Meltdown and Spectre: Security Advisories and Updates from Hardware and Software Vendors

Martin Fischer
Meltdown and Spectre: link overview of information from hardware and software vendors

Hardware and software vendors alike are affected by the Meltdown and Spectre vulnerabilities. An overview of links to statements, further information and update notices.

A large number of modern and older processors are susceptible to the Meltdown and Spectre attack scenarios [1] because of their hardware architecture (analysis: How Meltdown and Spectre work [2]). For the time being, the holes can only be closed through changes to software, that is, to the program code of operating systems such as Windows, macOS, Linux, Android and iOS, and through patches for individual applications such as Firefox. It is therefore essential for users to always install the latest updates for their operating systems immediately and to update applications as quickly as possible.

CPU security vulnerabilities Meltdown and Spectre

Below you will find links to current information and security advisories from hardware and software vendors on Meltdown and Spectre. The overview is updated continuously; we are grateful to our readers for pointers to new statements in the forum.

Meltdown and Spectre security vulnerabilities [9]

Processor Speculative Execution Research Disclosure [10]

An Update on AMD Processor Security [11]

Android Security Bulletin—January 2018 [12]

Meltdown and Spectre – no attack possibility with AVM products [13]

About speculative execution vulnerabilities in ARM-based and Intel CPUs [14]

Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism [15]

Latest BIOS Update [16]

ASUS Motherboards Microcode Update for Speculative Execution [17]

Understanding the impact of Meltdown and Spectre CPU exploits on Bitdefender GravityZone users [18]

Brocade Security Advisory ID: BSA-2018-522 [19]

Addressing the Spectre and Meltdown Vulnerabilities (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) for the API Management Product Suite [20]

Actions Required to Mitigate Speculative Side-Channel Attack Techniques [21]

CentOS Information for VU#584653 [22]

Vulnerability Note VU#584653: CPU hardware vulnerable to side-channel attacks [23]

Check Point Response to Meltdown and Spectre (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) [24]

CPU Side-Channel Information Disclosure Vulnerabilities [25]

Citrix Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 [26]

Debian Security Advisory: DSA-4078-1 linux -- security update [27]

CVE-2017-5754: Security Tracker [28]

Meltdown and Spectre Vulnerabilities [29]

Dell EMC (Dell Enterprise Servers, Storage and Networking)

Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products [30]

Protect your Fedora system against Meltdown [31]

FireEye Notice for CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 [32]

CPU hardware vulnerable to Meltdown and Spectre attacks [33]

January 4: Due to the fundamental nature of the attacks, no estimate is yet available for the publication date of patches. [34]

January 8: Response to Meltdown and Spectre [35]

February 17: Revision 329462 [36]

CPU hardware vulnerable to side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) [37]

Side-Channel Analysis Method: Spectre & Meltdown Security Review [38]

"Spectre" and "Meltdown" - researchers discover serious security vulnerabilities in processors [39]

GIGABYTE Safeguards Users From Speculative Execution Vulnerability [40]

BIOS update for Side Channel Analysis Security issue Mitigations [41]

Google’s Mitigations Against CPU Speculative Execution Attack Methods [42]

Hitachi Vantara Statement Regarding Spectre and Meltdown Vulnerabilities [43]

(specific information only accessible after login)

CPU Vulnerabilities 'Meltdown' and 'Spectre' [44]

Security Bulletin [45]

HPESBHF03805 rev.2 - Certain HPE products using Microprocessors from Intel, AMD, and ARM, with Speculative Execution, Elevation of Privilege and Information Disclosure [46]

Potential CPU Security Issue [47] (possibly also IBM Z)

Potential Impact on Processors in the POWER family [48]

IBM Storage [49]

IGEL is working on protection against Meltdown and Spectre [50]

Intel Responds to Security Research Findings [51]

Intel Issues Updates to Protect Systems from Security Exploits [52]

INTEL-SA-00088: Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method [53]

BIOS update 0065 for Intel NUC6i3SYH, NUC6i3SYK, NUC6i5SYH, NUC6i5SYK [54]

Linux Processor Microcode Data File Version 20180108 [55]

Intel Security Issue Update: Initial Performance Data Results for Client Systems [56]

