Spectre & Meltdown: Important Vulnerability Advisory

Spectre

Release Date (01-03-18) CVE-2017-5753 & CVE-2017-5715

Meltdown

Release Date (01-03-18) CVE-2017-5754

Affected Products

  • Spectre - All modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, the researchers have verified Spectre on Intel, AMD, and ARM processors.
  • Meltdown - Every Intel processor that implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013).

Vulnerability Details

According to the researchers at Project Zero (reference 1):

“We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.

Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01 [1].

So far, there are three known variants of the issue:

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

Before the issues described here were publicly disclosed, Daniel Gruss, Moritz Lipp, Yuval Yarom, Paul Kocher, Daniel Genkin, Michael Schwarz, Mike Hamburg, Stefan Mangard, Thomas Prescher and Werner Haas also reported them; their [writeups/blogposts/paper drafts] are at:

  • Spectre (variants 1 and 2)
  • Meltdown (variant 3)”

Impact

If your system is affected, the documented proof-of-concept exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system. As of the release of this information, this exploit has not been abused in the wild.

Remediation

  • Windows — Microsoft has issued an out-of-band patch update for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018.
  • MacOS — Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but MacOS 10.13.3 will enhance or complete these mitigations.
  • Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.
  • Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update. Other users have to wait for their device manufacturers to release a compatible security update.
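To confirm that a Linux host has actually picked up the kernel patches described above, the per-variant status can be read from sysfs. The script below is an added example, not part of the original advisory; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (4.15 or a distribution backport), and the function name check_variants and the sample directory contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report kernel mitigation status for the three variants in
# this advisory, read from the Linux sysfs "vulnerabilities" directory.
# Assumption: the kernel exposes that directory (4.15+ or a backport).
# check_variants is a hypothetical helper; the optional argument points it
# at a copy of the directory (for example, one collected from another host).
check_variants() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    # sysfs file name : CVE : variant name used in the advisory
    for entry in \
        "spectre_v1:CVE-2017-5753:bounds check bypass" \
        "spectre_v2:CVE-2017-5715:branch target injection" \
        "meltdown:CVE-2017-5754:rogue data cache load"
    do
        file=${entry%%:*}
        rest=${entry#*:}
        cve=${rest%%:*}
        name=${rest#*:}
        if [ ! -r "$dir/$file" ]; then
            # No entry: the kernel predates the reporting interface, so
            # treat the patch level as unknown rather than as safe.
            status="UNKNOWN (no sysfs entry; kernel likely unpatched)"
            rc=1
        else
            status=$(cat "$dir/$file")
            case $status in
                "Not affected"*|Mitigation:*) ;;  # safe states
                *) rc=1 ;;                         # "Vulnerable" or unexpected
            esac
        fi
        printf '%-14s %-24s %s\n' "$cve" "$name" "$status"
    done
    return $rc
}

# Constructed sample (not real host output): KPTI applied, Spectre unpatched.
demo=$(mktemp -d)
echo "Mitigation: PTI" > "$demo/meltdown"
echo "Vulnerable" > "$demo/spectre_v1"
echo "Vulnerable" > "$demo/spectre_v2"
check_variants "$demo" || echo "=> at least one variant is not mitigated"
rm -rf "$demo"
```

Calling check_variants with no argument reads the live host; the non-zero return code makes it usable as a compliance check in a fleet scan.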

Defensive Mitigations

There are currently no defensive mitigations or appropriate logging/alerting available.

References

  1. https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html
  2. https://meltdownattack.com
  3. https://thehackernews.com/2018/01/meltdown-spectre-vulnerability.html
  4. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

NetWorks Group Managed Service Customers running affected products will be contacted to allow each customer to arrange for an upgrade of the managed device.

All other customers running an affected product should plan to implement any recommended remediations and/or defensive mitigations as soon as possible to address the issues in this advisory.

If you have questions regarding this notice, please call us at 734-827-1400, option 3 or email support@networksgroup.com.
