Updated insights on new variants of CPU side-channel vulnerabilities

Published May 22, 2018 @ 16:55

The Visier Information Security team is continually monitoring for emerging threats exploiting the three variants of side-channel vulnerabilities described within the National Vulnerability Database (NVD) as CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. The “Spectre” (CVE-2017-5753, CVE-2017-5715) and “Meltdown” (CVE-2017-5754) vulnerabilities continue to be assessed as a MODERATE risk.

Two new variants of side-channel vulnerabilities have been discovered, resulting in the release of US-CERT Alert (TA18-141A) “Side-Channel Vulnerability Variants 3a and 4” for CPU hardware implementations. The two new vulnerabilities are described within the National Vulnerability Database (NVD) as:

  • Variant 3a: Rogue System Register Read – CVE-2018-3640
  • Variant 4: Speculative Store Bypass – CVE-2018-3639

Attacks on both vulnerability variants require local access to a target system. Risk is mitigated by a combination of requirements for exploitation and Visier’s layered defences, patch management practices, and service architecture which are very effective protection against attacks relying on achieving local access and code execution. The new variants are assessed as LOW risk.

Visier insights on memory side-channel vulnerabilities known as “Meltdown” and “Spectre”

Published Jan 18, 2018 @ 08:52

The Visier Information Security team has ongoing vulnerability management, emerging threat assessment, network security monitoring, and incident response practices. Our systems and services are continuously monitored for threats and activity throughout an attack’s lifecycle.

“Spectre” and “Meltdown” are a collection of vulnerabilities related to the way computers do memory management. These vulnerabilities are extremely complicated to remediate due to modern performance optimizations in more CPUs.  CPU hardware, operating system, and software vendors are all working together to build short- and long-term solutions.  Full remediation will require software and hardware changes to the vast majority of current devices in use around the world. The complexity of the problem makes it challenging to describe the risks, however Visier is taking a serious and considered approach that will at all times prioritize the security of customer data.

Visier has seen no indications of attempts to target or exploit Visier systems and services exploiting “Spectre” and “Meltdown” side-channel memory vulnerabilities.

What is Visier’s response?

  • On January 3rd, 2018, Visier initiated emerging threat assessment of three new memory side-channel vulnerabilities. The three vulnerabilities are described within the National Vulnerability Database (NVD) as CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. They have been named as “Spectre” (CVE-2017-5753, CVE-2017-5715) and “Meltdown” (CVE-2017-5754). These vulnerabilities are relevant to the majority of consumer- and enterprise-class processors in a wide variety of devices, personal computers, and servers.
  • Visier operates systems and services which rely on technology based on the architectures which are potentially vulnerable to CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.
  • Exploitation of Meltdown and Spectre vulnerabilities depend on an attacker executing code on a target system, which is a high-risk scenario that Visier defends against using multiple layers of security.
  • Visier’s remediation activities include processor microcode updates, operating system patching, and application patching with prioritization based on risk.
  • Visier is continuing to assess these emerging threats and places a high priority on protecting systems, services, and customer data.