Significant security vulnerabilities have been found in most common processor architectures that implement virtual memory, including some Intel, AMD and ARM processors.
This issue first came to wide attention through a widely reposted Tumblr post from 1st January 2018 (citing an LWN article from 15th November 2017). Since then, advisories have been released by providers including Google, Intel, AMD, ARM, and Microsoft, and updates are expected to be released by major operating system and cloud providers.
The flaws reportedly allow unprivileged users to identify kernel virtual address ranges, which could lead to exposure of sensitive data stored in memory as well as the ability to insert malicious code into the running kernel – thus gaining privileged access to a system.
The flaws have been identified as three vulnerability variants, grouped as Meltdown (variant 3) and Spectre (variants 1 and 2):
- Variant 1: bounds check bypass (CVE-2017-5753)
- Variant 2: branch target injection (CVE-2017-5715)
- Variant 3: rogue data cache load (CVE-2017-5754)
What is the risk to my organisation?
The level of security risk from these vulnerabilities will depend on the types of hardware, hypervisor and operating system in use and on current patch levels. Microsoft has also identified a compatibility issue between the patch for this vulnerability and anti-virus applications, so asset owners should make themselves aware of any caveats before implementing patches.
What should organisations do?
Specific software mitigations have been developed and made available by several providers via kernel-level patches since at least October 2017. However, patched systems may notice a drop in performance for any virtual applications requiring kernel interaction, e.g. reading or writing to disk. Large organisations may need to increase resources to manage normal workloads.
Asset owners should look at the advice from their system providers now and in the coming months, and make patch management decisions in line with their best security practices.
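One way to confirm whether a Linux host's kernel reports the three variants as mitigated, as an added example that is not part of the original advisory. It assumes a Linux kernel of version 4.15 or later, which exposes per-issue status files under `/sys/devices/system/cpu/vulnerabilities`; the function names and the sample file contents in `demo()` are constructed for illustration.

```python
"""Added example: report the kernel-declared status of the three variants on Linux."""
import tempfile
from pathlib import Path

# Linux kernels 4.15 and later expose one status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Variant names and CVE ids as listed in the advisory; file names are the kernel's.
VARIANTS = {
    "spectre_v1": ("Variant 1: bounds check bypass", "CVE-2017-5753"),
    "spectre_v2": ("Variant 2: branch target injection", "CVE-2017-5715"),
    "meltdown": ("Variant 3: rogue data cache load", "CVE-2017-5754"),
}

def classify(text):
    """Map a kernel status line to not_affected / mitigated / vulnerable / unknown."""
    s = text.strip().lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"

def audit(base=SYSFS_DIR):
    """Return {file_name: (cve, state, raw_line)} for each variant."""
    report = {}
    for name, (_title, cve) in VARIANTS.items():
        try:
            raw = (Path(base) / name).read_text().strip()
            state = classify(raw)
        except OSError:
            # No status file: the kernel does not report on this issue,
            # so mitigation cannot be confirmed from this interface.
            raw, state = "", "unknown"
        report[name] = (cve, state, raw)
    return report

def needs_action(report):
    """Variants that are vulnerable or cannot be confirmed as mitigated."""
    return sorted(n for n, (_c, s, _r) in report.items() if s in ("vulnerable", "unknown"))

def demo():
    """Run the audit against constructed sample files (not real host output)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "meltdown").write_text("Mitigation: PTI\n")
        Path(d, "spectre_v1").write_text("Vulnerable\n")
        # spectre_v2 is deliberately absent to exercise the missing-file path.
        return needs_action(audit(d))

if __name__ == "__main__":
    for name, (cve, state, raw) in audit().items():
        print(f"{VARIANTS[name][0]} ({cve}): {state} [{raw or 'no status file'}]")
```

An `unknown` result on a real host usually means the kernel predates this reporting interface, which is itself a signal that the system has not received the relevant updates.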