Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown, Spectre and ZombieLoad)

[LAST UPDATED August 7th 2018 – 11:27 UTC]

This article describes the implications, for Sophos customers, of the kernel memory leak issues being discussed in the media, which are addressed in patches that were released ahead of schedule by Microsoft on 03 Jan 2018, as well as by patches for Apple and Linux systems. This article will continue to be updated when new information becomes available.

The following sections are covered:

The vulnerability involves a kernel memory leak known by names such as KPTI, KAISER and F**CKWIT. Additionally, new research published on 03 Jan 2018 provides details of exploits, known as Meltdown and Spectre, that make use of this vulnerability. The Sophos Naked Security blog has posted more details on this issue here.

  • For Microsoft products the vulnerabilities are addressed in patches that were released ahead of schedule by Microsoft on 03 Jan 2018, see security advisory ADV180002 for details.
  • For Apple products see the following statement: About speculative execution vulnerabilities in ARM-based and Intel CPUs
  • Patches are available for Linux systems; we advise you to speak to your Linux kernel vendor for more information.

Sophos Endpoint customers

On 03 Jan 2018 Microsoft released a Security Advisory (ADV180002) which includes advice on this vulnerability and links to security updates.

The Microsoft article advises that you contact your Anti-Virus vendor to confirm that their software is compatible with the patch and that it also sets a specific registry key.

Sophos has completed testing of installing the patch and setting the registry key and can confirm no compatibility issues were seen. We will begin to automatically add the registry key in updates to the following Sophos Endpoint/Server products starting 05 Jan 2018:

  • Sophos Central Endpoints/Servers
  • Sophos Enterprise Console Endpoints/Servers
    • Preview subscription
    • Recommended subscription
    • Previous Recommended subscription
  • Sophos Endpoint Standalone
  • Sophos Virtual Environment (SVE)
  • UTM Managed Endpoints
  • Sophos Home

IMPORTANT: For server operating systems, Microsoft states “Customers have to enable mitigations to help protect against speculative execution side-channel vulnerabilities”. To enable the mitigations, Microsoft customers need to set three additional registry keys; these may cause performance issues and will not be set by Anti-Virus vendors. For more information see: Windows Server guidance to protect against speculative execution side-channel vulnerabilities.

NOTE: For Sophos Central customers currently enrolled in the Early Access Program (EAP) please see this article: Meltdown and Spectre – The chip bugs and Intercept X Early Access Program

Customers running Sophos Intercept X and/or Sophos Device Encryption only (i.e. without Sophos Anti-Virus), alongside a 3rd party Anti-Virus product, should contact the 3rd party Anti-Virus vendor to check their compatibility with the Microsoft patch and whether they have set the required registry key.

How to check if you have had the Sophos update

For customers who wish to confirm the Sophos update has been applied please see this article: Kernel memory issue affecting multiple OS: How to confirm you have the Sophos update.

Sophos Central customers using Controlled Updates will not receive the Sophos update that automatically sets the registry key. If you require the Microsoft patch using Windows Update, you can choose to Resume Automatic Updating to receive the Sophos update that sets the registry key, or manually apply the registry key via your own method (eg GPO, Script, Regedit).

Sophos Enterprise Console (SEC) customers using Fixed Extended subscriptions prior to 10.7.6 will not receive the Sophos update that automatically sets the registry key. If you require the Microsoft patch using Windows Update, you can choose to move to a subscription that does contain the update, or manually apply the registry key via your own method (eg GPO, Script, Regedit).

NOTE: Sophos has tested the compatibility of our products with the Microsoft patch, however you may be running 3rd party software that is not compatible with the patch. We recommend contacting your 3rd party vendors to confirm their compatibility.

Customers wishing to apply the patch now, ahead of the Sophos update can set the registry key manually as described in the Microsoft article: ADV180002. Alternatively you can manually download and apply the patch without the registry key.
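The following PowerShell script is an added example, not code from the Sophos article or from Sophos, covering the two registry settings this advisory refers to: the Anti-Virus compatibility flag from ADV180002 (which the Sophos update sets automatically) and the server-side mitigation values from Microsoft's Windows Server guidance. It assumes the compatibility flag lives under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat and that the server mitigations are controlled by FeatureSettingsOverride and FeatureSettingsOverrideMask under the Memory Management key; the GUID value name of the compatibility flag is not reproduced in this article and appears below as a placeholder to be copied from ADV180002.

```powershell
# Added example (not from the Sophos article): report, and optionally set, the
# Windows registry values referred to in this advisory.
#
# Assumptions, labelled here because the article does not reproduce them:
#   * The AV-compatibility flag from ADV180002 sits under
#     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat. Its value
#     name is the GUID given in ADV180002; it is a placeholder below.
#   * Server mitigations are enabled by FeatureSettingsOverride = 0 and
#     FeatureSettingsOverrideMask = 3 under HKLM\SYSTEM\CurrentControlSet\
#     Control\Session Manager\Memory Management, per Microsoft's server guidance.
# Run from an elevated PowerShell session; a reboot is needed after changes.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$EnableServerMitigations   # only pass this on server SKUs you have tested
)

$compatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatValue = '<GUID value name from ADV180002>'   # placeholder: copy from the Microsoft advisory
$mmKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing,
    # so a missing value is reported rather than aborting the script.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-AvCompatFlag {
    # The AV vendor (or the administrator) creates this value; Windows Update
    # withholds the January 2018 security update until it is present.
    $v = Get-RegistryDword -Path $compatKey -Name $compatValue
    [pscustomobject]@{
        Check   = 'QualityCompat flag (AV compatibility)'
        Present = ($null -ne $v)
        Value   = $v
    }
}

function Test-ServerMitigations {
    # Server SKUs ship with the mitigations disabled until both values are set.
    $override = Get-RegistryDword -Path $mmKey -Name 'FeatureSettingsOverride'
    $mask     = Get-RegistryDword -Path $mmKey -Name 'FeatureSettingsOverrideMask'
    [pscustomobject]@{
        Check                       = 'Server speculative-execution mitigations'
        Enabled                     = ($override -eq 0 -and $mask -eq 3)
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
    }
}

function Enable-ServerMitigations {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # -WhatIf on the script shows what would change without touching the registry.
    if ($PSCmdlet.ShouldProcess($mmKey, 'Set FeatureSettingsOverride=0 and FeatureSettingsOverrideMask=3')) {
        New-ItemProperty -Path $mmKey -Name 'FeatureSettingsOverride'     -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $mmKey -Name 'FeatureSettingsOverrideMask' -PropertyType DWord -Value 3 -Force | Out-Null
    }
}

Test-AvCompatFlag      | Format-List
Test-ServerMitigations | Format-List
if ($EnableServerMitigations) {
    Enable-ServerMitigations
    Test-ServerMitigations | Format-List
}
```

The report-only run is safe to use as an inventory step across a fleet before deciding whether the Sophos update, a GPO or a script will set the compatibility flag; the server mitigations are only written when `-EnableServerMitigations` is passed, and `-WhatIf` previews that change. The registry values show intent, not effect: after the reboot, confirm the mitigations are actually active with Microsoft's SpeculationControl PowerShell module (`Get-SpeculationControlSettings`), which this article does not cover but the Microsoft server guidance it links to does.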

Please note that Microsoft states “you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates.”. For more information see Microsoft article: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities. We recommend that you test any firmware updates before deploying to your live environment.

Sophos Network customers

Listed below are Sophos network security products that utilize CPUs known to be vulnerable to these issues.

  • Sophos XG Firewall (Sophos Firewall OS) 16.5 and 17 (XG Series)
  • Sophos UTM (SG series) 9.5
  • Sophos Firewall Manager (SFM) 16.5
  • Sophos Web Appliance (SWA) 4.3.4
  • Sophos iView 3.0.1.1
  • Sophos Email Appliance (SEA)
  • Sophos RED
  • Cyberoam OS 10.6.6
  • Cyberoam Central Console 02.04.0 build 249
  • Cyberoam iView 0.1.2.8

These products require no patches or fixes for these CVE vulnerabilities, based on the assessment that access to the appliance OS to load external code is restricted and therefore malicious code cannot be executed. We recommend following best practices to protect access to privileged accounts.

At present there are three vulnerabilities linked to the kernel memory leak issue; these are:

Currently there are no known malicious threats exploiting these vulnerabilities. Sophos has released protection to help protect against this happening in the future. This protection will continue to be updated.

Threat name      Sophos IDE      Protection availability
                                 Publication started     Publication finished
Mal/Spectre-B    zbot-lvw.ide    2018-01-05 00:20 UTC    2018-01-05 02:23 UTC
Mal/Spectre-C    zbot-lvw.ide    2018-01-05 00:20 UTC    2018-01-05 02:23 UTC
Mal/Spectre-D    zbot-lvw.ide    2018-01-05 00:20 UTC    2018-01-05 02:23 UTC
Mal/Spectre-E    netwi-md.ide    2018-01-05 06:58 UTC    2018-01-05 09:00 UTC
OSX/Spectre-B    netwi-md.ide    2018-01-05 06:58 UTC    2018-01-05 09:00 UTC
Mal/Spectre-A    age-axyx.ide    2018-01-05 18:31 UTC    2018-01-05 20:34 UTC
JS/Spectre-A     pdfu-dwf.ide    2018-01-06 07:35 UTC    2018-01-06 09:37 UTC
Mal/Meltdown-A   msilk-al.ide    2018-01-06 12:33 UTC    2018-01-06 14:36 UTC
Mal/Meltdown-B   msilk-al.ide    2018-01-06 12:33 UTC    2018-01-06 14:36 UTC
Mal/Meltdown-C   inje-cyk.ide    2018-01-09 07:05 UTC    2018-01-09 09:08 UTC
Mal/Meltdown-D   delf-gmj.ide    2018-01-10 04:57 UTC    2018-01-10 07:00 UTC

Sophos XG Firewall and Cyberoam IPS signatures have been added to protect against the specific CVEs and sample code outlined in the Spectre and Meltdown whitepapers, and we will continue to update the IPS patterns as new variants are discovered. However, we still recommend that patches be applied to all affected systems as soon as they are available.

To ensure you have the latest protection please see this article: Sophos products: How to check if the product is up to date
