Meltdown and Spectre - Modern CPU Vulnerabilities
Cumulus Networks released patches that fix these vulnerabilities. For information on how to apply the patches, read this article.
This issue was announced on the Cumulus Networks security announcement mailing list on January 4, 2018.
CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. The following organizations describe these attacks in detail:
- CERT/CC’s Vulnerability Note VU#584653.
- The United Kingdom National Cyber Security Centre’s guidance on Meltdown and Spectre.
- Google Project Zero (link is external).
- Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz). They refer to the Linux kernel mitigations for this vulnerability as KAISER, and subsequently KPTI, which aim to improve separation of kernel and user memory pages.
The Common Vulnerabilities and Exposures formally associated with Meltdown and Spectre are:
- CVE-2017-5753: Bounds check bypass (Spectre)
- CVE-2017-5715: Branch target injection (Spectre)
- CVE-2017-5754: Rogue data cache load (Meltdown)
To exploit these vulnerabilities in Cumulus Linux, an attacker needs to have local access to the system.
NVIDIA is evaluating, porting, and testing patches to Cumulus Linux. NVIDIA can release software updates as soon as they become available, and is going to announce any updates on the cumulus-security-announce mailing list. At this point, the performance impact of the fixes is unclear; the extent of the impact depends on the operating system, the nature of the fix and the workload of the system.