Mozilla Firefox each have updates available.

Google Chrome is expected to release a patch on 1/23. In the meantime, ensure that “Full Site Isolation” is enabled by entering chrome://flags/#enable-site-per-process into your address bar.

Google Chrome https://support.google.com/faqs/answer/7622138

Mozilla Mozilla Foundation Security Advisory 2018–01: Speculative execution side-channel attack (“Spectre”)

MS Internet Explorer/Edge https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/

Final Thoughts

Even though at the moment we are only speaking about Meltdown and Spectre, this is the practice we employ with all major vulnerabilities.

What a lot of people do not realize is that we are constantly remediating vulnerabilities on networks that do not make headlines. We do this through a variety of strategies: network segmentation, updating and patching devices, hardening configurations, and removing old equipment. We hope that this constant remediation work will reduce the impact in the event that a vulnerability is ever exposed.

Needless to say, we’ve had a busy week at Think|Stack and it is far from over. I am thankful to have some highly skilled and dedicated Engineers in my corner to push our way through this.