MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2018

MA-691.012018: MyCERT Alert - CPU Hardware Side-Channel Attacks Vulnerability

Date Published: 4/1/2018


1.0 Overview
MyCERT is aware of a set of security vulnerabilities—known as Meltdown and Spectre—that affect modern computer processors. Malaysia National Cyber Security Agency (NACSA) has released an alert regarding this matter. Users may refer to the URL below for details:


2.0 Description
CPU hardware implementations are vulnerable to side-channel attacks referred to as ‘Meltdown’ and ‘Spectre’. Both vulnerabilities take advantage of the ability to extract information from instructions that have executed on a CPU using the CPU cache as a side-channel. These hardware flaws allow programs to steal data which is currently processed on the computer. The issues are organized into three (3) variants:
 
NoVariantCVENameVulnerability
1.Variant 1CVE-2017-5753Bounds Check BypassSpectre
2.Variant 2CVE-2017-5715Branch Target InjectionSpectre
3.Variant 3CVE-2017-5754Rogue Data Cache LoadMeltdown



3.0 Impact
Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. An attacker able to execute code with user privileges can achieve various impacts, such as reading otherwise protected kernel memory and bypassing KASLR.


4.0 Affected Products
These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.
 

5.0 Recommendations
Users and administrators are encouraged to review the below URLs for more information and refer to CPU, OS & application vendors for necessary patches.
 

No.VendorURL
1Amazonhttps://aws.amazon.com/security/security-bulletins/AWS-2018-013/
2AMDhttps://www.amd.com/en/corporate/speculative-execution
3Androidhttps://source.android.com/security/bulletin/2018-01-01
4Applehttps://support.apple.com/en-us/HT208394
5ARMhttps://developer.arm.com/support/security-update
6CentOShttps://lists.centos.org/pipermail/centos-announce/2018-January/date.html
7Chromiumhttps://www.chromium.org/Home/chromium-security/ssca
8Citrixhttps://support.citrix.com/article/CTX231399
9F5https://support.f5.com/csp/article/K91229003
10Googlehttps://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
11Huaweihttp://www.huawei.com/en/psirt/security-notices/huawei-sn-20180104-01-intel-en
12IBMhttps://exchange.xforce.ibmcloud.com/collection/Central-Processor-Unit-CPU-Architectural-Design-Flaws-c422fb7c4f08a679812cf1190db15441
13Intelhttps://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
14Lenovohttps://support.lenovo.com/us/en/solutions/len-18282
15Linuxhttps://lkml.org/lkml/2017/12/4/709
16Microsoft Azurehttps://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
17Microsofthttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
18Mozillahttps://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
19NVIDIAhttp://nvidia.custhelp.com/app/answers/detail/a_id/4609
20OpenSUSEhttps://lists.opensuse.org/opensuse-security-announce/2018-01/msg00001.html
21Red Hathttps://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&documentKind=PortalProduct
22SuSEhttp://lists.suse.com/pipermail/sle-security-updates/2018-January/date.html
23Trend Microhttps://success.trendmicro.com/solution/1119183-important-information-for-trend-micro-solutions-and-microsoft-january-2018-security-updates
24VMWarehttps://www.vmware.com/security/advisories/VMSA-2018-0002.html
25Xenhttp://xenbits.xen.org/xsa/advisory-254.html



Generally, MyCERT advises users of this product to be updated with the latest security announcements made by the vendor and follow best practice security policies to determine which updates should be applied.


For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Handphone: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 AM - 18:00 PM MYT
Cyber999 Mobile Apps: IOS Users or Android Users


6.0 References