Security researchers have identified a flaw, present in most computer processors, that allows unauthorized disclosure of information. The flaw, which affects most major processor manufacturers, is the first known instance of a security vulnerability at the processor level, and could be exploited in servers, workstations (including laptops), network infrastructure, mobile devices, IoT devices and consumer electronics – essentially any system utilizing an impacted processor.
The vulnerabilities allow an authenticated attacker with access to a company’s system to execute code that may compromise data currently being processed on the system within other processes. The attacker must have physical or logical access to the system to exploit, or has exploited a separate vulnerability to be able to take advantage of these processor-level vulnerabilities remotely. Memory controlled by one process is not typically able to be accessed by another process. These vulnerabilities circumvent current protections and currently have publicly available exploit code.
The exposure means that passwords, documents, emails and other data residing on affected systems may be at risk. In a shared services environment, such as many cloud environments, there is a risk of one customer using the attack to access data of another customer sharing the same hardware.
Protiviti has published a Flash Report with important links and steps organizations should take now to evaluate impacted systems and address any issues.
The MITRE Corporation, which manages federally funded cybersecurity research and is responsible for providing identifiers, is calling the vulnerabilities Meltdown and Spectre, and has released three distinct Common Vulnerabilities and Exposures (CVE) numbers: CVE-2017-5754 (Meltdown), and CVE-2017-5753 and CVE 2017-5715 (Spectre).
Mitigations for the uncovered vulnerabilities are already available. Here’s a quick to-do list for companies:
- Each of the three major cloud-hosting providers (Amazon Web Services, Google Cloud and Microsoft Azure) have provided responses. Get familiar with the information relevant to you.
- Immediately evaluate your organization’s vulnerabilities and apply patches to in-house devices and systems – taking care to put the patches through standard patch testing to identify potential adverse system performance or issues.
- Reach out to partners that process sensitive data and solicit information on how they are responding to these vulnerabilities.
- Be aware of the wide variety of systems impacted. Patch management programs that focus on the end-user environment and specific server platforms, such as Windows or Linux, will not have sufficient coverage to manage this risk. Work to identify and address other impacted systems. Commonly overlooked systems include virtualized platforms, connected devices, and vendor systems that are sitting on the company network.
- Provide company leadership and the board of directors with regular, transparent updates that give an appropriate sense of the risk exposure, actions being taken to mitigate the risk and any potential impact on the business.
Protiviti will continue to monitor the situation and will provide updates as warranted. Download the Flash Report here.