PLEASE READ Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) for the latest updates.
[LAST UPDATED Jan 10th 2018 - 17:27 UTC]
This article describes the implications, for Sophos customers, of the Kernel memory leak issues being discussed in the media, and which are addressed in patches that were released ahead of schedule by Microsoft on 03 Jan 2018, as well as by patches to Apple and Linux. This article will continue to be updated when new information becomes available.
The following sections are covered:
The vulnerability involves a kernel memory leak known by names such as KPTI, KAISER and F**CKWIT. Additionally new research published on 03 Jan 2018 provides details of exploits that utilize this vulnerability, known as Meltdown and Spectre. The Sophos Naked Security blog has posted more details on this issue here.
On 03 Jan 2018 Microsoft released a Security Advisory (ADV180002) which includes advice on this vulnerability and links to security updates.
The Microsoft article advises you contact your Anti-Virus vendor to confirm that their software is compatible with the patch and also sets a specific registry key.
Sophos has completed testing of installing the patch and setting the registry key and can confirm no compatibility issues were seen. We will begin to automatically add the registry key in updates to the following Sophos Endpoint/Server products starting 05 Jan 2018:
IMPORTANT: For server operating systems, Microsoft states "Customers have to enable mitigations to help protect against speculative execution side-channel vulnerabilities". To enable the mitigations Microsoft customers need to enable three additional registry keys, these may cause performance issues and will not be set by Anti-Virus vendors. For more information see: Windows Server guidance to protect against speculative execution side-channel vulnerabilities.
NOTE: For Sophos Central customers currently enrolled in the Early Access Program (EAP) please see this article: Meltdown and Spectre – The chip bugs and Intercept X Early Access Program
For customers running Sophos Intercept X and/or Sophos Device Encryption only (ie without Sophos Anti-Virus), alongside a 3rd party Anti-Virus product. Please contact the 3rd party Anti-Virus vendor to check their compatibility with the Microsoft patch and if they have set the required registry key.
For customers who wish to confirm the Sophos update has been applied please see this article: Kernel memory issue affecting multiple OS: How to confirm you have the Sophos update.
Sophos Central customers using Controlled Updates will not receive the Sophos update that automatically sets the registry key. If you require the Microsoft patch using Windows Update, you can choose to Resume Automatic Updating to receive the Sophos update that sets the registry key, or manually apply the registry key via your own method (eg GPO, Script, Regedit).
Sophos Enterprise Control (SEC) customers using Fixed Extended subscriptions will not receive the Sophos update that automatically sets the registry key. If you require the Microsoft patch using Windows Update, you can choose to move to a subscription that does contain the update, or manually apply the registry key via your own method (eg GPO, Script, Regedit).
NOTE: Sophos has tested the compatibility of our products with the Microsoft patch, however you may be running 3rd party software that is not compatible with the patch. We recommend contacting your 3rd party vendors to confirm their compatibility.
Customers wishing to apply the patch now, ahead of the Sophos update can set the registry key manually as described in the Microsoft article: ADV180002. Alternatively you can manually download and apply the patch without the registry key.
Please note that Microsoft states "you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates.". For more information see Microsoft article: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities. We recommend that you test any firmware updates before deploying to your live environment.
A number of Sophos network security products utilise CPUs that are known to be vulnerable to these issues. While the CPU may be affected, a hacker would first need to compromise the network product using another vulnerability and inject customised attack code to exploit these vulnerabilities. But even in this case, no significant additional malicious gain can be obtained. Sophos uses hardened, customized operating system kernels in all network security products, forming part of a closed system where custom code cannot execute. This greatly reduces the potential exposure and risk to customers. Sophos takes security seriously and is performing all of the necessary analysis this vulnerability deserves.
Sophos is currently investigating the kernel updates for Linux and other operating systems (as they are being made available by the vendors) that are the basis of the firmware of our network security appliances. If required, any necessary fixes (updated firmware, BIOS updates or equivalent images, etc.) will be made available to the latest versions of the network security products or applied before a product is shipped.
Sophos strongly recommends that if you are running a prior release of XG Firewall (SFOS), Sophos UTM, or Cyberoam OS you should upgrade to the latest version to take advantage of all the latest features, performance, stability and security enhancements. For all Sophos network security products, please apply the latest Maintenance Releases as and when they become available.
The following products have been confirmed as not vulnerable to these vulnerabilities and do not require any actions:
Special note on virtual environments
If you are running a Sophos network product in a virtual environment, please ensure that you apply all appropriate fixes/patches to the virtual host, in addition to any necessary fixes to the Sophos product.
At present there are three vulnerabilities linked to the kernel memory leak issue, these are:
Currently there are no known malicious threats exploiting these vulnerabilities. Sophos has released protection to help protect against this happening in the future. This protection will continue to be updated.
Sophos XG Firewall and Cyberoam IPS signatures have been added to protect against the specific CVE's and sample code outlined in the Spectre and Meltdown whitepapers, and we will continue to update the IPS patterns as new variants are discovered, however we still recommend patches be applied to all affected systems as soon as they are available.
To ensure you have the latest protection please see this article: Sophos products: How to check if the product is up to date
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.