CVE-2017-5754, CVE-2017–5753 and CVE-2017–5715 Spectre and Meltdown are hardware vulnerabilities that affect all modern CPU designs. That includes all desktop, laptop, and ARM CPU’s and mobile devices.

The two vulnerabilities can be located on the Mitre CVE Database:

 

Meltdown – CVE-2017-5754

Spectre – CVE-2017-5715 CVE-2017-5753

CVE-2017-5753 and CVE-2017-5715 Spectre and Meltdown are hardware vulnerabilities that affect all modern CPU designs. Yes, that includes all desktop, laptop, and ARM CPU’s and mobile devices.

Method of Attack:

  • Meltdown is easy to exploit and gives access to kernel memory and other programs’ memory from userspace. Affects Intel CPUs. There is a kernel fix that more or less doubles the cost of context switches, and cutting performance by a staggering 20%.
  • Spectre is hard to exploit and allows access to some other program’s memory. Affects all main CPU vendors who implement speculative execution. There is no fix, but some userspace mitigation should be possible, at the significant performance cost of preventing speculative execution.

The attack is exploited by manipulating timing of various functions and methods that the CPU uses to speed up performance. This attack allows an unprivledged process to leak private information from a priviledged process.

 

Risk Level:

There is currently a LOW PROBABILITY of you being attacked, but a HIGH IMPACT if you are.

As time goes on, the probability of attack will steadily rise, as cybercriminals become more aware of the utility and develop more automated methods of exploiting this vulnerability, the probability of attack will steadily rise.

Conclusion:

Meltdown and Spectre and extremely impressive from a technical standpoint. In the meantime, make sure you are keeping up to date with the latest security kernel patches, be careful of zero-day exploits since many developers will be in a rush to resolve the vulnerability and will likely require modification to the system kernel.

Meltdown Technical Whitepaper

Spectre Technical Whitepaper

About the Author: Louis Powers is an information security consultant and works for A2 Cybersecurity in Stony Point, New York.

lpowers@a2cybersecurity.com

https://a2cybersecurity.com/

146 S. Liberty Stony Point, NY 10980


Leave a Reply

Your email address will not be published. Required fields are marked *