Vulnerabilities that allow unauthorized access to the contents of virtual memory have been identified in Intel, ARM64 and AMD processors. Attacks that exploit these vulnerabilities were dubbed Meltdown and Spectre.
According to researchers at Google Project Zero, the newly identified problem includes three vulnerabilities:
- bounds check bypass (CVE-2017-5753/Spectre);
- branch target injection (CVE-2017-5715/Spectre);
- rogue data cache load (CVE-2017-5754/Meltdown).
While both Spectre and Meltdown attacks allow user applications to obtain other programs’ data, Meltdown attacks also allow kernel memory to be read.
These flaws may affect computers, servers and mobile devices running Windows, macOS, Linux, Android, iOS and Chrome OS, since most of these devices use vulnerable microprocessors. According to Kaspersky Lab ICS СERT researchers, Meltdown and Spectre vulnerabilities may also affect industrial equipment, primarily SCADA servers, industrial computers and networking devices. To find out whether specific devices being used are vulnerable, checking with their respective vendors is recommended.
Cisco has already published an advisory providing information on vulnerabilities in its products. Affected devices include Cisco 800 Industrial Integrated Services routers and Industrial Ethernet 4000 switches.
Siemens has published a security bulletin, in which it stated that it is analyzing the impact of Spectre and Meltdown vulnerabilities on its products and testing the compatibility of its solutions with patches released for operating systems.
Update (January 15, 2018):
ABB is also analyzing this issue. According to the company’s notification, the security flaws identified can potentially affect all ABB products that use vulnerable processors.
Update 2 (January 19, 2018):
Schneider Electric has published a notification on the impact of the vulnerabilities on its products, recommending caution in installing patches if they are applied to critical systems.
OSIsoft has published information on installing Windows updates to close the Spectre and Meltdown vulnerabilities. It includes data on the effect of patches on the performance of PI Systems software.
Information on materials published by other vendors, including General Electric and Rockwell Automation, can be found in the relevant US ICS CERT advisory.