I have no doubt that by now you are well aware of last week’s announcements from the security community about new security threats—known as Meltdown and Spectre—that exploit the “speculative execution” feature found in modern processors, including Intel, AMD, and ARM processors. While this is a hardware vulnerability, the major operating system vendors—Microsoft, Apple, SUSE, Red Hat, and other Linux vendors—have all released patches intended to help mitigate the vulnerabilities.
OS Vendor Guidance
In addition to releasing patches, each of these OS vendors released guidance for mitigating the threats on devices running their operating system. We strongly recommend that you review their guidance documents before patching:
Patching Your Devices
After you’ve reviewed the guidance and are ready to apply patches, ZENworks Patch Management is all set to help you.
As of today, all Spectre and Meltdown patches provided by Microsoft, SUSE, Red Hat, and Apple since the announcement last week are in the ZENworks Patch Management feed. And we continue to actively release additional Meltdown and Spectre patches into our content feed as vendors release them and our content team processes them.
There are many strategies you can use in ZENworks Patch Management to ensure that you’re devices are patched. Whatever strategy you use, I recommend that it include the following components, each of which are covered in the remainder of this article:
- Make sure that your ZENworks system includes the most recently released Meltdown and Spectre patches.
- Makes sure that your devices have performed a patch scan since the release of the Meltdown and Specter patches. Otherwise, your patch status will not be accurate.
- Apply the Meltdown and Spectre patches using a method (existing Patch policies, new Patch policies, direct remediation) that is consistent with the mitigation plan you developed after referring to the vendor guidance documents, and that best accomplishes your patching goals within your mitigation timeline.
Make sure patches are available in your system
The ZENworks Patch Management Subscription Service in your system checks for new patches once a day at the time configured in your Subscription Service settings. This means that the Meltdown and Spectre patches should already be available in your system. Here are some ways you can check:
- For Windows and SUSE, go to the Patches page and filter the list to show patches with the following CVE Identifiers: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754CVE-2017-5715 is related to the Meltdown vulnerability while CVE-2017-5753 and CVE-2017-5754 are related to the Spectre vulnerability. Using CVE-2017-5715 as the filter works for both Windows and SUSE patches while CVE-2017-5753 and CVE-2017-5754 works for Windows patches only.
For example, my system shows the following Windows patches for those vulnerabilities. As you can see, I have 3 Windows 10 1709 devices, with 2 of the 3 patched, and one Windows 7 device that has neither of the applicable Meltdown/Spectre patches applied.
- For Red Hat and Apple, go to the Patches page and look at the patches dated in January 2018. Click a patch and review the description to see if it applies to CVE-2017-5715, CVE-2017-5753, or CVE-2017-5754.Here is an example from my system:
Make sure that the patch status for your devices is accurate
In order to ensure that the Patched/Not Patched status is accurate for the Meltdown and Spectre patches, make sure your devices have performed a patch scan since the Meltdown and Spectre patches were added to your system.
When your devices scan for patches is determined by the Vulnerability Detection Schedule.
If you have patch scans configured to occur on device refresh (like the example above), most devices may have already done a patch scan since the Meltdown and Spectre patches were released. If you want to ensure that devices have performed a patch scan, you can use the Device Refresh Quick Task to force devices to refresh.
However, if your patch scans are scheduled to happen on a specific date (or distribute the vulnerability definition on a specific date) and that date has not occurred since the release of the Meltdown and Spectre patches, the patches’ Patched/Not Patched status will not be correct. In this case, you can choose to wait to apply the patches after the scheduled patch scan has occurred, or you can temporarily change the schedule to happen on device refresh. If you decide to do this, you need to:
- Change the Vulnerability Definition Content schedule to Distribute vulnerability definition before scan.
- Change the Vulnerability Check schedule to Check for vulnerabilities on device refresh.
- Use the Subscription Service Settings page (in the Zone Configuration Settings) to initiate a subscription update. This is required so that the DAU patch bundles (used to discover missing patches during the patch scan) are rebuilt with the new schedule settings.
- Once the subscription update is complete, use the Device Refresh Quick Task to force devices to refresh. The refresh will initiate a patch scan using the new DAU patch bundles and then cause the patch results to be rolled up to ZENworks Control Center.
- After you have applied the Meltdown and Spectre patches to your devices, change the schedule back and do another subscription update (or wait for the scheduled daily subscription update).
Once you are comfortable with the accuracy of the Patched/Not Patched status for the Meltdown/Spectre patches that are applicable to the devices in your system, you are ready to patch.
NOTE: As explained in the Microsoft Devices and Servers guidance, Microsoft has identified a compatibility issue with Microsoft’s Windows security updates released in January 2018 (for Meltdown/Spectre) and a small number of antivirus software products. The compatibility issue arises when antivirus applications make unsupported calls into Windows kernel memory. If a device is running one of these incompatible antivirus applications, Microsoft does not allow the Windows security updates (containing the Meltdown/Spectre fixes) to be installed on the device. With ZENworks Patch Management, this means that the security updates will not be applicable to the device, causing the device to be excluded from the Patched/Not Patched count. To resolve this issue on devices so that the Patched/Not patched status is correct and the Meltdown/Spectre patches can be applied, refer to the Microsoft article Windows security updates released January-February, 2018, and antivirus software.
You have several options you can use to apply the patches. Which option you choose could depend on several factors, including how quickly you want to push out the Meltdown and Spectre patches and how much control you want over distributing just those patches without any other patches.
Use existing Patch policies
If you have existing Patch policies that by nature of their rules criteria will include the Meltdown and Spectre patches, you can use these Patch policies and follow your normal patching process.
For example, both the monthly cumulative updates for Windows 10 and Windows 7 include the Meltdown and Spectre patches. If you have a policy that regularly distributes those, you can use that policy.
I strongly suggest, however, that you look at the policy’s Rules page to make sure that the Included Patches list includes the patches you expect. If not, or if you just want to be safe, you should go to the policy’s Summary page and use the Rebuild option which will cause the policy to rebuild and include the patches (provided they meet the rule criteria).
Create Meltdown/Spectre Patch policies
If you don’t want to use your existing Patch policies, you can create new Patch policies that only apply the Meltdown and Spectre patches to devices.
For example, you could create a Windows Patch policy that uses the following Rules criteria, then assign the policy to all of your Windows devices. Only the patches applicable to the device would be installed.
Manually remediate devices
If you don’t want to use Patch policies, you can apply patches by assigning the patches directly to the non-patched devices. This works well if you have a specific patch that you want to push directly to specific devices.
For example, my system has one Windows 10 device that does not have the January 2018 cumulative patch applied.
When I click the number in the Not Patched column, I see the device that is not patched.
I can select the patch, click Action > Deploy Remediation and then follow the wizard steps to deploy the patch to the device. After the patch is deployed, the patch results are returned and I can see the device patched in ZENworks Control Center.
For the most part, OS vendors have been the first to respond with patches to help mitigate the Meltdown and Spectre vulnerabilities. However, you can expect to see various application vendors coming out with patches as needed. For example, Microsoft has already released an update for Internet Explorer 11 for Windows 7 that is tied to the three Meltdown and Spectre CVEs (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754).
Following our standard practice, we will release these patches into the ZENworks Patch Management content feed as they are released by vendors.