Two major vulnerabilities discovered affecting almost all devices on the market have been dominating the headlines recently, stretching beyond the normal tech news and into mainstream media.
This is for good reason; these vulnerabilities, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), affect a very basic CPU function known as speculative execution which is used in all modern CPUs.
What is speculative execution?
To improve performance, a CPU may predict and execute instructions ahead of time. If these predictions are incorrect they will be rolled back silently and invisibly without affecting running applications, however if correct, the execution can continue much faster for the software requiring them, thus improving performance.
Why is this a problem?
Although exploitation can be difficult, while undertaking speculative execution, some information may occasionally be left in memory and not cleared down, leaving it exploitable to a potential attacker.
There are, however, no known exploits of this in the wild today as confirmed by Google, Apple and others.
Notable mobile devices at risk include the Galaxy S8, S8+, Note 8, Google Pixel 2 and Pixel 2XL, as well as iPhone, iPad, Mac and Apple TV.
How is this being resolved?
Intel is working with ARM and AMD to fix this at the hardware level, however Apple, Google, Microsoft and others are also patching this via software.
- Apple released mitigations as part of iOS 11.2, macOS 10.13.2 and tvOS 11.2 with more to come including for the Safari browser.
- Google have released January 2018 security update which includes mitigations against attack. For the Chrome browser, Google suggest enabling site isolation
- Microsoft released security updates on January 3rd to mitigate attack for Windows devices, and a cumulative update for Windows Phone devices shortly after.
Please also see 16/01/2018 update post here.
Meltdown potentially impacts systems running MobileIron server products. This includes MobileIron physical appliances. An attacker who gains unprivileged access to a vulnerable system could potentially extract memory from other processes or VM’s.MobileIron Core, Sentry, and Cloud product deployments are less prone to this kind of attack as the system does not normally allow unprivileged users to run arbitrary programs. However, MobileIron is working to release patches to protect customers.
MobileIron will be releasing necessary updates across our products with the respective patches applied. We will keep you informed on the release date.
Customers with a upgrade or platform management subscription will be contacted asap to plan the intervention.
Customers using virtualization will want to apply patches from their hypervisor provider as well.
You can follow MobileIron’s article on their Security page on the knowledgebase https://community.mobileiron.com/docs/DOC-5739
- VMWare AirWatch:
Shared SaaS: The VMware AirWatch SaaS Service team is currently evaluating, identifying, and patching affected systems in our SaaS environments related to vulnerabilities described in CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown).Dedicated SaaS: In the event VMware AirWatch must perform maintenance that will affect our service availability to our SaaS dedicated customer environments, AirWatch will work with you to determine suitable scheduling of these activities.
On-Premise: On-Premise environments managed by customers should be remediated in accordance with the guidance document provided by your operating system vendor(s). VMware AirWatch is in the process of evaluating shipped products to determine whether patching is necessary. At this time, VMware AirWatch has not identified any AirWatch products requiring software patches.
You can follow vmware’s airwatch article at https://support.air-watch.com//articles/115015960907-Security-Vulnerability-CVE-2017-5753-CVE-2017-5715-Spectre-and-CVE-2017-5754-Meltdown-
How to protect devices from attack
First and foremost, ensure devices are updated – for Windows and iOS/macOS devices the updates will be immediately available, for Android devices the security patch is available already for some devices, but still in progress for others. Check frequently.
Secondly, CWSI has always recommended only installing applications from reputable sources, such as official app stores, and for this issue our advice is no different; installation from 3rd party locations is the leading source of malware infection on mobile devices.
If you wish more detail on these controls or anything else in relation to this advisory please don’t hesitate to contact us.
While these vulnerabilities are severe, it is worth reiterating that there are no known exploits in the wild. Meltdown requires the installation of local software in order to achieve an exploit and Spectre is considerably more difficult, requiring perfect timing, in order to do so.
As long as devices are kept up to date as mitigations are deployed, customer devices should be safe.
For questions or concerns, please reach out to email@example.com or reach me directly below.