Major vulnerabilities named Meltdown and Spectre have emerged, impacting almost all modern microprocessors. These vulnerabilities allow programs to read data through the memory of other programs processed by the microprocessor. Normally, programs are not authorized to perform this.
An attacker could exploit the Meltdown and Spectre vulnerabilities to steal secret data used in other running programs like passwords, emails, documents, etc...
All recent Intel x86 microprocessors and some ARM-based microprocessors are affected. AMD microprocessors are not affected by the Meltdown vulnerability but are impacted by the variant one of the Spectre vulnerabilities.
Today, almost every system are using these microprocessors. It means that most systems are affected, including servers, desktops, laptops and mobile devices.
Cloud providers and hypervisors are also greatly impacted, as a virtual machine can possibly access to the memory of another virtual machine running in the same host, meaning that a malicious customer could steal other customer informations.
Details of the vulnerability
Spectre - Variant 1: bounds check bypass (CVE-2017-5753)
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
Spectre - Variant 2: branch target injection (CVE-2017-5715)
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
Meltdown - Variant 3: Rogue data cache load (CVE-2017-5754)
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
The Google Project Zero team has developed proofs of concept for each vulnerability but attacks for now are quite slow, especially when exploiting the Spectre Variant 2 used to steal data from other virtual machines on a same hypervisor.
For more details, see https://googleprojectzero.blogspot.fr/2018/01/reading-privileged-memory-with-side.html
DenyAll products are not affected because they do not execute untrusted data, yet the operating systems will be updated as soon as fixes are released to keep them safe from Meltdown and Spectre vulnerabilities in any case.
However please note that, when running in a virtual machine, informations from DenyAll products (including secrets) may be leaked to other untrusted virtual machines running on a same vulnerable host. Thus we advise to update hypervisors, microcode for processors, and all guest systems running on the same host (guests' update may be less critical provided the host is up to date, though).
DenyAll WAF and rWeb
Kernel updates will be available for the following versions:
- i-Suite 5.5.4 to 5.5.13 (LTS)
- DenyAll WAF 6.4.1 (LVS)
- DAOS 10 for rWeb
For customers using Dell appliances, BIOS updates are available to enhance the processors microcode helping the mitigation of the Spectre Variant 2 vulnerability:
- Update for R230 models
- Update for R630 models
- Updates for previous models (R620, R610, R220, R210, ...) are still in development. For more details about status and release dates, see the Dell Support page.
BIOS updates were removed by Dell due to stabilities issues after deploying the first patch.
The cloud provider for Cloud Protector has already deployed an update on his platform. Virtual machines for Cloud Protector will be updated soon.
A kernel update for Ubuntu will be available soon. To perform the update, open the administration interface, go to Configuration and Check for updates.