Specific guidance is intended to focus on products and solutions commonly found in government and industry spaces. This page exists to gather vendor resources in one spot so public and private entities can collaborate on our shared need to secure computing infrastructure.
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
- 1. Attack Vector Minimization
- 2. Patching Priority
- 3. Operating Systems
- 3.1 Windows
- 3.2 Red Hat Enterprise Linux (RHEL)
- 3.3 Other Linux Distributions
- 3.4 MacOS
- 4. Hypervisors
- 4.1 Citrix
- 4.2 Microsoft Hyper-V
- 4.3 VMware
- 4.4 Xen Project
- 5. Hardware
- 6. General Information
Most exploits for Spectre, Meltdown, MDS, and other side-channel vulnerabilities begin with malicious code executing locally on a machine or virtual machine. Some variants require administrative privileges; others run at user level, including as browser-downloaded JavaScript. Machines that execute arbitrary code -- i.e. non-whitelisted user applications and scripts -- are at greatest risk. Side-channel attacks are likely to reveal credentials that enable lateral movement within an infrastructure.
To minimize attack vectors, consider the following solutions:
- Application whitelisting applies a "known-good" filter to executable software on an endpoint. This significantly reduces the chance of malicious code execution.
- A trusted-scripts policy applies a "known-good" filter to executable scripts. System utilities, user utilities, and web browser scripts can all be corralled by scripting restrictions. Alternatively, consider disabling user scripts entirely.
- Audit new software and firmware before introducing it into an infrastructure. Perform malware scans and review the provided code and documentation to the extent possible. Validate that the hash of each received binary matches the hash the software or firmware vendor published for it.
- Segment network infrastructures where appropriate to limit the lateral movement of attackers. Physical and virtual solutions can prevent unfettered access to sensitive resources.
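The hash check in the audit step above, as an added PowerShell example (not code from this page or from any vendor): it compares downloaded packages against a vendor-published SHA-256 manifest and, optionally, requires a valid Authenticode signature. The manifest format (one `<sha256>  <filename>` line per file), the paths, and the function names are assumptions for illustration; use whatever hash list your vendor actually publishes.

```powershell
# Added example (not from the NSA page): verify downloaded installers/firmware images
# against a vendor-published SHA-256 manifest and confirm the Authenticode signature.
# The manifest format (one "<sha256>  <filename>" line per file) and the paths below
# are assumptions for illustration; use the hash list your vendor actually publishes.

function Get-HashManifest {
    param([Parameter(Mandatory)][string]$Path)
    # Parse "<hex-sha256> <filename>" lines; ignore blanks and '#' comments.
    $entries = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*(#|$)') { continue }
        if ($line -match '^\s*([0-9A-Fa-f]{64})\s+\*?(.+?)\s*$') {
            $entries[$Matches[2]] = $Matches[1].ToUpperInvariant()
        } else {
            throw "Malformed manifest line: $line"
        }
    }
    return $entries
}

function Test-VendorPackage {
    param(
        [Parameter(Mandatory)][string]$ManifestPath,
        [Parameter(Mandatory)][string]$PackageDir,
        [switch]$RequireSignature   # fail unsigned files (many firmware blobs carry no file-level signature)
    )
    $manifest = Get-HashManifest -Path $ManifestPath
    foreach ($name in $manifest.Keys) {
        $file = Join-Path $PackageDir $name
        $result = [ordered]@{ File = $name; HashOK = $false; Signature = 'n/a'; Status = 'MISSING' }
        if (Test-Path -LiteralPath $file) {
            # A mismatch means the bits differ from what the vendor published.
            $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            $result.HashOK = ($actual -eq $manifest[$name])
            $sigOK = $true
            if ($RequireSignature) {
                $sig = Get-AuthenticodeSignature -FilePath $file
                $result.Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                $sigOK = ($sig.Status -eq 'Valid')
            }
            $result.Status = if ($result.HashOK -and $sigOK) { 'OK' } else { 'REJECT' }
        }
        [pscustomobject]$result
    }
}

# Usage: quarantine anything that is not OK before it reaches the infrastructure.
# Test-VendorPackage -ManifestPath .\SHA256SUMS.txt -PackageDir .\downloads -RequireSignature |
#     Where-Object Status -ne 'OK'
```

A file that is missing from the package directory is reported as MISSING rather than silently skipped, so an incomplete download cannot pass the audit by omission.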
General guidance for prioritizing patching:
- Patch software applications such as browsers first: they are the easiest to patch, have the fewest performance and compatibility issues, and are the most likely widespread attack vector.
- Next, install operating system patches on desktops, laptops, and tablets -- especially systems that travel or leave the office environment. OS vendors have largely resolved compatibility issues with operating system patches, and the performance impact is much smaller on desktops because they typically do not run the IO-intensive workloads (file storage arrays, email servers, database servers) where performance issues are exacerbated. Attacks via email, Office documents, and PDFs are the second most likely widespread attack vector.
- Then patch servers that do NOT have IO-intensive workloads (no file storage arrays, email servers, or database servers). Some organizations may want to defer patching the remaining servers until more performance data is available or local testing has determined whether the performance trade-off justifies the risk of remaining unpatched. Depending on mission and use case, attack surface reduction may be an acceptable alternative to performance-impacting patches.
- Microsoft's MDS advisory
- Microsoft's Spectre and Meltdown advisory
- Windows endpoint patching and configuration guidance
- Windows C++ developer and coding guidance
- Get-SpeculationControlSettings PowerShell script for checking an endpoint's vulnerability to multiple side-channel exploits
Microsoft provides patches through the Windows Update service, which normally selects the appropriate security patches automatically.
- MDS patches are part of the May 2019 security updates
- MDS-mitigating microcode updates for Intel CPUs are not yet available at the time of writing (May 2019) and are expected in summer 2019
- Spectre patches are part of the June and November 2018 security updates and may also require administrator action to enable due to concerns regarding performance impacts
- Meltdown patches are part of the June and November 2018 security updates and may also require administrator action to enable on server systems due to concerns regarding performance impacts
Spectre and Meltdown mitigations may be installed but not activated, because of significant performance penalties or compatibility issues with some anti-malware implementations. The following registry values control the behavior of the mitigations:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverride
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverrideMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\MinVmVersionForCpuBasedMitigations
Use the following values to enable mitigations. The registry values may not exist by default and may need to be created. The tables below select the settings most commonly advised to DOD administrators; for the full range of settings, consult Microsoft's in-depth details in the second half of Windows Server guidance to protect against speculative execution side-channel vulnerabilities. FeatureSettingsOverride and FeatureSettingsOverrideMask are REG_DWORD; MinVmVersionForCpuBasedMitigations is a REG_SZ string and is needed only on Hyper-V hosts, where it lets guest virtual machines use the host's mitigations. A reboot is required after changing any of them. Intel systems only:
Setting | Spectre, Meltdown, MDS | Spectre, Meltdown | Spectre-only |
---|---|---|---|
FeatureSettingsOverride | 8264 | 0 | 8 |
FeatureSettingsOverrideMask | 3 | 3 | 3 |
MinVmVersionForCpuBasedMitigations | "1.0" | "1.0" | "1.0" |
AMD systems only (FeatureSettingsOverride and FeatureSettingsOverrideMask are REG_DWORD; MinVmVersionForCpuBasedMitigations is REG_SZ) -- Meltdown and MDS are not applicable to AMD:
Setting | Spectre-only |
---|---|
FeatureSettingsOverride | 72 |
FeatureSettingsOverrideMask | 3 |
MinVmVersionForCpuBasedMitigations | "1.0" |
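The following PowerShell script is an added example, not code from this page or from Microsoft. It applies one of the tabulated profiles for the CPU vendor detected on the host and reads the values back. The registry paths, value names and numbers are the ones in the tables above; the profile names, function names, and the interpretation of override bits 0 and 1 (bit 0 set disables the Spectre variant 2 mitigation, bit 1 set disables the Meltdown mitigation, per Microsoft's guidance; every profile above leaves both clear) are this example's own.

```powershell
# Added example (not from the NSA page): apply and verify the FeatureSettingsOverride
# values tabulated above for the CPU vendor detected on this host, then read them back.
# Profile names below are this script's own. A reboot is still required before
# Get-SpeculationControlSettings (SpeculationControl module) reflects the change.
#Requires -RunAsAdministrator

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Virt    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# FeatureSettingsOverride values from the tables above, keyed by vendor and profile.
$Profiles = @{
    Intel = @{ 'SpectreMeltdownMDS' = 8264; 'SpectreMeltdown' = 0; 'SpectreOnly' = 8 }
    AMD   = @{ 'SpectreOnly' = 72 }
}

function Get-CpuVendor {
    $id = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Manufacturer
    switch ($id) {
        'GenuineIntel' { 'Intel' }
        'AuthenticAMD' { 'AMD' }
        default        { throw "Unsupported CPU vendor '$id'; consult the vendor's guidance." }
    }
}

function Set-SideChannelMitigation {
    param(
        [Parameter(Mandatory)][string]$Profile,
        [switch]$HyperVHost   # only Hyper-V hosts need MinVmVersionForCpuBasedMitigations
    )
    $vendor = Get-CpuVendor
    if (-not $Profiles[$vendor].ContainsKey($Profile)) {
        throw "Profile '$Profile' is not defined for $vendor; valid: $($Profiles[$vendor].Keys -join ', ')"
    }
    $override = $Profiles[$vendor][$Profile]

    # Both values are REG_DWORD; -Force creates them if absent and overwrites if present.
    # Mask 3 is the value Microsoft's guidance pairs with every override in the tables.
    New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride     -PropertyType DWord -Value $override -Force | Out-Null
    New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3         -Force | Out-Null

    if ($HyperVHost) {
        # REG_SZ, not DWORD: lets the hypervisor expose the mitigations to guest VMs.
        if (-not (Test-Path $Virt)) { New-Item -Path $Virt -Force | Out-Null }
        New-ItemProperty -Path $Virt -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
    }
    Write-Host "Applied $vendor profile '$Profile' (FeatureSettingsOverride=$override). Reboot required."
}

function Test-SideChannelMitigation {
    # Read back what is actually in the registry and decode the two bits whose
    # meaning is documented: bit 0 disables Spectre v2, bit 1 disables Meltdown.
    $p = Get-ItemProperty -Path $MemMgmt -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureSettingsOverride     = $p.FeatureSettingsOverride
        FeatureSettingsOverrideMask = $p.FeatureSettingsOverrideMask
        SpectreV2MitigationEnabled  = -not [bool]($p.FeatureSettingsOverride -band 1)
        MeltdownMitigationEnabled   = -not [bool]($p.FeatureSettingsOverride -band 2)
    }
}

# Usage on an Intel Hyper-V host, then confirm after reboot:
# Set-SideChannelMitigation -Profile SpectreMeltdownMDS -HyperVHost
# Test-SideChannelMitigation
# Install-Module SpeculationControl; Get-SpeculationControlSettings
```

The read-back only proves the registry is set; whether the kernel actually enabled a mitigation also depends on the installed update and microcode, which is what Get-SpeculationControlSettings (linked in the Windows resources above) reports after the reboot.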
Windows operating systems and applications guidance in development:
- Operating system patch compatibility and enabling guidance
- Browser patching and configuration guidance
- Hyper-V hosts configuration guidance
- Red Hat's MDS advisory
- Red Hat's MDS overview
- MDS mitigations in virtual environments
- Red Hat's Spectre and Meltdown overview
- Red Hat's Spectre and Meltdown advisory
- Spectre and Meltdown patch configuration and application guidance
- Spectre and Meltdown detection tool
- Spectre and Meltdown Virtualization-specific guidance
- Ubuntu MDS blog post
- Ubuntu Wiki for MDS
- Ubuntu Spectre and Meltdown blog post
- Ubuntu Spectre and Meltdown patch notice
- Ubuntu Wiki for Spectre and Meltdown
- Side-channel vulnerability detection in Linux guidance
- See the Browser guidance in the Windows section (also applies to Linux)
- Side-channel vulnerability mitigations for multiple Microsoft platforms
- Hyper Clear mitigation
- Configuration changes to mitigate side-channel vulnerabilities
- Server configuration changes to mitigate side-channel vulnerabilities
- MDS advisory
- Hypervisor mitigations for MDS
- Guest mitigations for MDS
- Spectre and Meltdown advisory
- Configuration changes and microcode mitigations for Spectre, Meltdown
- VMware additional guidance on side-channel vulnerabilities
- vSphere configuration guidance
- MDS Guidance
- Spectre and Meltdown administrator guidance
- Spectre and Meltdown Wiki FAQ
- Spectre and Meltdown FAQ
- Dell EMC Server MDS vulnerability advisory
- Spectre and Meltdown patches for Dell EMC products
- Spectre and Meltdown patches for Dell business and consumer products
- Dell Spectre and Meltdown knowledge hub
- Dell Side-Channel vulnerability information hub
- HP Enterprise MDS vulnerability advisory
- HP Consumer MDS vulnerability advisory
- HPE Spectre and Meltdown advisory
- HPE Spectre and Meltdown patches and configuration instructions
- HP Consumer Spectre and Meltdown advisory
- HP Enterprise security vulnerability dashboard
- MDS deep dive
- MDS advisory
- MDS overview
- Side-channel vulnerability information hub
- Side-channel mitigation performance impact analysis
As of May 2019, NSA recommends disabling Intel Hyper-Threading on all systems that handle sensitive data and can also execute arbitrary, user-acquired binaries and scripts. Endpoints with application and script whitelisting solutions may be exempt from MDS mitigations, depending on mission need and the data handled. Because of the wide variety of named side-channel vulnerabilities and their differing impact, sometimes differing by stepping/revision within the same product generation, assume that all Intel Core and Xeon processors are vulnerable to one or more side-channel vulnerabilities.
Ensure that Spectre mitigations are installed and activated on all Intel endpoints. Like MDS mitigations, Meltdown mitigations may impose a performance impact; where that cost cannot be accepted, application whitelisting and user-permission lockdown solutions are the alternative control, since they reduce the exposure the mitigation addresses. For information relating to a specific infrastructure, e-mail the NSA Cybersecurity GitHub team at [email protected].
As of May 2019, NSA recommends installing Spectre mitigations on all AMD endpoints. Meltdown and MDS do not appear to apply to AMD Zen products. Ensure that AMD-specific Spectre mitigations have been installed and remove erroneously applied Meltdown mitigations -- some early updates applied mitigations not intended for AMD platforms. For information relating to a specific infrastructure, e-mail the NSA Cybersecurity GitHub team at [email protected].
Consult the vendor of a specific ARM chip for details on side-channel vulnerability mitigations. Multiple vendors, e.g. Samsung and Qualcomm, produce ARM chips with variations that affect whether and how they are vulnerable.
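A check for the Hyper-Threading recommendation above, as an added PowerShell example (not code from this page or from NSA): it reports, per socket, whether more logical processors than cores are exposed, which is what an active SMT/Hyper-Threading configuration looks like to Windows. The function names are this example's own. Disabling Hyper-Threading is a firmware (UEFI/BIOS) setting; the script only detects the current state.

```powershell
# Added example (not from the NSA page): report whether Intel Hyper-Threading (SMT) is
# active, using the per-socket core vs. logical-processor counts Windows exposes via CIM.
# Disabling HT is a firmware (UEFI/BIOS) setting; this script only detects the state.

function Get-SmtState {
    foreach ($cpu in Get-CimInstance -ClassName Win32_Processor) {
        $smt = $cpu.NumberOfLogicalProcessors -gt $cpu.NumberOfCores
        [pscustomobject]@{
            Socket            = $cpu.DeviceID
            Name              = $cpu.Name.Trim()
            Cores             = $cpu.NumberOfCores
            LogicalProcessors = $cpu.NumberOfLogicalProcessors
            # More logical processors than cores means SMT/HT is active on this socket.
            SmtActive         = $smt
            # The recommendation above is Intel-specific; AMD SMT is reported but not flagged.
            IntelHtExposure   = $smt -and ($cpu.Manufacturer -eq 'GenuineIntel')
        }
    }
}

function Test-HyperThreadingDisabled {
    # $true when no Intel socket has Hyper-Threading active.
    -not (Get-SmtState | Where-Object IntelHtExposure | Select-Object -First 1)
}

# Usage: run before and after the firmware change, then confirm the OS-side MDS status
# with Get-SpeculationControlSettings (SpeculationControl module) after rebooting.
Get-SmtState | Format-Table -AutoSize
if (-not (Test-HyperThreadingDisabled)) {
    Write-Warning 'Intel Hyper-Threading is active; disable it in firmware on sensitive systems that run arbitrary code.'
}
```

Inside a virtual machine the counts reflect the vCPU topology the hypervisor presents, not the physical host, so this check must be run on the hypervisor host itself to judge the host's exposure.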
Informational pages:
- Patches - information on operating system, application, and firmware patches.
- Performance - information from vendors on performance impacts of patches and mitigations.