[SingCERT] Alert on Security Flaws Found in Central Processing Units (CPUs)

Published on Thursday, 04 January 2018 18:35

Background
 
On 3 January 2018, a group of security researchers published the discovery of two vulnerabilities dubbed “Meltdown” and “Spectre” affecting desktop computers, smartphones, tablets and cloud services. The vulnerabilities enable attackers to steal any data processed by the computer.
 
Meltdown (CVE-2017-5754) allows attackers to bypass the security boundary between user applications and the operating system, which enables them to access information in operating system memory, including sensitive data from other programs. Only Intel processors are affected by it so far. Spectre (CVE-2017-5753 and CVE-2017-5715) affects Intel, AMD and ARM processors and allows attackers to trick applications into leaking their data.
 
Affected Vendors
 
List of affected vendors:

Impact
 
A successful exploit on vulnerable CPUs could allow attackers to read and access confidential information, such as passwords, which could allow them to compromise computers or entire server networks.
 
Recommendations
 
The solution to mitigate these exploits is to update the firmware. Vendors such as Intel and Microsoft have pushed out patches to fix these vulnerabilities.

SingCERT recommends that users monitor their respective product vendors' websites for the release of security patches and update to the latest patch as soon as possible.
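
After patching a Linux system, the kernel's own mitigation report can be checked for the three CVEs named above. The script below is an added example, not part of the SingCERT advisory; it assumes the Linux sysfs directory `/sys/devices/system/cpu/vulnerabilities` (present on kernels that include the reporting interface), and the function names are illustrative.

```python
"""Report kernel mitigation status for the CVEs named in this advisory (Linux only)."""
import os
import sys

# Assumption: Linux sysfs reporting interface; absent on older, unpatched kernels.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# CVE from the advisory -> sysfs file that reports on it
CVE_FILES = {
    "CVE-2017-5754": "meltdown",
    "CVE-2017-5753": "spectre_v1",
    "CVE-2017-5715": "spectre_v2",
}

def classify(status):
    """Map a raw sysfs status line to a coarse verdict."""
    if status is None:
        return "unknown"  # no status file: kernel does not report on this issue
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def check(base=SYSFS_DIR):
    """Return {cve: (verdict, raw_status)} read from the directory `base`."""
    results = {}
    for cve, name in CVE_FILES.items():
        try:
            with open(os.path.join(base, name)) as fh:
                raw = fh.read().strip()
        except OSError:
            raw = None
        results[cve] = (classify(raw), raw)
    return results

def needs_action(results):
    """CVEs for which the kernel does not report a mitigation."""
    return sorted(c for c, (v, _) in results.items() if v in ("vulnerable", "unknown"))

if __name__ == "__main__":
    res = check()
    for cve, (verdict, raw) in sorted(res.items()):
        print(f"{cve}: {verdict} ({raw or 'no status file'})")
    sys.exit(1 if needs_action(res) else 0)
```

A non-zero exit status means at least one of the three issues is reported as vulnerable or is not reported at all, so the host still needs the vendor's update.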
 