Patching Appliances for Meltdown/Spectre

Summary

InsightVM and Nexpose appliances, including physical appliances, the virtual appliance OVA, and Amazon/Azure cloud images are potentially vulnerable to Meltdown/Spectre until OS security updates have been applied and the appliance is rebooted.

Most appliances will auto-install patches, but you must manually reboot your appliances to fully apply the patch. On some recent virtual appliances, you will need to issue a command to patch and then reboot.

This document covers how to verify patches have been applied, and manually install if necessary.

Verify Patches

To verify patches are applied, check the kernel version running on the appliance. Since some appliances run Ubuntu 14.04 and some run Ubuntu 16.04, use the table below to determine the updated kernel version.

OS Version

Kernel Version

14.04

>= 3.13.0-139

16.04

>= 4.4.0-109

NOTE

Canonical Ltd has set Ubuntu version 12.04 to End-Of-Life. Security maintenance support for this version will cease according to the timeline shown in this Ubuntu release cycle article:

https://ubuntu.com/about/release-cycle

Customers with a physical appliance running Ubuntu 12.04 can contact their Customer Success Manager to discuss options for a new physical appliance.

To determine OS and kernel versions:

  1. SSH into the appliance
  2. Determine the OS version:
1
lsb_release -r
  1. Verify kernel patches are applied:
1
uname -r

If patches are not applied, check that packages are installed with:

1
dpkg -l | grep linux-image

You may see multiple kernel versions installed. If at least one version matches the kernel version in the table above, you only need to reboot to apply the latest kernel. Otherwise, continue to the Install Patches section.

Install Patches

In some cases, patches may not auto-install. Recent virtual appliances were shipped with a setting that prevented updating the kernel. It’s also possible networking issues prevent auto-downloading patches.

To install the patch:

Hardware Appliances

Virtual / Cloud Appliances

  1. SSH into the appliance
    2. Install the latest kernel update:
    <br/>apt-get update<br/>apt-get install linux-generic<br/>
    3. Reboot the appliance
    4. Verify the kernel is applied:
    <br/>uname -r<br/>
    Compare the reported version to the table in the previous section.
  1. SSH into the appliance
    2. Install the latest kernel update:
    <br/>apt-get update<br/>apt-get install linux-virtual<br/>
    3. Reboot the appliance
    4. Verify the kernel is applied:
    <br/>uname -r<br/>
    Compare the reported version to the table in the previous section.

Amazon AWS AMIs and Microsoft Azure Virtual Machine Images

Customers running a Rapid7 appliance on AWS or Azure are already protected from instance-to-instance concerns, see:

https://aws.amazon.com/security/security-bulletins/AWS-2018-013/https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

All Rapid7 cloud appliances are configured to auto-install OS patches if connected to the internet. You can reboot instances using the AWS or Azure control panel to apply the patches, or follow the instructions in the previous section to reboot via SSH.

We are working to publish updated images to the Azure and AWS marketplaces so you may redeploy a new AMI or Azure Virtual Machine image, if you choose to do so. The publishing process can take up to a few weeks. Version 6.5.1 will be the first version patched for Meltdown/Spectre.

AWS Pre-authorized Scan Engine AMI

The pre-authorized Scan Engine AMI is a hardened image with no ingress access allowed per the terms of AWS’ pre-authorized scanning program. Because you cannot SSH into the pre-authorized AMI, it is currently not possible to confirm the updated kernel was successfully applied. The image only runs processes associated with the Scan Engine and thus is at a lower risk of process-to-process concerns.

You may reboot the pre-authorized engine via the AWS EC2 console to apply patches. Once version 6.5.1 of the AMI is released to the Marketplace, you may choose to redeploy the Scan Engine.