Article Type: Tech Note
Last Modified Date: 6/4/2018
Intel CPU Security Vulnerabilities: Spectre, Meltdown
https://meltdownattack.com/ has a good explanation of Meltdown and Spectre.
- Meltdown allows any application to access all system memory, including memory allocated for the kernel. Mitigation for this vulnerability will require operating system patches and potentially firmware updates. Patches for this vulnerability may have a performance impact on systems. So far, only Intel chips have been shown to be vulnerable.
- Spectre allows an application to force another application to access arbitrary portions of its memory, which can then be read through a side channel. This vulnerability may require changes to processor architecture in order to fully mitigate. According to Google Project Zero, this vulnerability impacts Intel, AMD, and ARM chips.
There are three CVEs associated with these issues:
- CVE-2017-5753: bounds check bypass (also called Spectre)
- CVE-2017-5715: branch target injection (also called Spectre)
- CVE-2017-5754: rogue data cache load (also called Meltdown)
Fiery Linux devices do not allow non-EFI-approved software to be installed or run on the device. Software updates are EFI-signed to prevent unauthorized modification, including the insertion of malware. EFI is not currently aware of any impact to Fiery Linux devices; however, as further information becomes available, it is being actively assessed.
Windows Fierys are affected. However, EFI has completed its evaluation of the Microsoft patches on the affected platforms and confirmed that there are no significant differences in Fiery functionality after patch installation.
Below you will find the Microsoft-published fixes. The customer should check the Windows Update history to make sure the KBs below are listed.
| Windows Version | Microsoft Fix |
| --- | --- |
*Important: regarding the installation of KB4056894. If your Fiery controller does not display KB4056894 in the Windows patch list, EFI recommends the following:
- Download KB4056894 from Microsoft's Update Catalog. (Link here)
- Refer to the Microsoft Knowledge Base article that explains why KB4056894 may not appear in the Windows Update patch list. (Link here)
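As an added example (not part of the EFI tech note), the following PowerShell check reports whether the KB named in this note is present on a Windows Fiery controller, consulting both Get-HotFix and the Windows Update Agent history, since a KB can be absent from one list but present in the other. The $RequiredKBs list, the Get-InstalledKBs function and the KB-number pattern are assumptions made for illustration.

```powershell
# Added example, not EFI's own tooling. Verifies that the KB(s) from this
# note are present, using two sources of installed-update information.
# Assumption: only the KB named in this note is listed; extend as needed.
$RequiredKBs = @('KB4056894')

function Get-InstalledKBs {
    # Source 1: Win32_QuickFixEngineering, which is what Get-HotFix reports.
    $hotfix = Get-HotFix | ForEach-Object { $_.HotFixID }

    # Source 2: Windows Update history via the Windows Update Agent COM API.
    # Cumulative updates can appear here but not in Get-HotFix, which is one
    # reason a KB may seem to be missing from the patch list.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    $history  = @()
    if ($count -gt 0) {
        $history = $searcher.QueryHistory(0, $count) |
            Where-Object { $_.ResultCode -eq 2 } |      # 2 = orcSucceeded
            ForEach-Object {
                # Pull the KB number out of the update title, e.g. "(KB4056894)"
                if ($_.Title -match 'KB\d{6,7}') { $Matches[0] }
            }
    }
    return ($hotfix + $history) | Sort-Object -Unique
}

$installed = Get-InstalledKBs
foreach ($kb in $RequiredKBs) {
    if ($installed -contains $kb) {
        Write-Output "$kb : installed"
    } else {
        Write-Output "$kb : NOT FOUND in Get-HotFix or Windows Update history"
    }
}
```

Run the script in an elevated PowerShell session on the controller; a KB reported as NOT FOUND should be obtained from the Microsoft Update Catalog as described above.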
A BIOS fix to address the scope of both Spectre vulnerabilities is still in progress. EFI is currently evaluating the solution from Intel and will communicate the BIOS fix release schedule for each HW platform when it is available.
EFI strongly recommends that customers stay current with all Microsoft Windows Updates and periodically check the status of these issues in this knowledge article.