
On 3rd January 2018, 3 new vulnerabilities were identified, named “Meltdown” and “Spectre”, with the following CVEs:
- Variant 1: bounds check bypass (CVE-2017-2753) – Spectre
- Variant 2: branch target injection (CVE-2017-5715) – Spectre
- Variant 3: rogue data cache load (CVE-2017-5754) – Meltdown
The official website, where all information and vulnerability details can be found, is linked below:
- Spectre & Meltdown: https://spectreattack.com/
The discovered vulnerabilities allow potential malware to gain access to information processed by the CPU without having direct access to it; this is possible because these vulnerabilities grant read access to all data in memory.
This means that potential malware can get hold of sensitive data used by other applications on the host, such as passwords, documents, emails, etc.
These vulnerabilities affect most modern CPUs on the market, including Intel, AMD and ARM processors.
Currently there is no information about threats that use these vulnerabilities, even though some scripts available online demonstrate the effectiveness of the attack:
The following scheme shows the main differences between these 2 vulnerabilities:

HOW TO DEFEND YOURSELF
Key vendors have now released patches and security bulletins to address the detected vulnerabilities:
- Microsoft has released patches for its Windows systems, pointing out that antivirus compatibility with them must be verified:
- https://social.technet.microsoft.com/wiki/contents/articles/51021.mitgations-for-speculative-execution-side-channel-vulnerabilities-meltdown-spectre.aspx
- To verify antivirus compatibility, refer to this document:
- Android is releasing updates for different system components
- For Linux, distributions are releasing ad hoc patches:
- Red Hat has released patches for all versions up to 7.2
- The Debian team is working on releasing patches:
- SUSE is releasing patches for its systems from SLES 11 SP3 onwards
- VMware has announced that, for guest OS updates to work, ESXi and vCenter Server must also be updated. For ESXi version 5.5 Spectre isn’t patchable; a VMware farm upgrade is required
- Apple has released patches for iOS 11.2, macOS 10.13.2 and tvOS 11.2, and is working to develop solutions for other systems
- IBM will release a patch for POWER 7+, POWER 8 and POWER 9 systems on 9th January. A patch for Linux OS will be released on the same day, while a patch for AIX will be released on 12th January
- Intel has provided OS vendors with software and firmware updates to mitigate the exploit; these are already available in the aforementioned patches. Intel is also working to protect the remaining systems not yet updated
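On a Linux host, the kernel's own report can confirm whether the distribution patches listed above took effect for each of the three variants. The script below is an added example, not part of the original advisory; it assumes the kernel exposes /sys/devices/system/cpu/vulnerabilities/ (an interface the page does not mention, absent on kernels that predate the fixes), and the function names are illustrative.

```shell
#!/bin/sh
# Added example: summarize the kernel's Meltdown/Spectre mitigation report.
# Assumption: status files live in /sys/devices/system/cpu/vulnerabilities/
# and start with "Not affected", "Mitigation: ..." or "Vulnerable".

# classify_status STRING -> prints ok, vulnerable or unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_variants [DIR] -> one line per variant; returns 0 if all are ok,
# 1 if any variant is vulnerable, 2 if a report is missing or unrecognized.
check_variants() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for entry in "spectre_v1:Variant 1 (bounds check bypass)" \
                 "spectre_v2:Variant 2 (branch target injection)" \
                 "meltdown:Variant 3 (rogue data cache load)"; do
        file="${entry%%:*}"      # sysfs file name
        label="${entry#*:}"      # variant name as used in the advisory
        if [ -r "$dir/$file" ]; then
            status="$(head -n 1 "$dir/$file")"
        else
            # No file usually means the running kernel predates the fixes.
            status="no report from kernel"
        fi
        verdict="$(classify_status "$status")"
        printf '%-42s %-11s %s\n' "$label" "$verdict" "$status"
        case "$verdict" in
            vulnerable) rc=1 ;;
            unknown)    if [ "$rc" -eq 0 ]; then rc=2; fi ;;
        esac
    done
    return "$rc"
}

# Run against the live system with: sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then
    check_variants
    exit $?
fi
```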
REFERENCES
- https://googleprojectzero.blogspot.it/2018/01/reading-privileged-memory-with-side.html
- https://spectreattack.com/
- https://meltdownattack.com/
- https://www.bleepingcomputer.com/news/microsoft/how-to-check-and-update-windows-systems-for-the-meltdown-and-spectre-cpu-flaws/
- https://cxsecurity.com/issue/WLB-2018010039
- https://social.technet.microsoft.com/wiki/contents/articles/51021.mitgations-for-speculative-execution-side-channel-vulnerabilities-meltdown-spectre.aspx