Intel-SA-00088 for Intel NUC, Intel Compute Stick, and Intel Compute Card [57]

Spectre and Meltdown: LANCOM devices are not affected [58]

Lenovo Security Advisory: LEN-18282: Reading Privileged Memory with a Side Channel [59]

x86/kpti: Kernel Page Table Isolation (was KAISER) [60]

Meltdown and Spectre – McAfee Product Compatibility Update [61]

January 3, 2018—KB4056892 (OS Build 16299.192) [62]

Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities [63]

Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems [64]

Hyper-V: Protecting guest virtual machines from CVE-2017-5715 (branch target injection) [65]

Surface Guidance to protect against speculative execution side-channel vulnerabilities [66]

Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer [67]

Securing Azure customers from CPU vulnerability [68]

SQL Server guidance to protect against speculative execution side-channel vulnerabilities [69]

Windows Server guidance to protect against speculative execution side-channel vulnerabilities [70]

Mitigations landing for new class of timing attack [71]

BIOS updates for motherboards with Z370 [72]

Processor Speculated Execution Vulnerabilities in NetApp Products [73]

Security Advisory for Speculative Code Execution (Spectre and Meltdown) on Some ReadyNAS and ReadyDATA Storage Systems, PSV-2018-0005 [74]

Nvidia's response to speculative side channels CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 [75]

Patched drivers: Security Bulletin NVIDIA GPU Display Driver Security Updates for Speculative Side Channels [76]

OpenBSD 6.2 Errata, 009: SECURITY FIX: March 1, 2018 [77]

CVE-2017-5715 (Oracle Linux version 6, 7, Oracle VM version 3.4, qemu-kvm) [78]

Security information of vulnerability by Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method [79]

Meltdown and Spectre Linux Kernel fixes [80]

QEMU and the Spectre and Meltdown attacks [81]

Security Advisory for Meltdown and Spectre Vulnerabilities [82]

Intel Security Advisory update [83]

WHY RASPBERRY PI ISN’T VULNERABLE TO SPECTRE OR MELTDOWN [84]

Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715 [85]

Security-related information on "Meltdown" and "Spectre" (update) [86]

Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) [87]

Security Vulnerabilities Regarding Side Channel Speculative Execution and Indirect Branch Prediction Information Disclosure [88]

SUSE Addresses Meltdown and Spectre Vulnerabilities [89]

Security Vulnerabilities Regarding Side Channel Speculative Execution and Indirect Branch Prediction Information Disclosure (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) [90]

Synology-SA-18:01 Meltdown and Spectre Attacks [91]

Open Telekom Cloud is working on a solution for the processor problem [92]

Open Telekom Cloud Security Advisory about Processor Speculation Leaks [93]

Security advisories on Meltdown and Spectre [94]

Intel, AMD & Microsoft Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method Security Vulnerabilities [95]

Important Information for Trend Micro Solutions and Microsoft January 2018 Security Updates [96]

Ubuntu Updates for the Meltdown / Spectre Vulnerabilities [97]

Status of Meltdown and Spectre security issues in UCS [98]

Meltdown and Spectre: VMware products [99]

VMSA-2018-0002 [100]

VMware Security & Compliance Blog [101]

VMware Virtual Appliances and CVE-2017-5753, CVE-2017-5715 (Spectre), CVE-2017-5754 (Meltdown) (52264) [102]

VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52245) [103]

VMSA-2018-0007 [104]

Wind River Security Vulnerability Notice [105]

Advisory [106]

(mfi [108])


