Yesterday, two critical vulnerabilities in almost all modern processors became public knowledge. What impact does this have on the CERT@VDE target group?
First of all, the good news: although the vulnerabilities have a critical impact on the security of multi-user systems and especially cloud applications, most ICS components cannot be compromised by these vulnerabilities alone.
Both vulnerabilities use a side-channel attack to bypass kernel data protection, allowing a process to obtain information to which it would not normally have access. However, for an attack to be successful, it is necessary to be able to execute arbitrary code on the respective processor. f a user cannot do this because he does not have shell access to the system, the attack cannot be carried out (see also the message at Heise ).
CERT@VDE therefore advises all users to keep their own clients (be it a laptop, tablet or smartphone) at the latest patch level and, above all, to update the browser used. System administrators should give high priority to patching servers on which users have shell access. If you use cloud services, find out from your provider what steps they are taking!
We are monitoring the situation closely. At the time of publication of this report, we had no information on ICS components that are directly vulnerable to attacks due to Meltdown or Spectre. Should this change, we will publish appropriate advisories in due course.