Security Advisory: Meltdown and Spectre – Processor Flaws Expose Networks to New Class of Vulnerabilities

Security researchers have identified a flaw, present in most computer processors, that allows unauthorized disclosure of information. The flaw, which affects most major processor manufacturers, is the first known instance of a security vulnerability at the processor level, and could be exploited in servers, workstations (including laptops), network infrastructure, mobile devices, IoT devices and consumer electronics – essentially any system utilizing an impacted processor.

The vulnerabilities allow an authenticated attacker with access to a company’s system to execute code that may read data being processed on the same system by other processes. To exploit them, the attacker must have physical or logical access to the system, or must already have exploited a separate vulnerability in order to take advantage of these processor-level flaws remotely. Memory controlled by one process is normally not accessible to another process; these vulnerabilities circumvent that protection, and exploit code is already publicly available.

The exposure means that passwords, documents, emails and other data residing on affected systems may be at risk. In a shared services environment, such as many cloud environments, there is a risk of one customer using the attack to access data of another customer sharing the same hardware.

Protiviti has published a Flash Report with important links and steps organizations should take now to evaluate impacted systems and address any issues.

The MITRE Corporation, which manages federally funded cybersecurity research and is responsible for providing identifiers, is calling the vulnerabilities Meltdown and Spectre, and has released three distinct Common Vulnerabilities and Exposures (CVE) numbers: CVE-2017-5754 (Meltdown), and CVE-2017-5753 and CVE-2017-5715 (Spectre).

Mitigations for the uncovered vulnerabilities are already available. Here’s a quick to-do list for companies:

  • Each of the three major cloud-hosting providers (Amazon Web Services, Google Cloud and Microsoft Azure) has published a response. Get familiar with the information relevant to you.
  • Immediately evaluate your organization’s exposure and apply patches to in-house devices and systems – taking care to put the patches through standard patch testing to identify potential performance degradation or other adverse effects.
  • Reach out to partners that process sensitive data and solicit information on how they are responding to these vulnerabilities.
  • Be aware of the wide variety of systems impacted. Patch management programs that focus on the end-user environment and specific server platforms, such as Windows or Linux, will not have sufficient coverage to manage this risk. Work to identify and address other impacted systems. Commonly overlooked systems include virtualized platforms, connected devices, and vendor systems that are sitting on the company network.
  • Provide company leadership and the board of directors with regular, transparent updates that give an appropriate sense of the risk exposure, actions being taken to mitigate the risk and any potential impact on the business.
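One concrete way to carry out the "evaluate and patch" step on Linux hosts is to read the kernel's own report of its mitigation status. The script below is an added example, not part of the Protiviti advisory or Flash Report; it assumes a Linux kernel of version 4.15 or later, which exposes one status file per issue under `/sys/devices/system/cpu/vulnerabilities` (`meltdown`, `spectre_v1`, `spectre_v2`), each holding a single line such as `Mitigation: PTI`, `Vulnerable` or `Not affected`. The `VULN_DIR` override and the `classify_status`, `check_one` and `report_host` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Protiviti advisory): summarise the Linux kernel's
# own report of Meltdown/Spectre mitigation status from sysfs.
# Assumes Linux 4.15+, which exposes
#   /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}
# Each file holds one line such as "Mitigation: PTI", "Vulnerable" or "Not affected".

# VULN_DIR may be overridden so the functions can be exercised against constructed files.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map one sysfs status line to a short verdict:
#   mitigated | vulnerable | not-affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;   # also covers "Vulnerable: <partial mitigation>"
        *)               echo "unknown" ;;
    esac
}

# Read one sysfs file and classify it; "missing" when the kernel does not expose it
# (older kernel, or a platform whose kernel has not been updated at all).
check_one() {
    file="$VULN_DIR/$1"
    if [ -r "$file" ]; then
        classify_status "$(cat "$file")"
    else
        echo "missing"
    fi
}

# Print one verdict per CVE named in the advisory.
# Returns 1 if any entry is vulnerable, unknown or missing, so the script can
# feed a fleet-wide inventory that flags hosts still needing attention.
report_host() {
    rc=0
    for entry in "meltdown CVE-2017-5754" "spectre_v1 CVE-2017-5753" "spectre_v2 CVE-2017-5715"; do
        name="${entry% *}"
        cve="${entry#* }"
        verdict="$(check_one "$name")"
        printf '%-10s %-14s %s\n' "$name" "$cve" "$verdict"
        case "$verdict" in
            vulnerable|unknown|missing) rc=1 ;;
        esac
    done
    return "$rc"
}

report_host || echo "one or more entries vulnerable or unreported on this host" >&2
```

Note the limit of this check: sysfs reflects only the running kernel's view of its own mitigations. A hypervisor, firmware or microcode gap on the host underneath a virtual machine is not visible from inside the guest, which is why the advisory's point about virtualized platforms and vendor appliances still requires separate verification with each platform owner.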

Protiviti will continue to monitor the situation and will provide updates as warranted. Download the Flash Report here.

Andrew Retrum

Managing Director
Technology Consulting – Security and Privacy
