ACSC programs and advice are being migrated to cyber.gov.au (see sidebar)

News

ACSC Statement on Reports of Speculative Execution Flaws in Processors

Main Points

  • Security researchers have developed methods involving speculative execution to read kernel memory from user space on a variety of processors from a range of vendors produced in the last decade. At this point there is no indication that the reported flaws are being actively exploited by malicious cyber actors.
  • The exact details of this security research have now been released by the Project Zero team at Google. Until the full details of the security research have been analysed by the ACSC, it is difficult to determine the full extent of the impact it may have, however some of the affected companies have acknowledged an issue exists and work is underway to remediate it.
  • Patches are expected in the near future for various operating systems and applications likely to be impacted (e.g. virtualisation software). Firmware patches from the vendors of the affected hardware are also expected in the near future.
  • Organisations should apply operating system, application and firmware patches when available from the affected companies. It is advised that when available these should be implemented within the timeframes recommended by the ACSC (i.e. within 48 hours of release for extreme risk security vulnerabilities).
  • Applying the patches may possibly have a performance impact on processing capability. But on balance, the ACSC's advice is to patch systems to address potential security vulnerabilities.
    • For everyday use of devices, the impact of applying these patches is unlikely to be noticeable. The risks or consequences of choosing not to patch is as yet unknown. We welcome advice on any performance impacts experienced as a result of patching actions.
    • Should you be operating at near maximum processing capacity, we recommend considering options to increase or manage capacity to minimise the potential impact of patching.
  • The ACSC will assess the impact of this security research on cloud services listed on the Certified Cloud Services List (CCSL) and provide updates as necessary.
  • Intel, AMD and ARM have released press statements that can be found below and at the following links:

Intel Statement:

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

"Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices - with many different vendors' processors and operating systems - are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.

Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.

Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers."

AMD Statement:

"There is a lot of speculation today regarding a potential security issue related to modern microprocessors and speculative execution. As we typically do when a potential security issue is identified, AMD has been working across our ecosystem to evaluate and respond to the speculative execution attack identified by a security research team to ensure our users are protected.

To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time."

ARM Statement:

"I can confirm that ARM have been working together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors. This method requires malware running locally and could result in data being accessed from privileged memory. Please note our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted."

Relevant links:

Google Project Zero https://googleprojectzero.blogspot.com.au/2018/01/reading-privileged-memory-with-side.html

Microsoft https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180002

RedHat https://access.redhat.com/security/vulnerabilities/speculativeexecution

Google https://support.google.com/faqs/answer/7622138

Amazon https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

ARM https://developer.arm.com/support/security-update

US-CERT https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities

Vulnerability websites https://meltdownattack.com, https://spectreattack.com

Xen https://xenbits.xen.org/xsa/advisory-254.html

IBM https://securityintelligence.com/cpu-vulnerability-can-allow-attackers-to-read-privileged-kernel-memory-and-leak-data/

CVE sites http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715, http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753, http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754

In August 2018 ACSC launched a new website, cyber.gov.au, to reflect its new organisation.

Cyber security programs and advice are being migrated to cyber.gov.au. Information and advice on this site remains current.

Reports help the ACSC to develop a better understanding of the threat environment and will assist other organisations who are also at risk.

Cyber security incident reports are also used in aggregate for developing new defensive policies, procedures, techniques and training measures to help prevent future incidents.

Information for Australian businesses
Information for individual Australian citizens
Information for Federal, State and Local government agencies