
[Vulnerability notice] Meltdown and Spectre flaws in Intel processors

Last Updated: May 07, 2018

On January 3, 2018, serious security vulnerabilities were disclosed in Intel processor chips. These vulnerabilities are caused by design bugs at the chip hardware layer. Successful exploitation can result in leakage of the operating system’s kernel information, elevated access to system kernel data by applications, and other serious issues. Alibaba Cloud synced key security information with Intel before the vulnerability disclosure, and continues to verify the remediation program.

See the following for more information about the vulnerability.


CVE identifier

  • CVE-2017-5753
  • CVE-2017-5715
  • CVE-2017-5754

Vulnerability name

Serious chip-level vulnerabilities in Intel processors

Vulnerability rating

High

Vulnerability description

Because of security bugs in the implementation of the processor chips, low-privilege accesses by applications cannot be correctly distinguished from high-privilege accesses to the kernel. Attackers may therefore bypass the security isolation boundary of memory access and read memory data that belongs to the operating system kernel and to other applications, which results in a greater risk of sensitive information leakage.

Based on the revealed attack details and the aggregate analysis by the Alibaba Cloud Technical team, these vulnerabilities can be exploited by two attack methods: Meltdown and Spectre. The CVE-2017-5754 vulnerability is exploited by Meltdown, and the CVE-2017-5753 and CVE-2017-5715 vulnerabilities are exploited by Spectre.

For more information about the attack methods, see the following articles:

Condition and method of exploitation

Based on the published PoC test results, attackers must first gain the permissions of a normal local account, and can then obtain local sensitive information that requires higher permissions through privilege escalation. The vulnerabilities can only be exploited under certain conditions.

Affected scope

Since the vulnerabilities exist in Intel x86-64 hardware, all Intel processor chips manufactured after 1995 may be affected. Meanwhile, processors of AMD, Qualcomm, and ARM are also affected.

How to fix or mitigate

  • Cloud platform

    Alibaba Cloud has rolled out updates to the underlying infrastructure of our cloud platform to fix the vulnerabilities. The updates are applied in batches, and are planned to be completed no later than 24:00:00 (UTC+08:00) on January 19, 2018. Because these updates are performed as hot upgrades, customers’ business on the cloud platform remains unaffected.

