PHOENIX CONTACT: addressing Meltdown and Spectre vulnerabilities

Several CPUs manufactured by Intel, AMD or based on ARM technology may leak information due to their internal operation if attacked by specifically written software executed on the affected systems.

The information in this advisory is based on the statements of respective manufacturers.

Microprocessors from Intel and AMD using the x86 architecture and some microprocessors using the ARM, PowerPC, and MIPS architecture may be susceptible to a group of attacks named Meltdown and Spectre. These attacks may lead to a (complete) disclosure of information in the memory of systems. Integrity and availability are not affected, but information gained using these weaknesses may be used in further attacks.

Meltdown [CVE-2017-5754] allows reading the complete memory of the attacked system using a specifically crafted executable code.

Spectre [version 1: CVE-2017-5753, version 2: CVE-2017-5715] allows reading the memory of other processes using a specifically crafted executable code or dynamic code as used in web browsers.

Only those systems can be affected that allow the installation/execution of custom code or load dynamic contents from foreign/untrusted sources. If only the root/administrative user can install/execute custom code, no additional risk exists, as the root/administrative user can read the information without exploiting this vulnerability. If a web browser can be used to view foreign web pages, the Spectre attack must be considered.

Systems that do not allow installation/execution of custom code are not affected.

On Industrial PCs and HMIs that operate with user installable or upgradable operating systems (mainly Windows) the latest version or update may be installed if required in the use case. As the update may have a performance impact, the application should be tested accordingly.