What was yesterday’s Intel kerfuffle is now showing how wide a CPU design flaw stretches. In addition to Intel, microprocessors from AMD and Arm are also vulnerable to multiple information disclosure vulnerabilities. The flaws affect almost every CPU released since 1995, according to Google’s Project Zero. The Meltdown and Spectre hardware bugs allow normal user programs, such as JavaScript in web browsers, to steal data processed on a machine. Exploiting these vulnerabilities could disclose sensitive data including passwords, personal information, communications and more.

Read the first blog: Intel Vulnerability at Processor Chip Level Will Affect Performance

Three CVEs have been assigned to the associated flaws:

Spectre

  • CVE-2017-5753: Multiple vendors’ CPUs local memory read vulnerability due to bounds-check bypass
  • CVE-2017-5715: Multiple vendors’ CPUs local memory read vulnerability due to branch target injection

Meltdown

  • CVE-2017-5754: Multiple vendors’ CPUs local memory read vulnerability due to rogue data cache load

Meltdown only affects Intel processors; the Arm Cortex-A75 is also affected, but is not yet available. Spectre impacts Intel, AMD and Arm.

All CVEs carry a CVSS score of 6.5, a medium severity.

However, Skybox recommends that the remediation of these vulnerabilities be prioritized based on the context of your unique environment, and not based on CVSS scores alone.

Patches for Meltdown and Spectre

Several vendors have already released patches for Meltdown and Spectre, with others expected to patch their systems soon. We will publish patch updates at Skybox Vulnerability Center as they become available.

  • Microsoft has issued an out-of-band security update for supported versions of Windows, Internet Explorer, Edge and SQL Server, despite its regular Patch Tuesday being right around the corner. Windows 10 machines should have been automatically updated, but certain incompatible antivirus products may prevent the update from taking effect.
  • Apple released macOS High Sierra 10.13.2 on December 21, 2017, which should at least partially protect against the CPU vulnerabilities.
  • Red Hat has released a long list of patches, affecting multiple OS versions. Red Hat maintains a full list of available and pending updates.
  • VMware has released updates to prevent information disclosure between virtual machines on the same host due to the Spectre vulnerabilities. These products are not affected by Meltdown as “ESXi does not run untrusted user mode code, and Workstation and Fusion rely on the protection that the underlying operating system provides.”
  • Google Project Zero was among the independent teams who discovered the Meltdown and Spectre flaws, and Google appears to have been poised to release patches. A Google support page has been set up to outline which products are affected and which fixes are available. Updates for Google Chrome and Chrome OS have not been released yet.
  • Amazon has said, “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected.” For EC2 Windows, AMIs will be updated in line with the Microsoft patches.
  • Patches for other Linux distributions, including CentOS and Amazon Linux, are already available.
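Once a Linux patch is installed, the kernel's own report is the way to confirm it took effect. The script below is an added example, not part of the original post or any vendor's tooling; it assumes a kernel that exposes the `/sys/devices/system/cpu/vulnerabilities/` status files (an interface the post does not mention) and maps them to the three CVEs above, with constructed sample values in `demo()`.

```python
import tempfile
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs status file -> CVE as listed in this post
CVE_FILES = {
    "spectre_v1": "CVE-2017-5753",  # bounds-check bypass
    "spectre_v2": "CVE-2017-5715",  # branch target injection
    "meltdown": "CVE-2017-5754",    # rogue data cache load
}

def classify(status):
    """Map the kernel's status text to one of four states."""
    if status is None:
        return "unknown"  # no status file: patch state is unverified
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def check(root=SYSFS):
    """Return {CVE: (state, raw kernel text or None)} for the three CVEs."""
    report = {}
    for name, cve in CVE_FILES.items():
        try:
            raw = (Path(root) / name).read_text().strip()
        except OSError:
            raw = None  # kernel without the reporting interface
        report[cve] = (classify(raw), raw)
    return report

def demo():
    """Run check() against a constructed directory (sample values only)."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "meltdown").write_text("Mitigation: PTI\n")
        (Path(d) / "spectre_v1").write_text("Vulnerable\n")
        # spectre_v2 is left out to show the missing-file case
        return check(d)

if __name__ == "__main__":
    result = check() if SYSFS.is_dir() else demo()
    for cve, (state, raw) in sorted(result.items()):
        print(f"{cve}: {state} ({raw or 'no kernel report'})")
```

A host that reports `unknown` should be handled as unpatched until its kernel version is checked against the vendor's advisory.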

Meltdown and Spectre Threat Level

Exploiting these vulnerabilities requires an authenticated local attacker: that is, an attacker who has access to the local machine and is running an application in user mode.

Multiple fully functional exploit code samples for these vulnerabilities are available online, but there is still no indication that this threat is being exploited in the wild.

Skybox will continue to release updated information regarding these vulnerabilities and associated threats.

 