URL of this article:
https://www.heise.de/-3936141

Links in this article:
[1] https://www.heise.de/news/Gravierende-Prozessor-Sicherheitsluecke-Nicht-nur-Intel-CPUs-betroffen-erste-Details-und-Updates-3932573.html
[2] https://www.heise.de/news/Analyse-zur-Prozessorluecke-Meltdown-und-Spectre-sind-ein-Security-Supergau-3935124.html
[3] https://www.heise.de/news/FAQ-zu-Meltdown-und-Spectre-Was-ist-passiert-bin-ich-betroffen-wie-kann-ich-mich-schuetzen-3938146.html
[4] https://www.heise.de/news/Meltdown-Spectre-verstehen-Was-Unternehmen-jetzt-wissen-muessen-3954159.html
[5] https://www.heise.de/news/Meltdown-und-Spectre-im-Ueberblick-Grundlagen-Auswirkungen-und-Praxistipps-3944915.html
[6] https://www.heise.de/news/Meltdown-und-Spectre-Die-Sicherheitshinweise-und-Updates-von-Hardware-und-Software-Herstellern-3936141.html
[7] https://www.heise.de/news/Analyse-zur-Prozessorluecke-Meltdown-und-Spectre-sind-ein-Security-Supergau-3935124.html
[8] https://www.heise.de/thema/Meltdown-und-Spectre
[9] https://us.answers.acer.com/app/answers/detail/a_id/53104
[10] https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/
[11] https://www.amd.com/en/corporate/speculative-execution
[12] https://source.android.com/security/bulletin/2018-01-01
[13] https://avm.de/service/aktuelle-sicherheitshinweise/
[14] https://support.apple.com/en-us/HT208394
[15] https://developer.arm.com/support/security-update
[16] http://www.asrock.com/support/index.asp?cat=BIOS
[17] https://www.asus.com/News/V5urzYAT6myCC1o2
[18] https://www.bitdefender.com/support/understanding-the-impact-of-meltdown-and-spectre-cpu-exploits-on-bitdefender-gravityzone-users-2072.html
[19] http://www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2018-522.htm
[20] https://support.ca.com/us/knowledge-base-articles.TEC1272616.html
[21] https://www.chromium.org/Home/chromium-security/ssca
[22] https://www.kb.cert.org/vuls/id/TNOY-AUQKJ5
[23] http://www.kb.cert.org/vuls/id/584653
[24] https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122205&partition=General&product=All%22
[25] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
[26] https://support.citrix.com/article/CTX231399
[27] https://www.debian.org/security/2018/dsa-4078
[28] https://security-tracker.debian.org/tracker/CVE-2017-5754
[29] http://www.dell.com/support/article/de/de/debsdt1/sln308587
[30] https://www.dell.com/support/article/us/en/04/sln308588/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-emc-products-dell-enterprise-servers-storage-and-networking-?lang=en
[31] https://fedoramagazine.org/protect-fedora-system-meltdown/
[32] https://www.fireeye.com/blog/products-and-services/2018/01/fireeye-notice-for-meltdown-and-spectre-vulnerabilities.html
[33] https://fortiguard.com/psirt/FG-IR-18-002
[34] https://www.freebsd.org/news/newsflash.html
[35] https://lists.freebsd.org/pipermail/freebsd-security/2018-January/009719.html
[36] https://svnweb.freebsd.org/base?view=revision&revision=329462
[37] http://www.fujitsu.com/global/support/products/software/security/products-f/jvn-93823979e.html
[38] http://support.ts.fujitsu.com/content/SideChannelAnalysisMethod.asp
[39] https://www.gdata.de/blog/2018/30323-spectre-meltdown
[40] http://www.gigabyte.eu/Press/News/1586
[41] https://www.gigabyte.com/MicroSite/481/intel-sa-00088.html
[42] https://support.google.com/faqs/answer/7622138
[43] https://knowledge.hds.com/Support_Information/CVE_Security_Notices/Hitachi_Vantara_Statement_Regarding_Spectre_and_Meltdown_Vulnerabilities
[44] http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180106-01-cpu-en
[45] https://support.hp.com/us-en/document/c05869091
[46] https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us
[47] https://www.ibm.com/blogs/psirt/potential-cpu-security-issue/
[48] https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/
[49] https://www.ibm.com/blogs/psirt/ibm-storage-meltdownspectre/
[50] https://www.igel.de/company-news/igel-arbeitet-schutz-vor-meltdown-und-spectre/
[51] https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
[52] https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/
[53] https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
[54] https://downloadcenter.intel.com/de/download/27422/NUCs-BIOS-Update-SYSKLi35-86A-?product=89190
