Meltdown and Spectre: Are Encryption Products Affected?

Article ID: 170766

Products

Encryption Management Server, Endpoint Encryption

Issue/Introduction

Meltdown and Spectre are a class of information disclosure vulnerabilities that exploit well-known microprocessor design choices made for performance (out-of-order execution, branch prediction and speculative execution) to leak data via side-channel attacks. They affect all modern Intel processors and, in the case of Spectre, many AMD and some ARM cores. Because the vulnerabilities are in the hardware (the microprocessor), all software, including the operating system, is equally affected. Variants of the Meltdown and Spectre exploits have been assigned CVE-2017-5753 (bounds check bypass), CVE-2017-5715 (branch target injection) and CVE-2017-5754 (rogue data cache load); see also CERT Vulnerability Note VU#584653.

Meltdown can be mitigated by applying software patches for the kernel available from operating system vendors. Spectre can be mitigated by applying software patches for operating systems as well as popular browsers available from respective vendors.

Further details on Meltdown and Spectre are available here.

Resolution

Meltdown, Spectre and Symantec Encryption products

Operating system patches are available from vendors to mitigate these hardware issues. Since exploitation requires access to the hosts, and in some cases physical access, the overall risk to Encryption products is low. The security of Symantec Encryption products depends on the platform on which they are installed. As long as the environment is secure, Symantec Encryption products are not affected.

Symantec has performed extensive testing of Encryption server and endpoint systems with the most current system updates from Microsoft, Apple, and Red Hat. In all cases, no issues were uncovered. Customers should therefore apply the operating system patches to mitigate any adverse impact of these vulnerabilities (see NOTE below). If immediate patching is not possible, customers must restrict access to these systems to authorized personnel only. Additionally, customers should refrain from installing software of unknown origin on these systems.
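The article's mitigation advice is to apply the operating system patches. On Linux hosts (the Encryption Management Server appliance and Linux endpoints) the kernel reports whether those patches are actually in effect through one file per issue under /sys/devices/system/cpu/vulnerabilities/, each containing "Not affected", "Mitigation: <name>" or "Vulnerable[: detail]". The script below is an added example, not part of the Symantec article or its products; it reads the three files that correspond to the CVEs named above and returns a non-zero status if any of them is not mitigated, so it can be dropped into a post-patch verification step. Where sysfs is unavailable it runs against a constructed sample directory representing a partially patched host.

```shell
#!/bin/sh
# Added example (not from the Symantec article): summarise the Linux kernel's
# own report of Meltdown/Spectre mitigation status on a host.
# Kernels since 4.15 expose /sys/devices/system/cpu/vulnerabilities/<issue>.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STRING: prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_mitigations DIR: one line per issue (meltdown = CVE-2017-5754,
# spectre_v1 = CVE-2017-5753, spectre_v2 = CVE-2017-5715).
# Returns 0 only when all three report a mitigation or "Not affected".
check_mitigations() {
    dir=$1
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        f="$dir/$issue"
        if [ -r "$f" ]; then
            status=$(cat "$f")
        else
            status="unknown (file missing)"   # pre-4.15 kernel or no sysfs
        fi
        verdict=$(classify_status "$status")
        printf '%-10s %-10s %s\n' "$issue" "$verdict" "$status"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

# build_sample_dir DIR: constructed sample (not captured from a real host)
# modelling a machine with PTI applied but no usable Spectre v2 mitigation.
build_sample_dir() {
    mkdir -p "$1"
    printf 'Mitigation: PTI\n' > "$1/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$1/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$1/spectre_v2"
}

if [ -d "$VULN_DIR_DEFAULT" ]; then
    check_mitigations "$VULN_DIR_DEFAULT" || :
else
    tmp=$(mktemp -d)
    build_sample_dir "$tmp"
    check_mitigations "$tmp" || :
    rm -rf "$tmp"
fi
```

Run it after rebooting into the patched kernel; a "vulnerable" verdict after patching usually means the microcode or kernel build does not carry the mitigation the distribution expects, which is the case to raise with the OS vendor. On Windows endpoints the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings).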

Per operating system vendors, a primary side-effect of the vulnerability patches is an anticipated performance penalty, between 5 and 30%, for all software applications. Tests of the Encryption products, however, do not indicate a noticeable performance degradation between unpatched and patched systems. Customers experiencing an unacceptable performance degradation as a result of these patches are requested to contact Symantec Support via regular channels.

Symantec Information Centric Encryption Service (ICE) runs on Amazon Web Services (AWS), and Amazon has patched its cloud infrastructure to mitigate this risk. Details on the AWS response can be found here.