記事番号: 000005558
記事の種類: Tech Note
最終変更日: 2018/06/04

Intel CPU Security Vulnerabilities: Spectre, Meltdown


Fiery Controllers, XF
See the Description and Details for affected products
A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to address the chip-level security bug.

    https://meltdownattack.com/ has a good explanation of Meltdown and Spectre.

    1. Meltdown allows any application to access all system memory, including memory allocated for the kernel. Mitigation for this vulnerability will require operating system patches and potentially firmware updates. Patches for this vulnerability may have a performance impact on systems. So far, only Intel chips have been shown to be vulnerable.
    2. Spectre allows an application to force another application to access arbitrary portions of its memory, which can then be read through a side channel. This vulnerability may require changes to processor architecture in order to fully mitigate. According to Google Project Zero, this vulnerability impacts Intel, AMD, and ARM chips.

    There are 3 CVEs associated with the issues:

    1. CVE-2017-5753: bounds check bypass (Also called Spectre)
    2. CVE-2017-5715: branch target injection (Also called Spectre)
    3. CVE-2017-5754: rogue data cache load (also called Meltdown)
    Microsoft released on January 9th 2018 a Windows Update to address Intel CPU vulnerabilities named Spectre and Meltdown. CVE-2017-5715 also requires a BIOS update.
     
    Fiery Linux devices do not allow non-EFI approved software to be installed or to run on a device. Software updates are EFI-signed to prevent unauthorized modification, including insertion of malware. EFI is not currently aware of any impact to Fiery Linux devices. However as further information becomes available it is being actively assessed.

    Windows Fierys are affected. However, EFI has completed our evaluation of the MS patches on the affected platforms and confirmed that there are no significant differences in Fiery functionality after patch installation. 


    Below you will find the Microsoft published fixes. The customer should check the Windows update history to make sure the below KBs are listed.
    Windows VersionMicrosoft Fix
    Win7 SP1KB4056894*
    Win8.1KB4056895
    Win10 KB4056890

    *Important: Regarding the installation of KB4056894. If your Fiery controller does not display KB4056894 in the Windows patch list, EFI recommends the following:

    • Download KB4056894 from Microsoft's Update Catalog. (Link here). 
    • Refer to Microsoft Knowledge article that explains why KB4056894 may not appear in the Windows Update patch list. (Link Here)

    A BIOS fix to address the scope of both Spectre vulnerabilities is still in progress. EFI is currently evaluating the solution from Intel and will communicate the BIOS fix release schedule for each HW platform when it is available.

    EFI strongly recommends customers stay current with all Microsoft Windows Updates and to periodically check the status of these issues in this knowledge article.