What are the Spectre and Meltdown vulnerabilities?
Spectre and Meltdown are the names given to new vulnerabilities that were revealed at the beginning of 2018, and affect almost every computer processor manufactured over the last 20 years.
Spectre and Meltdown are actually specific variations of a major security flaw that affects processors (CPUs), and arises from built-in features that help systems run faster.
Spectre affects Intel, AMD and ARM processors, and thus extends beyond servers and PCs to include mobile phones, tablets and basically anything that has a chip in it, such as Smart Home devices. Spectre gets its name from Speculative Execution, which is a function that involves a processor attempting to predict the future in order to work faster. If the processor knows that software code includes multiple logical branches, it will start working out the calculations for all of those branches before the software even has to decide between them. Spectre tricks software into revealing data that should have been kept hidden within the protected memory area of the processor cache.
Meltdown primarily affects Intel processors, and got its name because it “melts” the security barrier that prevents software from accessing data in the system that it shouldn’t normally be able to see. This includes data belonging to other software, other users, or even data contained within different virtual servers hosted on the same hardware. This is particularly concerning for systems hosted by cloud providers.
Who is affected?
Pretty much everybody, because Spectre and Meltdown are flaws at the architecture level. It doesn’t matter what operating system or software is running on the device, be it Windows, OS X, Linux, Android, or something else: everything is equally vulnerable.
A huge variety of devices containing chips from the past 20 years are theoretically affected, from servers to TVs, and even baby monitors. Meltdown in particular could be used to attack cloud-based platforms, where huge numbers of networked computers share data among millions of users.
Is there a fix?
Chip manufacturers and software vendors have been busy working on patches since being notified of these vulnerabilities several months ago.
Hardware patches, known as microcode updates, are being released by chip and hardware manufacturers, and can be applied following specific instructions for the affected product. A microcode update is a small piece of software that is installed directly on to the processor to act as an interface between the hardware and operating system.
Software patches and updates are also being made available by software vendors, and will generally be installed as part of their normal update process.
As the problem is so widespread, and affects millions, if not billions of devices, a recall simply is not an option. Existing systems can only be patched to work around the flaw, whilst going forward, chip manufacturers will need to fundamentally redesign their processor architecture.
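Once the patches described above have been installed, it is worth confirming that they are actually active. The following is an added example, not part of the original advisory or any vendor's tooling: it assumes a Linux system whose kernel reports mitigation state under /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and later, plus vendor backports), and the function names are our own.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation state on Linux.
# Assumption: the kernel exposes one status file per issue in the
# directory below (mainline 4.15+ and vendor backports).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one kernel status line to a coarse verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;   # CPU does not have the flaw
        "Mitigation:"*)  echo MITIGATED ;;      # a workaround is active
        "Vulnerable"*)   echo VULNERABLE ;;     # flaw present, no full workaround
        *)               echo UNKNOWN ;;        # missing file or unexpected text
    esac
}

# Print "<issue> <verdict> <raw status>" for each issue.
# Returns 1 if any issue is VULNERABLE or cannot be determined, so the
# function can gate a patch-compliance check.
check_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            status=$(cat "$dir/$issue")
        else
            # Kernels that predate the reporting interface have no file;
            # treat that as "not proven patched" rather than as safe.
            status="(no status file: kernel does not report this issue)"
        fi
        verdict=$(classify_status "$status")
        printf '%-11s %-13s %s\n' "$issue" "$verdict" "$status"
        case "$verdict" in
            VULNERABLE|UNKNOWN) rc=1 ;;
        esac
    done
    return $rc
}
```

Source the file and run check_mitigations with no argument to inspect the live system; pass a directory to test against saved copies of the status files.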
Is there an impact on performance or reliability?
Software updates will only partially mitigate the threat by altering or disabling how software code makes use of the speculative execution or caching features built into the processors, and thus could impact the performance or even the stability of the system.
It has been reported that Meltdown patches could reduce performance of Intel processors by as much as 30%, although the impact is likely to vary depending on what the device is used for. Virtualisation and database systems are likely to be impacted more than other types of systems.
Specific Vendor Updates
In order to help our customers, here is a list of some of the manufacturers’ updates and statements:
We are aware of the recently discovered security vulnerabilities known as Meltdown and Spectre. These industry-wide vulnerabilities impact many modern processors, and allow malicious code to force a processor into allowing access to protected data in the system memory (RAM). We are working closely with our processor and Operating System suppliers to address the issues, and we will release the needed firmware updates to reduce the risks.
Schneider Electric is actively investigating the impact of Spectre and Meltdown attacks on our offerings. Information will be posted once it becomes available.
No DrayTek products are vulnerable to Meltdown or Spectre. This includes routers, modems, switches and wireless access points. None of our products use affected CPUs. In addition, DrayTek products operate under a closed ecosystem; it is not possible to install additional apps or code into any of our hardware products which would be a pre-requisite for either of these vulnerabilities.
A number of Fujitsu products incorporating microprocessors manufactured by certain third-party suppliers are affected by these vulnerabilities. Fujitsu has asked its suppliers to provide patches as soon as possible for all affected products that are currently supported (as included in the list of affected systems provided under the link below). Older systems that are no longer supported will not be patched.
HP is working closely with our partners, and updates will be made as soon as possible. Check this Security Bulletin frequently for updates.
Intel is committed to product and customer security and to responsible disclosure. We worked closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to mitigate this issue promptly and constructively.
Microsoft is aware of new hardware processor vulnerabilities that are named Spectre and Meltdown. These are a newly discovered class of vulnerability based on a common chip architecture that, when originally designed, was created to speed up computers.
We have identified a number of affected QNAP NAS models. You can find the comprehensive list below. We are currently working on software updates to fix these vulnerabilities.
We will continue updating this advisory with the latest information.