Alert - Meltdown and Spectre Side-Channel Vulnerabilities

Number: AL18-001
Date: 4 January 2018

Purpose

The purpose of this alert is to bring attention to side-channel vulnerabilities, which affect many modern computer processors. There are three known variants of this issue. Variant 1: CVE-2017-5753, Variant 2: CVE-2017-5715, Variant 3: CVE-2017-5754. Variants 1 and 2 are referred to as Spectre. Variant 3 is referred to as Meltdown.

Assessment

These hardware vulnerabilities affect personal computers, mobile devices, and the cloud. Every Intel processor that implements out-of-order execution is potentially affected by Meltdown. Spectre affects Intel, AMD and ARM processors.

Both Meltdown and Spectre use a side channel to obtain information from the accessed memory location, a technique termed “Kernel-memory-leaking”. While Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory, Spectre tricks other applications into accessing arbitrary locations in their memory. Leaked information could include passwords stored in a password manager or browser, personal photos, emails, instant messages and documents.

Exploitation does not leave any traces, and it is unlikely that an intrusion would be detected. However, antivirus software may detect malware used in the intrusion. Active exploitation has not been confirmed at this time.

Suggested Action

CCIRC recommends consulting the operating system vendor or system manufacturer for specific risk mitigation advice. It is recommended to apply software and firmware updates as soon as they are available. If mitigation is unsuccessful, organizations may consider replacing CPU hardware.
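
One way to confirm on a Linux host that the updates took effect is shown below. It is an added example, not part of the CCIRC alert, and it assumes a kernel that exposes the `/sys/devices/system/cpu/vulnerabilities` status files (Linux 4.15 or a vendor backport); the function names and the sample data are constructed for illustration.

```python
from pathlib import Path

# Assumption: Linux kernel with the sysfs vulnerability reporting interface.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> (variant as named in the alert, CVE from the alert)
VARIANTS = {
    "spectre_v1": ("Variant 1 (Spectre)", "CVE-2017-5753"),
    "spectre_v2": ("Variant 2 (Spectre)", "CVE-2017-5715"),
    "meltdown": ("Variant 3 (Meltdown)", "CVE-2017-5754"),
}

def classify(status):
    """Reduce a kernel status line to one of four states."""
    text = (status or "").strip()  # None means the file was absent
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable" if text.startswith("Vulnerable") else "unknown"

def read_status(directory=SYSFS_DIR):
    """Return {file name: raw status line, or None if the file is missing}."""
    out = {}
    for name in VARIANTS:
        path = Path(directory) / name
        out[name] = path.read_text() if path.is_file() else None
    return out

def report(statuses):
    """Return (cve, variant, state) tuples in the alert's variant order."""
    return [(cve, variant, classify(statuses.get(name)))
            for name, (variant, cve) in VARIANTS.items()]

def needs_action(statuses):
    """CVEs whose mitigation is missing or cannot be confirmed on this host."""
    return [cve for cve, _, state in report(statuses)
            if state in ("vulnerable", "unknown")]

# Constructed sample: OS patch for Meltdown present, Variant 2 fix not yet applied.
SAMPLE = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
}

if __name__ == "__main__":
    for cve, variant, state in report(read_status()):
        print(f"{cve}  {variant:22} {state}")
```

A state of `unknown` means the kernel predates the reporting interface, so the host should be treated as unpatched until the vendor's guidance says otherwise.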