[55] https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=52214
[56] https://newsroom.intel.com/editorials/intel-security-issue-update-initial-performance-data-results-client-systems/
[57] https://www.intel.com/content/www/us/en/support/articles/000026620/mini-pcs.html
[58] https://www.lancom-systems.de/service-support/soforthilfe/allgemeine-sicherheitshinweise/
[59] https://support.lenovo.com/de/en/solutions/len-18282
[60] https://lkml.org/lkml/2017/12/4/709
[61] https://kc.mcafee.com/corporate/index?page=content&id=KB90167
[62] https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
[63] https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
[64] https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
[65] https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/cve-2017-5715-and-hyper-v-vms
[66] https://support.microsoft.com/en-us/help/4073065/surface-guidance-to-protect-against-speculative-execution-side-channel
[67] https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/#Rohm8y8BJcfgKBoG.97
[68] https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
[69] https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server
[70] https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
[71] https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
[72] http://www.rbt-pressroom.eu/de/pressbox/updates-schliessen-moegliche-sicherheitsluecken-in-der-aktuellen-intel-microcode-version/
[73] https://security.netapp.com/advisory/ntap-20180104-0001/
[74] https://kb.netgear.com/000053240/Security-Advisory-for-Speculative-Code-Execution-Spectre-and-Meltdown-on-Some-ReadyNAS-and-ReadyDATA-Storage-Systems-PSV-2018-0005
[75] https://forums.geforce.com/default/topic/1033210/nvidias-response-to-speculative-side-channels-cve-2017-5753-cve-2017-5715-and-cve-2017-5754/
[76] http://nvidia.custhelp.com/app/answers/detail/a_id/4611/~/security-bulletin%3A-nvidia-gpu-display-driver-security-updates-for-speculative
[77] https://www.openbsd.org/errata62.html
[78] https://linux.oracle.com/cve/CVE-2017-5715.html
[79] https://pc-dl.panasonic.co.jp/itn/vuln/g18-001.html
[80] https://forum.proxmox.com/threads/meltdown-and-spectre-linux-kernel-fixes.39110/
[81] https://www.qemu.org/2018/01/04/spectre/
[82] https://www.qnap.com/de-de/security-advisory/nas-201801-08
[83] https://www.qct.io/Press-Releases/index/PR/Server/Intel-SA-00088
[84] https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/
[85] https://access.redhat.com/security/vulnerabilities/speculativeexecution?sc_cid=701f2000000tsLNAAY&
[86] http://www.shuttle.eu/de/news/view/sicherheitstechnische-informationen-zu-meltdown-und-spectre-update/86fc24644d/29/
[87] https://community.sophos.com/kb/en-us/128053
[88] https://www.supermicro.com/support/security_Intel-SA-00088.cfm
[89] https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/
[90] https://support.symantec.com/en_US/article.INFO4793.html
[91] https://www.synology.com/de-de/support/security/Synology_SA_18_01
[92] https://cloud.telekom.de/blog/prozessorproblem/
[93] https://imagefactory.otc.t-systems.com/Blog-Review/SpecExLeak/
[94] https://www.thomas-krenn.com/de/wiki/Sicherheitshinweise_zu_Meltdown_und_Spectre
[95] https://support.toshiba.com/support/viewContentDetail?contentId=4015952
[96] https://esupport.trendmicro.com/en-us/home/pages/technical-support/1118996.aspx
[97] https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/
[98] https://help.univention.com/t/status-of-meltdown-and-spectre-security-issues-in-ucs/7678
[99] https://vinfrastructure.it/2018/01/meltdown-spectre-vmware-patches/
[100] https://www.vmware.com/security/advisories/VMSA-2018-0002.html
[101] https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html
[102] https://kb.vmware.com/s/article/52264
[103] https://kb.vmware.com/s/article/52245
[104] https://www.vmware.com/security/advisories/VMSA-2018-0007.html
[105] https://knowledge.windriver.com/en-us/000_Products/000/010/050/010/000_Wind_River_Security_Vulnerability_Notice%3A__Linux_Kernel_Meltdown_and_Spectre_Break_(Side-Channel_Attacks)_-_CVE-2017-5754_CVE-2017-5753_CVE-2017-5715
[106] https://xenbits.xen.org/xsa/advisory-254.html
[107] https://www.heise.de/Datenschutzerklaerung-der-Heise-Medien-GmbH-Co-KG-4860.html
[108] mailto:mfi@heise.de