February 22 2018

SECURITY UPDATE: Meltdown & Spectre – What you need to know…

What is “Meltdown”? What is “Spectre”? How does it affect my contact center? Is my Genesys platform protected?

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, you cannot work with sensitive information without the risk of leaking it. This applies both to personal computers and to cloud infrastructure. Luckily, there are software patches against Meltdown.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.

Which systems are affected by Meltdown?
Desktop, laptop, and cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013).

What is the difference between Meltdown and Spectre?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers (Meltdown and Spectre).

Why is it called Meltdown?
The vulnerability basically melts security boundaries which are normally enforced by the hardware.

Why is it called Spectre?
The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.

Is there more technical information about Meltdown and Spectre?
Yes, there is an academic paper and a blog post about Meltdown, and an academic paper about Spectre. Furthermore, there is a Google Project Zero blog entry about both attacks.

What are CVE-2017-5753 and CVE-2017-5715?
CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

What is CVE-2017-5754?
CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
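
To see what a Linux host's kernel reports for these three CVEs, the following added example (not part of the original notice and not Genesys tooling) reads the kernel's per-issue status files. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities` (4.15 or later, or a vendor backport); the function names are illustrative.

```python
"""Report the kernel's self-declared status for Meltdown and Spectre on Linux."""
from pathlib import Path

# Assumption: the kernel exposes one status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> (CVE, common name), matching the FAQ above.
CHECKS = {
    "meltdown": ("CVE-2017-5754", "Meltdown"),
    "spectre_v1": ("CVE-2017-5753", "Spectre"),
    "spectre_v2": ("CVE-2017-5715", "Spectre"),
}


def classify(status):
    """Map a raw sysfs status line to a coarse verdict."""
    if status is None:
        return "unknown"  # no file: kernel predates the reporting interface
    text = status.strip().lower()
    if text.startswith("not affected"):
        return "not_affected"
    if text.startswith("mitigation"):
        return "mitigated"
    if text.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(base=SYSFS_DIR):
    """Return {cve: (name, verdict, raw_status)} for the three CVEs."""
    report = {}
    for fname, (cve, name) in CHECKS.items():
        try:
            raw = (Path(base) / fname).read_text().strip()
        except OSError:
            raw = None
        report[cve] = (name, classify(raw), raw)
    return report


def needs_action(report):
    """CVEs whose verdict is neither mitigated nor not_affected."""
    return sorted(cve for cve, (_, verdict, _) in report.items()
                  if verdict not in ("mitigated", "not_affected"))


if __name__ == "__main__":
    rep = audit()
    for cve, (name, verdict, raw) in sorted(rep.items()):
        print(f"{cve} ({name}): {verdict} [{raw or 'no sysfs entry'}]")
    raise SystemExit(1 if needs_action(rep) else 0)
```

A missing status file is reported as `unknown` rather than safe, so hosts running kernels too old to report are flagged for follow-up along with those marked vulnerable.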

UPDATE as of Jan 23, 2018: Genesys continues to monitor the following security advisories: CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 (Meltdown and Spectre). Genesys is working with partners and suppliers to apply patches to OS kernels. Because of the quick response to these security advisories, some supplier patches have caused unpredictable system behavior. As new patches are released, Genesys will apply those as quickly as possible. Our goal is to balance system stability with prudent, risk-based vulnerability management. We still have no indication that Genesys systems have been targeted with this vulnerability.

[2018.01.05] Genesys has been made aware of new research concerning software analysis methods that could be used for malicious purposes to access data on a vulnerable machine (Meltdown and Spectre). This affects many modern processors across servers, desktops, and mobile devices. There is currently no evidence that this vulnerability can lead to data being modified or deleted.

This is a widespread vulnerability, and like most of the technology industry, Genesys is working quickly to patch the issue as updates are released. We are following the patch procedures recommended by our vendors and will continue to do so as more information becomes available. Please consult with your vendor for any third-party OS, software, or hardware for recommended updates. We will update this notice as we have new information and as we make progress patching this vulnerability.

If you are concerned about the vulnerability of your systems, please contact the experts at AVDS today. We can help.