CPU Vulnerability – Spectre/Meltdown "Speculative Execution"

SIL, 09/01/2018

On 03/01/2018, Google’s Project Zero team announced vulnerabilities on Intel, AMD and ARM processors due to a feature called “speculative execution”, discovered during their security tests. Oracle and IBM also conducted their test regarding this security vulnerability. It is important to note that these vulnerabilities have not been exploited in the public domain. Processor, OS and virtualisation vendors have released updates to mitigate the vulnerabilities. 

SIL is working with our clients and industry partners on this issue. We recommend applying the latest patches relevant to your infrastructure. Below information describes the vulnerability, the potential issues and includes links to download patches from Vendors.

 

Understanding the Vulnerability – Google Project Zero

Google’s Project Zero team identified vulnerabilities on the ‘speculative execution’ feature of processors. According to Intel, Speculative Execution is an optimisation technique to improve CPU performance. The concept is that instructions are executed ahead of knowing that they are required.

During lab tests, Google Project Zero team they have discovered that three causes that can allow leak information “out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.” 

Variant One - Bounds Check Bypass
Variant Two- Branch Target Injection
Variant Three - Rogue Data Cache Load

The full report on: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

 

What it means for my organisation

The described threat has not been seen in the public domain i.e. there was no attack. The research described was performed in a controlled, dedicated lab environment by a highly knowledgeable team with detailed, non-public information about the processors targeted.

Even if chances of attacks resulting out of this are minimal, we recommend updating to latest patches that apply to your hardware and OS. The following notes from different processor manufacturers and software vendors provide more information and links to various patches.

Intel

Intel is working closely with its software partners, AMD and ARM, to design mitigations for these methods. According to Intel, patches for 90% of recent Intel processors will be available as early as this week. 

Vulnerability info: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr 
Announcement for patch: https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/  

 

AMD

AMD is not affected by Variant Three. AMD points out that the described threat has not been seen in the public domain and that the test was performed by a highly knowledgeable team with detailed, non-public information about the processors targeted. 

Variant One - Resolved by software/OS updates,

Variants Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.

Variant Three does not apply because of architecture difference.
Link: http://www.amd.com/en/corporate/speculative-execution

 

ARM

According to ARM Holdings, the majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism. For those that are impacted, Linux kernel updates are recommended on https://developer.arm.com/support/security-update

 

Oracle

Oracle has revealed that its first critical patch update for 2018 includes fixes for the widespread Meltdown and Spectre CPU speculative-execution flaws.
Link: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

 

IBM – Power 7+, Power8, Power9

According to IBM, this vulnerability doesn’t allow an external unauthorized party to gain access to a machine, but it could allow a party that has access to the system to access unauthorized data. 

IBM announced Firmware patches for POWER7+, POWER8 and POWER9 platforms will be available on January 9. IBM will provide further communication on supported generations prior to POWER7+, including firmware patches and availability. Linux operating systems patches will start to become available on January 9.  AIX and IBM operating system patches will start to become available February 12.
Link: https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

 

Microsoft

Microsoft has released Windows Updates. However, we caution cross-checking with other software vendors (such as antivirus) before proceeding. 

 

Red Hat

Updates are available for Linux kernel, virtualization-related components, and/or in combination with a microcode update.  QEMU has also issued patches for KVM hypervisors.
Link: https://access.redhat.com/security/vulnerabilities/speculativeexecution  

 

VMware – vSphere ESXi

Since virtual environments are impacted, where a guest VM can exploit the vulnerabilities, major virtualisation vendors have issued patches. Updates are available for ESXi 5.5, 6.0 and 6.5 as well as other VMware software.
Link: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

 

Symantec – Endpoint Protection

Symantec published updates for its Endpoint Protection products for Windows. To receive this update, the users can run Symantec Live Update.

 

Palo Alto Networks 

Palo Alto Networks recommends upgrading appliances to the latest version of application and threat content updates. 

 

Conclusion

The described threat has not been seen in the public domain. Fixes are already available for some processors and all major operating systems. SIL recommends you apply the latest patches that are relevant to your infrastructure. Feel free to contact SIL for further information and any other information that you may need.