The RKL eSolutions Technology Services and Risk Management teams have been closely monitoring the emerging story regarding the discovery of major security flaws affecting essentially all mainstream CPUs from Intel, AMD, and Arm. This is still an evolving story, however, we did want to provide some guidance for our clients as early as possible.
What are Meltdown and Spectre?
All modern CPUs in our workstations and servers segregate memory to different levels to isolate potentially sensitive data from user processes. They also utilize a number of engineering approaches to maximize performance. Two of these, speculative execution and out-of-order execution, have been discovered to have fundamental design flaws that could, in theory, allow a malicious program to access some of the isolated data. This could allow the attacker to possibly gain access to passwords, user-identifiable data, or other sensitive information that should be isolated from access.
Meltdown is the flaw that allows exploitation of out-of-order instructions. It is the higher risk flaw, in that it requires a lower level of expertise to exploit. To date, it has only been shown to affect processors manufactured by Intel. It is often referred to as the “KPTI” issue, in that it is a breakdown of Kernel Page-Table Isolation.
Spectre is the more complex flaw that is much more complex to exploit. It still represents a significant security risk, however, and also needs to be addressed in an expedient manner. It affects processors from Intel, AMD, and Arm.
CERT and the Department of Homeland Security have offered this following chart to easily reference the two issues and their security footprint:
Spectre | Meltdown | |
CPU mechanism for triggering | Speculative execution from branch prediction | Out-of-order execution |
Affected platforms | CPUs that perform speculative execution from branch prediction | Intel x86 CPUs that allow memory reads in out-of-order instructions |
Difficulty of successful attack | High - Requires tailoring to the software environment of the victim process | Low - Kernel memory access exploit code is mostly universal |
Impact | Cross- and intra-process memory disclosure | Kernel memory disclosure to userspace |
Software mitigations | Unknown | Kernel page-table isolation (KPTI) |
What should I do?
The CPU manufacturers and Operating System vendors are all working together to provide both firmware and software updates to help mitigate these issues. All computer users, including those using mobile devices, home computers, office desktop workstations, and servers, need to continue to monitor information sources and seek updates to their computers as soon as vendors make them available.
This requires the following actions:
Additional Information
We have found the following links helpful in monitoring and identifying remedial fixes for the Meltdown and Spectre security issues:
If your organization needs assistance in identifying and mitigating the security risks presented by Meltdown and Spectre, please contact us and we can provide the necessary IT and Risk Management services to help ensure the security of your IT infrastructure.
IT Infrastructure Help