Meltdown and Spectre: Are Encryption Products Affected?

Article ID: 170765

Products

Endpoint Encryption

Issue/Introduction

Meltdown and Spectre are a class of information disclosure vulnerabilities that exploit well-known, performance-driven microprocessor design choices (out-of-order execution, branch prediction and speculative execution) and leak data through cache side channels. Meltdown affects all modern Intel processors; Spectre additionally affects many AMD and some ARM cores. Because the flaws are in the hardware (the microprocessor itself), every piece of software running on it, including the operating system, is exposed regardless of how carefully that software was written. The variants have been assigned CVE-2017-5753 (Spectre variant 1, bounds check bypass), CVE-2017-5715 (Spectre variant 2, branch target injection), and CVE-2017-5754 (Meltdown, rogue data cache load). They are tracked collectively in CERT Vulnerability Note VU#584653.

Meltdown is mitigated by kernel patches available from operating system vendors, which isolate kernel memory from user-space page tables. Spectre is mitigated by a combination of operating system patches, CPU microcode or firmware updates from the hardware vendor (required for the branch target injection variant), and patches for popular browsers, each available from the respective vendor; because Spectre can be triggered by code a browser executes, the browser patches matter on any system where a browser runs.
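As an added example (not part of the Symantec article), the following POSIX shell check reads the mitigation status that a patched Linux kernel reports under /sys/devices/system/cpu/vulnerabilities, so an administrator can confirm that the vendor kernel patch is actually active rather than merely installed. The interface exists on mainline kernels from 4.15 and on vendor backports such as Red Hat's; the directory argument and the sample values used to exercise the functions are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the Symantec article: report the Meltdown/Spectre
# mitigation status that a patched Linux kernel exposes under
# /sys/devices/system/cpu/vulnerabilities (mainline 4.15+ and vendor
# backports such as Red Hat's). Each file reads "Not affected",
# "Vulnerable" or "Mitigation: <name>"; a kernel without the patches has
# no such directory at all.

# check_speculation_status [SYSFS_DIR]
#   Prints one line per variant. Returns 0 when every variant is mitigated
#   or not affected, 1 if any variant reads "Vulnerable", 2 if the files
#   are missing (kernel predates the mitigation patches).
check_speculation_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        f="$dir/$v"
        if [ ! -r "$f" ]; then
            printf '%-10s %s\n' "$v" "UNKNOWN (no $f: kernel lacks the mitigation patches)"
            if [ "$rc" -eq 0 ]; then rc=2; fi
            continue
        fi
        status=$(cat "$f")
        printf '%-10s %s\n' "$v" "$status"
        case "$status" in
            Vulnerable*) rc=1 ;;   # an explicit "Vulnerable" outranks a missing file
        esac
    done
    return "$rc"
}

# mitigation_summary [SYSFS_DIR]
#   One-word verdict for scripts: patched, vulnerable or unpatched-kernel.
mitigation_summary() {
    if check_speculation_status "$1" >/dev/null; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0) echo patched ;;
        1) echo vulnerable ;;
        *) echo unpatched-kernel ;;
    esac
}

# Invoked as "sh speccheck.sh --run": print the live host status and exit
# with the status code described above (hypothetical script name).
if [ "${1:-}" = "--run" ]; then
    check_speculation_status
fi
```

On Windows hosts the equivalent check is Get-SpeculationControlSettings from Microsoft's SpeculationControl PowerShell module, which reports whether both the OS patch and the CPU microcode support are present. A "Vulnerable" result on a host that has the patches installed usually means the microcode update or a reboot is still missing.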

Further details on Meltdown and Spectre are available here.

Resolution

Meltdown, Spectre and Symantec Encryption products

Operating system patches are available from vendors to mitigate these hardware issues. Because exploitation requires the ability to run attacker-controlled code on the host (locally, or for Spectre through content executed by a browser), the overall risk to the Encryption products is low. Symantec has performed extensive testing of Encryption server and endpoint systems with the most current system updates from Microsoft, Apple, and Red Hat; in all cases, no issues were uncovered. Customers should therefore apply the operating system patches to mitigate these vulnerabilities (see NOTE below). If immediate patching is not possible, customers must restrict access to these systems to authorized personnel only, and should refrain from installing software of unknown origin on them.

Per the operating system vendors, the primary side effect of the patches is an anticipated performance penalty of between 5 and 30% for all software, varying with workload. Symantec's tests of the Encryption products, however, did not show a noticeable performance difference between unpatched and patched systems. Customers who experience an unacceptable performance degradation as a result of these patches should contact Symantec Support via the regular channels.

Symantec Information Centric Encryption Service (ICE) runs on Amazon Web Services (AWS), and Amazon has patched its cloud infrastructure to mitigate this risk. Details on the AWS response can be found here.

NOTE: Symantec Encryption Management Server is not impacted by these vulnerabilities: by design, the Server does not allow local system access, and the ability to run local code is necessary to exploit them. However, customers who have deployed Symantec Encryption Management Server in a virtual environment should refrain from applying the VMware hypervisor patch until Symantec completes its verification of that patch, which is currently in progress.
In addition, customers deploying Symantec Encryption Desktop for Linux should refrain from applying the operating system patches until Symantec confirms them; this verification is also currently in progress.