If you have not yet seen or heard about 3 serious security vulnerabilities (Spectre and Meltdown) that become public last week then you need to be across them fast (CVE-2017-5715, 5753 and 5754). They represent the largest and widest ranging computing ecosystem security problem that I’ve seen in a long time, and have had a response across the entire enterprise and consumer computing industry as a result. One of the issues (Meltdown) is Intel specific, the other issues impact multiple CPU architectures (Intel, ARM, AMD, Power etc). Although patches for some products have been released already the full solutions are expected to take some time to resolve. All of the major IT vendors have given response to the issues their top priority. This article will contain key links to information that you need to know to prepare and determine the risk for your particular environment.
There are three specific variants for the issues:
Variant 1 (Spectre) – Bounds Check Bypass (CVE-2017-5753 – CVSSv3 8.2)
Variant 2 (Spectre) – Branch Target Injection (CVE-2017-5715 – CVSSv3 8.2)
Variant 3 (Meltdown) – Rogue Data Cache Load (CVE-2017-5754 – CVSSv3 7.9)
The starting point should be the industry created site to aggregate the research data for these issues – https://spectreattack.com/.
Then you should review the specific academic research papers and documentation:
Meltdown Academic Paper – https://meltdownattack.com/meltdown.pdf
Spectre Academic Paper – https://spectreattack.com/spectre.pdf
Google Project Zero – https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with- side.html
Then there are a number of vendor released security advisories:
Intel Security Advisory (INTEL-SA-00088) – https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA- 00088&languageid=en-fr
Microsoft Security Advisory (ADV180002) – https://portal.msrc.microsoft.com/en-US/security- guidance/advisory/ADV180002
Citrix Security Advisory (CTX231390) – https://support.citrix.com/article/CTX231390
VMware Security Advisory – https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
Cert Advisory (VU#584653) – http://www.kb.cert.org/vuls/id/584653
Nutanix Security Advisories (#7 -Side-Channel Speculative Execution Vulnerabilities) – https://portal.nutanix.com/#/page/static/securityAdvisories
Individual CVE Links:
CVE-2017-5753 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
CVE-2017-5715 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
CVE-2017-5754 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754
There have been performance concerns with regards to the fixes and RedHat has done some specific research on this and it is available – https://access.redhat.com/articles/3307751.
As you can see from the research and various papers and advisories that are available the security vulnerabilities are wide ranging and required and industry wide response. The security research, discovery, coordination and patching of these problems has been cross industry and covers consumer and enterprise systems. This is no small undertaking and all industry participants have been working together on the response. This is a good example of industry participants working together to resolve customer issues. There will no doubt be many lessons to be learned coming out of this and this will make for interesting reading and research for years to come.
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com. By Michael Webster +. Copyright © 2012 – 2018 – IT Solutions 2000 Ltd and Michael Webster +. All rights reserved. Not to be reproduced for commercial purposes without written permission.