Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
[LAST UPDATED August 7th 2018 - 11:27 UTC]
This article describes the implications, for Sophos customers, of the Kernel memory leak issues being discussed in the media, and which are addressed in patches that were released ahead of schedule by Microsoft on 03 Jan 2018, as well as by patches to Apple and Linux. This article will continue to be updated when new information becomes available.
The following sections are covered:
The vulnerability involves a kernel memory leak known by names such as KPTI, KAISER and F**CKWIT. Additionally new research published on 03 Jan 2018 provides details of exploits that utilize this vulnerability, known as Meltdown and Spectre. The Sophos Naked Security blog has posted more details on this issue here.
On 03 Jan 2018 Microsoft released a Security Advisory (ADV180002) which includes advice on this vulnerability and links to security updates.
The Microsoft article advises you contact your Anti-Virus vendor to confirm that their software is compatible with the patch and also sets a specific registry key.
Sophos has completed testing of installing the patch and setting the registry key and can confirm no compatibility issues were seen. We will begin to automatically add the registry key in updates to the following Sophos Endpoint/Server products starting 05 Jan 2018:
IMPORTANT: For server operating systems, Microsoft states "Customers have to enable mitigations to help protect against speculative execution side-channel vulnerabilities". To enable the mitigations Microsoft customers need to enable three additional registry keys, these may cause performance issues and will not be set by Anti-Virus vendors. For more information see: Windows Server guidance to protect against speculative execution side-channel vulnerabilities.
NOTE: For Sophos Central customers currently enrolled in the Early Access Program (EAP) please see this article: Meltdown and Spectre – The chip bugs and Intercept X Early Access Program
For customers running Sophos Intercept X and/or Sophos Device Encryption only (ie without Sophos Anti-Virus), alongside a 3rd party Anti-Virus product. Please contact the 3rd party Anti-Virus vendor to check their compatibility with the Microsoft patch and if they have set the required registry key.
For customers who wish to confirm the Sophos update has been applied please see this article: Kernel memory issue affecting multiple OS: How to confirm you have the Sophos update.
Sophos Central customers using Controlled Updates will not receive the Sophos update that automatically sets the registry key. If you require the Microsoft patch using Windows Update, you can choose to Resume Automatic Updating to receive the Sophos update that sets the registry key, or manually apply the registry key via your own method (eg GPO, Script, Regedit).
Sophos Enterprise Control (SEC) customers using Fixed Extended subscriptions prior to 10.7.6 will not receive the Sophos update that automatically sets the registry key. If you require the Microsoft patch using Windows Update, you can choose to move to a subscription that does contain the update, or manually apply the registry key via your own method (eg GPO, Script, Regedit).
NOTE: Sophos has tested the compatibility of our products with the Microsoft patch, however you may be running 3rd party software that is not compatible with the patch. We recommend contacting your 3rd party vendors to confirm their compatibility.
Customers wishing to apply the patch now, ahead of the Sophos update can set the registry key manually as described in the Microsoft article: ADV180002. Alternatively you can manually download and apply the patch without the registry key.
Please note that Microsoft states "you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates.". For more information see Microsoft article: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities. We recommend that you test any firmware updates before deploying to your live environment.
Listed below are Sophos network security products that utilize CPUs known to be vulnerable to these issues.
These products require no patches or fixes for these CVE vulnerabilities based on the assessment that access to the appliance OS to load external code is restricted, therefore malicious code cannot be executed. We recommend to follow best practices to protect the access of privileged accounts.
At present there are three vulnerabilities linked to the kernel memory leak issue, these are:
Currently there are no known malicious threats exploiting these vulnerabilities. Sophos has released protection to help protect against this happening in the future. This protection will continue to be updated.
Sophos XG Firewall and Cyberoam IPS signatures have been added to protect against the specific CVE's and sample code outlined in the Spectre and Meltdown whitepapers, and we will continue to update the IPS patterns as new variants are discovered, however we still recommend patches be applied to all affected systems as soon as they are available.
To ensure you have the latest protection please see this article: Sophos products: How to check if the product is up to date
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.