Reference: CERT.be Advisory #2018-001
Affected systems: [CPUs (Intel, AMD, Qualcomm), architectures: x86, x86_64, ARM]
Type: CPU hardware vulnerable to side-channel attacks
Two new side-channel based attacks, dubbed Meltdown and Spectre, affect the main CPU architectures. While Spectre affects all three major chip makers (Intel, AMD and ARM), AMD claims their processors are immune to Meltdown.
To achieve high performance, modern processors implement several optimization techniques such as out-of-order execution (used in Meltdown) or branch prediction (used in Spectre). These mechanisms have side-effects that can be leveraged by attackers to:
• read the content of private kernel memory (Meltdown)
• access information about other processes, including a virtual machine’s host operating system (Spectre).The issue comes from hardware design choices, and any workaround will have to come at the operating system level.
Systems affected by Meltdown
Researchers successfully conducted exploitation on Intel processors. Exploitation on other systems is currently unknown; the research paper doesn’t discard this possibility.
Desktops, laptops and handheld Intel CPU based devices are all affected.
Systems affected by Spectre
- Most devices using Intel, AMD or ARM A75 based processors are affected.
For both vulnerabilities, exploitation can provide access to non-authorized memory pages (user and kernel level).
For both vulnerabilities, the most exposed systems are cloud providers because they present a larger attack surface. The risk for the general public is much lower.
Some systems can be vulnerable to both.
Currently, researchers have identified three vulnerabilities:
Devices that are affected:
- • Servers
• Cell phones
• Smart TVs
• IoT devices
• Other devices with affected CPUs
Patch your system(s) as soon as possible.
Vendor-specific links to advisories and patches:
Fedora Project: https://fedoramagazine.org/protect-fedora-system-meltdown/
Open SUSE: https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00001.html
Red hat: https://access.redhat.com/security/security-updates/#/security-advisorie...