Published on: 09 January 2018
Google Project Zero has recently disclosed two security issues, known as Meltdown and Spectre. The security issues affect most Linux/Unix operating systems. They exploit the speculative execution feature of modern CPUs, using side-channel analysis, to make data stored in the memory of one running process accessible to another unprivileged process (e.g. a malicious program). Exploiting the security issues requires an attacker to load and run malicious programs or specially crafted web pages on affected systems.
Users are advised to take immediate action to patch the affected Linux/Unix systems to address the well-known Meltdown and Spectre CPU issues, which carry elevated risk.
All Linux/Unix operating systems (both 32-bit and 64-bit) are affected.
A successful attack could lead to arbitrary code execution, elevation of privilege, or information disclosure.
Some product vendors have fixed or have planned to fix the vulnerabilities in their Linux/Unix systems as listed below. The list is not exhaustive and it is recommended to consult the product vendors to confirm the availability of patches. System administrators should apply the patches or follow the recommendations provided by the product vendors to mitigate the risk.
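After patching, administrators can confirm what the running kernel reports for each of the three CVEs referenced in this alert. The script below is an added example, not part of the original alert or any vendor's tooling; it assumes a Linux kernel that exposes the `/sys/devices/system/cpu/vulnerabilities` reporting interface, and the function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the kernel's self-reported mitigation status for
# the three CVEs in this alert. Linux only; other Unix systems need the
# vendor's own tooling.

# Each CVE from the alert mapped to its sysfs status file.
CVE_FILES="CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 CVE-2017-5754:meltdown"

# classify_status DIR FILE -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    path="$1/$2"
    if [ ! -r "$path" ]; then
        # No status file: the kernel predates the reporting interface,
        # so its patch state cannot be confirmed this way.
        echo UNKNOWN
        return
    fi
    IFS= read -r line < "$path" || true
    case "$line" in
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*) echo VULNERABLE ;;
        *) echo UNKNOWN ;;
    esac
}

# report [DIR] -> one line per CVE; return code = CVEs not confirmed OK
report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    bad=0
    for entry in $CVE_FILES; do
        cve="${entry%%:*}"
        file="${entry#*:}"
        status=$(classify_status "$dir" "$file")
        printf '%s (%s): %s\n' "$cve" "$file" "$status"
        [ "$status" = OK ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed sample directory standing in for the real sysfs path.
sample=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$sample/meltdown"
printf 'Vulnerable\n' > "$sample/spectre_v2"
# spectre_v1 is deliberately absent to show the UNKNOWN case.
report "$sample" || echo "$? issue(s) not confirmed mitigated"
rm -rf "$sample"
```

Calling `report` with no argument reads the live sysfs directory; a non-zero return code means at least one issue is not reported as mitigated and the vendor's patch status should be checked.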
https://googleprojectzero.blogspot.hk/2018/01/reading-privileged-memory-with-side.html
https://meltdownattack.com/
https://spectreattack.com/
https://www.hkcert.org/my_url/en/alert/18010401
https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities
http://www.kb.cert.org/vuls/id/584653
https://www.ncsc.gov.uk/guidance/meltdown-and-spectre-guidance
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754