Meltdown and Spectre, What You Need To Know
Meet Meltdown and Spectre, the reason the general public is being urged to update their Windows and Mac computers. What’s the rush? Almost every phone and computer manufactured within the last 20 years contains fundamental security flaws affecting central processing units (CPUs), the silicon chips critical for running each device. If exploited, these flaws could open the floodgates, allowing attackers to access sensitive data including passwords. What makes the situation more challenging is that the patches created to mitigate the issues can negatively affect a PC’s performance. The impact on Opengear devices seems to be minimal – we’ll dig into that later, but in the meantime, let’s first understand more about these flaws.
Meltdown and Spectre are a set of security vulnerabilities that affect CPUs and remained undetected until now. Researchers at Google, Cyberus Technology and Graz University of Technology discovered that these flaws reach into places in modern CPU architectures where data passes through in raw, unencrypted form. Usually, this data has powerful protections to prevent it from being interfered with or observed by other applications and processes; however, Meltdown and Spectre circumvent these protections.
Meltdown (CVE-2017-5754) melts security barriers that are usually enforced by hardware. It affects the boundary between an operating system (OS) and an application, breaking the mechanism that keeps applications from accessing arbitrary system memory. Attackers can use Meltdown to access personal information stored by the OS. It affects every Intel processor made since the early 1990s. Yes, Meltdown is easier to fix than Spectre and can mainly be addressed by updating operating systems; however, it can do a lot of damage if not properly patched.
Spectre (CVE-2017-5753, CVE-2017-5715) is more challenging to stop than Meltdown. There are two variations of Spectre, and both allow attackers to extract information from other running applications; they affect processors made by Intel, AMD and ARM. These flaws are related to speculative execution, the optimization technique used by microprocessors to improve performance. These vulnerabilities give malicious programs the ability to steal sensitive data that was generated by another application.
Patching Meltdown and Spectre Protections
What should system and device owners do about Meltdown and Spectre? You should be relieved to know that the entire computer industry is scrambling to patch in protections. These attacks are the most threatening to shared hosting environments where multiple servers are capable of executing code on a system. As a result, cloud service providers have begun deploying attack mitigation efforts to their services.
You can keep your data safe by making specific updates to your CPU’s firmware, web browsers and operating systems. However, to completely mitigate these vulnerabilities, it is necessary to patch the OS to include recent fixes in the kernel and update the processor’s firmware.
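One way to confirm on a Linux host that the kernel fixes described above are active, as an added example that is not Opengear's code: it reads the kernel's `/sys/devices/system/cpu/vulnerabilities/` entries for the three CVEs named in this article. It assumes a Linux kernel recent enough to expose that interface; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the kernel-reported mitigation status for Meltdown
# and both Spectre variants via the Linux sysfs vulnerabilities interface.

# classify_status STATUS_LINE -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;          # CPU is not susceptible
        Mitigation:*)    echo OK ;;          # kernel mitigation is active
        Vulnerable*)     echo VULNERABLE ;;  # affected, no or partial mitigation
        *)               echo UNKNOWN ;;     # missing or unrecognised status
    esac
}

# check_cpu_vulns [DIR] -> prints one line per CVE; returns 1 if any is not OK.
# DIR defaults to the real sysfs path; a test can pass a constructed directory.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for pair in meltdown:CVE-2017-5754 \
                spectre_v1:CVE-2017-5753 \
                spectre_v2:CVE-2017-5715; do
        name="${pair%%:*}"
        cve="${pair#*:}"
        if [ -r "$dir/$name" ]; then
            status="$(cat "$dir/$name")"
        else
            # Kernels without the fixes do not expose these files at all.
            status="(no sysfs entry; kernel may predate the fixes)"
        fi
        verdict="$(classify_status "$status")"
        [ "$verdict" = OK ] || rc=1
        printf '%-11s %-14s %s: %s\n' "$verdict" "$cve" "$name" "$status"
    done
    return "$rc"
}

# Stand-alone run: report, and flag the host if anything is not mitigated.
check_cpu_vulns "$@" || echo "action needed: update the kernel and CPU firmware" >&2
```

A missing entry is reported as UNKNOWN rather than OK, because a kernel that has never been patched exposes no status files at all.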
The Opengear engineering team is aware of both of these vulnerabilities and we are diligently working to better understand whether there is any potential impact on our devices. By default, Opengear devices will not run untrusted code, and as a preventative measure, our users are able to disable shell accounts for non-administrator users.
Devices that have been confirmed unaffected are:
- IM7200 Infrastructure Manager
- IM4200 Infrastructure Manager
- CM4100 Console Manager
- ACM5500 Remote Infrastructure Management
- ACM5000 Remote Site Manager
Be sure to check back in to see what patches we recommend for your devices.