
The impact of Meltdown and Spectre CPU exploits on Bitdefender GravityZone users

Find out how the latest CPU hardware vulnerabilities to side-channel attacks affect Bitdefender GravityZone users.

Last revised: 22 January 2018 11:15am GMT

Overview

Modern CPU hardware implementations from the last decade have been found vulnerable to side-channel attacks. Through a CPU architecture design flaw, links can be established between user and kernel memory pages, allowing attackers to obtain access to sensitive information. The two advanced attacks are now known as Meltdown and Spectre.

Impact

As a result, security patches and statements have been released by major industry players. These security patches come with new hardware and software requirements that may break compatibility with specialized applications such as security products.

Solution

To mitigate any negative effects, Bitdefender ensures performance and compatibility evaluations between its GravityZone business products and the recent security patches.

Engineering teams covering all Bitdefender GravityZone components will release the compatibility updates through automatic updates commencing 8 January 2018. At the moment, evaluation tests with the security patches are still being run as they are made available by their vendors.

As there may be new developments in this security case, this section will be updated with new information pertaining to the approved security patches and to GravityZone solutions and their related components:

  • GravityZone Endpoint Security for Windows - Version 6.2.28.973 (Fast Ring) compatible with January 3rd Microsoft security patches was released on Monday the 8th of January at 10am GMT. The Slow Ring version was also released on Tuesday the 9th of January at 5am GMT. No action is required from users before or during the Bitdefender Endpoint update. This update automatically delivered a specific registry key that enabled the Windows security update in question. You can carry on with regular OS updates after version 6.2.28.973 installation is completed.

Note

To change the Update Ring:

  1. Go to Policies in GravityZone console.

  2. Select the policy in question and go to the Update tab.

  3. Choose Fast Ring from the Update Ring drop-down menu.

  • Endpoint Security by Bitdefender Version 5.3.34.489 was released on the 9th of January at 6:00am GMT.

  • GravityZone Bitdefender Endpoint Security Tools – Version 4.0.0.177215 is compatible with Mac 10.13.2, which mitigated the Meltdown vulnerability.

  • GravityZone Endpoint Security for Linux – compatibility tests are currently being run on Linux distributions that published security patches: RedHat, SUSE, Fedora, Debian, Oracle Linux and CentOS. As patches become available for other supported distributions, we will include them in our compatibility tests.

  • GravityZone Security for Virtualized Environments:

    • NSX Guest Introspection Integrated – this is an agentless solution; there are no Bitdefender components running within the guest VMs. Please consider the VMware security advisory as well when planning to upgrade your infrastructure.

    • Multi-Platform – Bitdefender Endpoint Security Tools for Windows Version 6.2.28.973 was released on Monday the 8th of January at 10am GMT following the same update release model as above.

  • Additional compatibility tests are currently being run for:

    • GravityZone Hypervisor Introspection

    • GravityZone Security for Exchange

    • GravityZone Security for Mobile

  • As soon as the Ubuntu Security Team releases security patches for Ubuntu 16.04, Bitdefender will start its compatibility and performance tests for GravityZone virtual appliances. The GravityZone virtual appliance is powering the following GravityZone solutions:

    • GravityZone Business Security

    • GravityZone Advanced Business Security

    • GravityZone Elite Security (HD)

    • GravityZone Ultra Security (XDR)

    • GravityZone Enterprise Security

    • GravityZone for Service Providers (XSP)

    • Cloud Security for MSP

    • GravityZone Full Disk Encryption

    • GravityZone Patch Management

    • Security for Amazon Web Services
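
The Windows entry above says the endpoint update delivers a registry key that enables the Microsoft security update. The following check is an added example, not Bitdefender or Microsoft code: it reads the antivirus-compatibility marker from Microsoft's published guidance for the January 2018 updates and reports its state on the local machine. The key path and value name come from that guidance and do not appear on this page; the HotFixId parameter is a hypothetical, operator-supplied list of KB ids.

```powershell
# Added example: audit the antivirus-compatibility marker tied to the
# January 2018 Windows security updates. Run on the endpoint being checked.
[CmdletBinding()]
param(
    # Assumption: the operator supplies the KB ids relevant to the OS build.
    [string[]]$HotFixId = @()
)

# Key path and value name as published by Microsoft (not taken from this page).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatState {
    param([string]$Path, [string]$Name)

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return 'KeyMissing' }
    if ($key.GetValueNames() -notcontains $Name) { return 'ValueMissing' }

    # The documented marker is a REG_DWORD with data 0; report any deviation.
    $kind = $key.GetValueKind($Name)
    $data = $key.GetValue($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return "WrongType:$kind" }
    if ($data -ne 0) { return "WrongData:$data" }
    return 'Present'
}

$state = Get-QualityCompatState -Path $KeyPath -Name $ValueName

# Record which of the requested updates are already installed.
$installed = foreach ($id in $HotFixId) {
    if (Get-HotFix -Id $id -ErrorAction SilentlyContinue) { $id }
}

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    MarkerState       = $state
    MarkerOk          = ($state -eq 'Present')
    HotFixesChecked   = $HotFixId -join ','
    HotFixesInstalled = @($installed) -join ','
}
```

An endpoint that reports a MarkerState other than Present after the agent has updated to version 6.2.28.973 is worth investigating before relying on regular OS updates to deliver the patch.
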

Updates:

9 January 6:00pm GMT

Check the following Microsoft advisory for additional details regarding the Windows Servers security patch process. Bitdefender is currently following this guideline to assess the compatibility with its Business products. Since its impact on the server infrastructure may differ widely, a specific time frame for a compatibility resolution is unavailable at the moment.

9 January 7:00pm GMT

GravityZone Security for Mobile is now compatible with the latest Android 8.1 and iOS 11.2.2 security patches.

11 January 10:10am GMT

Bitdefender has started the compatibility and performance tests with the latest security patches from the Ubuntu Security Team. Since the performance impact on its GravityZone virtual appliances may differ widely, a specific time frame for a compatibility resolution is unavailable at the moment.

15 January 9:40pm GMT

Bitdefender has finished the compatibility and performance tests for Bitdefender Endpoint Security for Linux version 6.2.20.47 with the latest security patches delivered by the supported Linux distributions. No issues were identified.

19 January 1:00pm GMT

Bitdefender has finished the compatibility and performance tests for Bitdefender Hypervisor Introspection (HVI). Security Server version 6.1.62.5920 is compatible with Windows and Linux guests patched against Spectre and Meltdown vulnerabilities.

Security Server (Multi-Platform/HVI) has been updated with security patches against Meltdown and Spectre vulnerabilities.

22 January 11:15am GMT

Security Server for VMware NSX has been updated with security patches against Meltdown and Spectre vulnerabilities.

References

Find out more information about the impact of these vulnerabilities:

Project Zero: Meltdown and Spectre exploits.

The Register: 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign.

Microsoft: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities.