On Wednesday January 3, 2018, researchers published information about multiple vulnerabilities they discovered in modern computer processors from Intel, AMD, and ARM. These vulnerabilities, dubbed Meltdown and Spectre, allow programs to steal data including passwords and other sensitive data.
These hardware vulnerabilities work on personal computers, mobile devices, and in the cloud. Every Intel processor which implements out-of-order execution is potentially affected by Meltdown. Spectre affects Intel, AMD, and ARM processors.
Both Meltdown and Spectre use a side-channel to obtain the information from the accessed memory location, termed “Kernel-memory-leaking”. While Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory, Spectre tricks other applications into accessing arbitrary locations in their memory. Leaked information could include passwords stored in a password manager or browser, personal photos, emails, instant messages and documents.
The exploitation does not leave any traces and it is unlikely that the intrusion would be detected. However, antivirus systems may detect malware used in the initial intrusion.
There are no known attacks reported in the wild at this time.
- CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre.
- CVE-2017-5754 is the official reference to Meltdown
We have currently rated this issue as HIGH and is subject to change pending further information.
Which systems are affected by Meltdown?
Desktop, laptop, and cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.
Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, laptops, cloud servers, as well as smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, Spectre has been verified on Intel, AMD, and ARM processors.
What We’re Doing
For managed devices, Scalar is working with our technology vendors to identify affected devices and develop a plan for remediation once patches are released.
While no patch is currently available, Scalar recommends keeping your computers up to date with the latest patches upon their release. In addition, you should also check with your device manufacturer for relevant updates. It is recommended to apply software and firmware updates as soon as they are available. In case of unsuccessful mitigation organizations may consider a replacement of CPU hardware.
- [Project Zero – Google] Reading privileged memory with a side-channel
- [Meltdown] Bugs in modern computers leak passwords and sensitive data.
- [Intel] Intel Responds to Security Research Findings
- [Microsoft] Guidance to mitigate speculative execution side-channel vulnerabilities