Security Advisory: Meltdown and Spectre – Processor Flaws Expose Networks to New Class of Vulnerabilities

Security researchers have identified a class of flaws, present in most modern computer processors, that allows unauthorized disclosure of information. The flaws stem from speculative execution, a performance feature of the processor hardware itself rather than of any operating system or application, and affect chips from the major processor manufacturers. They could be exploited on servers, workstations (including laptops), network infrastructure, mobile devices, IoT devices and consumer electronics – essentially any system utilizing an impacted processor.

The vulnerabilities allow an attacker who can run code on a system to read data belonging to other processes, to the operating system kernel, or, on virtualized hosts, to other virtual machines on the same hardware. The attacker needs the ability to execute code locally, obtained either through physical or logical access to the system or by first exploiting a separate vulnerability (for example, getting a victim's browser to run untrusted script) in order to take advantage of these processor-level vulnerabilities remotely. Memory belonging to one process is normally isolated from every other process by the hardware and the operating system; these vulnerabilities circumvent that protection, and proof-of-concept exploit code is publicly available.

The exposure means that passwords, documents, emails and other data held in memory on affected systems may be at risk. The flaws permit reading memory, not modifying it or directly gaining elevated privileges, so the risk is disclosure. In a shared services environment, such as many cloud environments, there is a risk of one customer using the attack to access data of another customer sharing the same hardware.

Protiviti has published a Flash Report with important links and steps organizations should take now to evaluate impacted systems and address any issues.

The researchers who discovered the flaws named them Meltdown and Spectre. The MITRE Corporation, which operates the federally funded CVE program and assigns its identifiers, has issued three distinct Common Vulnerabilities and Exposures (CVE) numbers: CVE-2017-5754 (Meltdown, also described as "rogue data cache load"), CVE-2017-5753 (Spectre variant 1, "bounds check bypass") and CVE-2017-5715 (Spectre variant 2, "branch target injection").

Mitigations for the uncovered vulnerabilities are already available, in the form of operating system and hypervisor patches, processor microcode or firmware updates from hardware vendors, and browser updates; no single patch covers all three CVEs. Here’s a quick to-do list for companies:

  • Each of the three major cloud-hosting providers (Amazon Web Services, Google Cloud and Microsoft Azure) has provided a response. Get familiar with the information relevant to you.
  • Immediately evaluate your organization’s exposure and apply patches to in-house devices and systems. Expect both operating system updates and processor microcode or firmware updates, and put them through standard patch testing, since some mitigations carry a measurable performance cost on certain workloads and can introduce stability issues.
  • Reach out to partners that process sensitive data and solicit information on how they are responding to these vulnerabilities.
  • Be aware of the wide variety of systems impacted. Patch management programs that focus on the end-user environment and specific server platforms, such as Windows or Linux, will not have sufficient coverage to manage this risk. Work to identify and address other impacted systems. Commonly overlooked systems include virtualized platforms, connected devices, and vendor systems that are sitting on the company network.
  • Provide company leadership and the board of directors with regular, transparent updates that give an appropriate sense of the risk exposure, actions being taken to mitigate the risk and any potential impact on the business.
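One way to carry out the "evaluate your exposure" step on Linux hosts, written as an added example for this advisory rather than taken from it or from the Protiviti Flash Report: Linux kernels from 4.15 onward publish their own per-variant mitigation status under /sys/devices/system/cpu/vulnerabilities/, one file per variant (meltdown, spectre_v1, spectre_v2), and the script below reads those files and maps each to a verdict, so it can be dropped into a patch-compliance job. The directory path, the function names and the `--run` flag are this example's own choices; the status strings it matches ("Not affected", "Mitigation:", "Vulnerable") are the prefixes the kernel uses.

```shell
#!/bin/sh
# Added example, not part of the Protiviti advisory: read the Linux kernel's
# own per-variant mitigation report and turn it into a triage verdict.
# Assumption: Linux 4.15 or later, which exposes one file per variant under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2).
# VULN_DIR can be overridden, e.g. to point at a copy collected from another host.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "<text the kernel wrote to the sysfs file>"
# Prints one word:
#   unaffected - the kernel says this CPU is not affected
#   mitigated  - an active mitigation is reported (e.g. "Mitigation: PTI")
#   vulnerable - the kernel reports the CPU is affected and not fully protected
#                (it keeps the "Vulnerable" prefix even for partial mitigations)
#   unknown    - anything else, such as "Unknown (no microcode)"
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_variant <sysfs file name> <CVE id>
# Prints "<name> <cve> <verdict>: <raw kernel text>". A missing file means the
# running kernel predates the report (or is not Linux) and must not be
# assumed patched, so it is reported as unknown.
check_variant() {
    file="$VULN_DIR/$1"
    if [ -r "$file" ]; then
        raw=$(cat "$file")
        printf '%s %s %s: %s\n' "$1" "$2" "$(classify_status "$raw")" "$raw"
    else
        printf '%s %s unknown: no kernel report (kernel older than 4.15?)\n' "$1" "$2"
    fi
}

# scan_all
# Checks the three CVEs from the advisory and returns non-zero if any of them
# is neither mitigated nor unaffected, so the exit status can gate a job.
scan_all() {
    rc=0
    for pair in "meltdown CVE-2017-5754" \
                "spectre_v1 CVE-2017-5753" \
                "spectre_v2 CVE-2017-5715"; do
        set -- $pair            # split "name cve" into $1 and $2
        line=$(check_variant "$1" "$2")
        echo "$line"
        case "$line" in
            *" mitigated: "*|*" unaffected: "*) ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Run the scan only when invoked as "sh spectre_check.sh --run", so the file
# can also be sourced to reuse the functions from other scripts.
case "${1:-}" in
    --run) scan_all ;;
esac
```

Run it as `sh spectre_check.sh --run` on each host; a non-zero exit means at least one variant is reported as vulnerable or has no report. Two caveats apply: the sysfs report is the kernel's view of that host only, so a virtual machine that reports "mitigated" still depends on the hypervisor being patched, and browsers ship their own mitigations that this check does not see. On Windows the equivalent kernel-side report comes from Microsoft's SpeculationControl PowerShell module (`Get-SpeculationControlSettings`).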

Protiviti will continue to monitor the situation and will provide updates as warranted. Download the Flash Report here.

Andrew Retrum

Managing Director
Security and Privacy
