Meltdown and Spectre Kernel Vulnerabilities
A security issue affecting Intel, AMD and ARM processors has been announced. In this Knowledge Base article, we would like to provide information and guidance on how to protect servers running GBS iQ.Suite.
The vulnerability allows attackers to read and extract memory information, greatly increasing the risk of stolen data and identities. The vulnerability is known as Meltdown, Spectre, KPTI, KAISER or F**CKWIT. Microsoft, Linux and other platforms provided patches on January 3, 2018. Exploitation of the vulnerability requires execution of malicious code.
Microsoft is working closely with antivirus vendors to ensure that all customers receive the January security update as soon as possible, which pertains to security vendor endpoint products but not to the OEM AV scan engines implemented in iQ.Suite.
Windows server-based computers (physical or virtual) must receive the Windows security updates that were published and provided on January 3, 2018 and are available under Windows Updates. Available updates are listed under the following link:
Security updates for iQ.Suite servers
Procedure for Windows Server
The security updates from January 2018 (or thereafter), which are intended to protect from the aforementioned security vulnerabilities, are not automatically installed by the antivirus engines integrated in iQ.Suite.
The following registry key must be set in order for the updates to be installed:
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
Currently, Microsoft is providing security updates for Windows Server 2016, Windows Server 2012 R2 and Windows Server 2008 R2. These updates have been tested.
GBS has reviewed and tested the Windows updates in regard to iQ.Suite and can verify compatibility.
The registry key must be set manually.
The integrated OEM AV scanners (Engine, Pattern) in iQ.Suite will run with or without the security updates.
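The following PowerShell snippet is an added example (not GBS or iQ.Suite code) showing how to check for and set the QualityCompat registry value described above, and then list the security updates installed since the 3 January 2018 release. It assumes an elevated PowerShell session on the iQ.Suite Windows Server and that the DWORD data value is 0, as Microsoft's guidance for this key specifies.

```powershell
# Added example, not part of the GBS article: verify and set the QualityCompat
# value that the January 2018 Windows updates require, then list updates
# installed on or after the 3 January 2018 release.
# Assumption: run elevated; the DWORD data value 0 follows Microsoft's guidance.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-QualityCompatKey {
    # Returns $true only if the value exists, is a DWORD and holds data 0
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $kind = (Get-Item -Path $KeyPath).GetValueKind($ValueName)
    return ($kind -eq 'DWord' -and $item.$ValueName -eq 0)
}

function Set-QualityCompatKey {
    # Create the key if it is missing and write the DWORD value 0
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

if (Test-QualityCompatKey) {
    Write-Output 'QualityCompat value already present; Windows Update can offer the January 2018 fixes.'
} else {
    Write-Output 'QualityCompat value missing or incorrect; setting it now.'
    Set-QualityCompatKey
    if (-not (Test-QualityCompatKey)) {
        throw "Failed to set $ValueName under $KeyPath"
    }
}

# Show which updates have been installed since the 3 January 2018 release,
# so the server can be confirmed as patched after the next Windows Update run
Get-HotFix |
    Where-Object { $_.InstalledOn -ge [datetime]'2018-01-03' } |
    Sort-Object -Property InstalledOn |
    Format-Table -Property HotFixID, Description, InstalledOn -AutoSize
```

A server with a reboot pending after the update will not yet show the fix as effective; the listing only confirms installation.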
GBS is currently reviewing the kernel updates for Linux and other operating systems on which iQ.Suite for Domino is run. We will add all necessary information here.
Linux - Security Patches
The current security patches for kernel 4.4 have been tested. No problems were identified in combination with iQ.Suite.
AIX - Security Patches
- Firmware patches should be available in the second week of 2018.
- Operating system patches should be available in the third week of 2018.
Questions & answers
Is the patch supported by the OEM AV scanners Sophos, Avira, Kaspersky and McAfee?
- The security updates were tested in regard to the GBS iQ.Suite versions and the respective OEM Scan Engine. No problems were observed.
Is the registry key set automatically by AV software?
- The registry key is not set automatically by the OEM scan engine (in iQ.Suite).
What effects do the CPU patches have on performance?
- Effects on performance vary and cannot be absolutely quantified. According to reports, the updates may reduce performance, increasing the importance of assessing the impact in specific, individual environments.
Pertinent information will be added to this document as it becomes available.
WebCrypt Pro Appliance:
Official Statement of SEPPmail regarding WebCrypt Appliance:
Spectre: CVE-2017-5753, CVE-2017-5715
The execution of all kinds of these attacks is based on the allowed execution of attacker code on the CPU, exploiting speculative execution of CPUs in order to read out unauthorised information. This can be utilised across guest-host boundaries in virtualisation, allowing one single compromised VM to serve as an attack vector to all other VMs of the host. Avoiding this kind of attack is very complex and can lead to noticeable performance reductions in the range of 10-30%.
Meltdown concerns specifically Intel CPUs, which is exactly the case with our hardware. Spectre is targeting all the new CPU architectures (Intel, AMD, ARM). It can be assumed that all SEPPmail hardware appliances are affected by this vulnerability. But as we are talking about a local attack, the exploitation of a hardware appliance is not possible without further attack vectors.
Virtual deployments are especially at risk, where an appliance is vulnerable to attacks by other VMs or by the host itself using Meltdown and Spectre. We strongly recommend installing all available hypervisor and operating system patches for the virtualisation used. A migration to hardware for better protection is an option too, when no patches are available.
The vulnerability has been known since the beginning of January, but no information was transmitted to the OpenBSD operating system during the last embargo period and therefore no patches are available at the moment. It is likely that the period of development and testing may span many weeks or even months. Furthermore, there are no other patches available yet offering full protection against all attacks (especially Spectre). It is also possible that the 3 known attacks represent scattered examples of an unknown category of attacks.
For this reason there is no patch timeline for SEPPmail available at the moment.
Last updated: 17 January 2018