If you have not yet seen or heard about the 3 serious security vulnerabilities (Spectre and Meltdown) that became public last week, you need to get across them fast (CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754). They represent the largest and widest-ranging security problem in the computing ecosystem that I’ve seen in a long time, and they have drawn a response from the entire enterprise and consumer computing industry as a result. One of the issues (Meltdown) is Intel specific; the other issues impact multiple CPU architectures (Intel, ARM, AMD, Power etc). Although patches for some products have already been released, the full solutions are expected to take some time. All of the major IT vendors have made their response to the issues their top priority. This article contains key links to the information you need to prepare and to determine the risk for your particular environment.
There are three specific variants for the issues:
Variant 1 (Spectre) – Bounds Check Bypass (CVE-2017-5753 – CVSSv3 8.2)
Variant 2 (Spectre) – Branch Target Injection (CVE-2017-5715 – CVSSv3 8.2)
Variant 3 (Meltdown) – Rogue Data Cache Load (CVE-2017-5754 – CVSSv3 7.9)
The starting point should be the industry-created site that aggregates the research data for these issues – https://spectreattack.com/.
Then you should review the specific academic research papers and documentation:
Meltdown Academic Paper – https://meltdownattack.com/meltdown.pdf
Spectre Academic Paper – https://spectreattack.com/spectre.pdf
Google Project Zero – https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html
Then there are a number of vendor released security advisories:
Intel Security Advisory (INTEL-SA-00088) – https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Microsoft Security Advisory (ADV180002) – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
Citrix Security Advisory (CTX231390) – https://support.citrix.com/article/CTX231390
VMware Security Advisory – https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
CERT Advisory (VU#584653) – http://www.kb.cert.org/vuls/id/584653
Nutanix Security Advisories (#7 - Side-Channel Speculative Execution Vulnerabilities) – https://portal.nutanix.com/#/page/static/securityAdvisories
Individual CVE Links:
CVE-2017-5753 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
CVE-2017-5715 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
CVE-2017-5754 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754
There have been performance concerns about the fixes. Red Hat has done some specific research on this, which is available at https://access.redhat.com/articles/3307751.
Final Word
As you can see from the research and various papers and advisories that are available the security vulnerabilities are wid