US-CERT- TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance

Started by Netwörkheäd, January 17, 2018, 06:07:33 PM

Previous topic - Next topic

Netwörkheäd

TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance

[html]Original release date: January 04, 2018 | Last revised: January 17, 2018

      

Systems Affected


      

CPU hardware implementations

      
      

Overview


      

On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as https://meltdownattack.com/">Meltdown and https://spectreattack.com/">Spectre— that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.

      
      

Description


      

CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. These attacks are described in detail by CERT/CC's Vulnerability Note https://www.kb.cert.org/vuls/id/584653">VU#584653, the United Kingdom National Cyber Security Centre's guidance on https://www.ncsc.gov.uk/guidance/meltdown-and-spectre-guidance">Meltdown and Spectre, https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html">Google Project Zero, and the Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz). The Linux kernel mitigations for this vulnerability are referred to as KAISER, and subsequently KPTI, which aim to improve separation of kernel and user memory pages.

      
      

Impact


      

Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.

      
      

Solution


      

NCCIC encourages users and administrators to refer to their hardware and software vendors for the most recent information. In the case of Spectre, the vulnerability exists in CPU architecture rather than in software, and is not easily patched; however, this vulnerability is more difficult to exploit.

Let's not argue. Let's network!