Over the last couple of weeks, the community has been made aware that processor families using speculative execution could be exploited by lower-privileged malicious applications in user space to gain access to privileged memory such as login information, kernel data, and other sensitive information. There are 3 variants of these vulnerabilities, identified in the following CVEs:
1) Variant 1, CVE-2017-5733, also referred to as Spectre.
2) Variant 2, CVE-2017-5715, also referred to as Spectre.
3) Variant 3, CVE-2017-5754, also referred to as Meltdown.
Meltdown and Spectre affect some of the x86, ARM, and PowerPC processor families. Cavium processors in volume production have been assessed and are not susceptible to any of these variants. MontaVista advises checking with your SoC vendor to determine if a processor is affected.
MontaVista is engaged with the community to mitigate these vulnerabilities and will be updating the following MontaVista products:
1) CGX 2.0 & 2.2.
2) CGE6 & CGE7.
We are actively working to provide patches for the Meltdown CVE in the above products. In addition, the community is creating fixes for Spectre variants 1 and 2 that are just now reaching the mainline branch. MontaVista is monitoring the progress of these patches and will look to incorporate them when we feel they are stable.
Keep in mind also that the vulnerabilities are not remotely exploitable, meaning one has to execute application code on the target system to make the attack work. This is important to note when assessing the priority of Meltdown and Spectre, as some of MontaVista’s embedded customers do not allow untrusted code to execute on their platform.
To get an up-to-date status of Meltdown and Spectre progress on MontaVista’s products, please contact your local MontaVista account manager.