Meltdown and Spectre

Over the last couple of weeks, the community has been made aware that processor families using speculative execution could be exploited by lower-privileged malicious applications in user space to gain access to privileged memory such as login information, kernel data, and other sensitive information. There are 3 variants of these vulnerabilities, identified in the following CVEs:

1) Variant 1, CVE-2017-5733, also referred to as Spectre.
2) Variant 2, CVE-2017-5715, also referred to as Spectre.
3) Variant 3, CVE-2017-5754, also referred to as Meltdown.

Meltdown and Spectre affect some of the x86, ARM, and PowerPC processor families. Cavium processors in volume production have been assessed and are not susceptible to any of these variants. MontaVista advises checking with your SoC vendor to determine if a processor is affected.

MontaVista is engaged with the community to mitigate these vulnerabilities and will be updating the following MontaVista products:

1) CGX 2.0 & 2.2.
2) CGE6 & CGE7.

We are actively working to provide patches for the Meltdown CVE in the above products. In addition, the community is creating fixes for Spectre variants 1 and 2 that are just now hitting the mainline branch. MontaVista is monitoring the progress of these patches and will look to incorporate them when we feel they are stable.

Keep in mind also that the vulnerabilities are not remotely exploitable, meaning one has to execute application code on the target system to make the attack work. This is important to note when assessing the priority of Meltdown and Spectre, as some of MontaVista’s embedded customers do not allow untrusted code to execute on their platform.

To get an up-to-date status of Meltdown and Spectre progress on MontaVista’s products, please contact your local MontaVista account manager.

References:

Google Project Zero blog: https://googleprojectzero.blogspot.com/

Cavium Response: http://phx.corporate-ir.net/frame.zhtml?c=209126&p=cavium_response

AMD: https://www.amd.com/en/corporate/speculative-execution

ARM Processor Security Update: https://developer.arm.com/support/security-update

Intel Security Update: https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

