
Advisories
- CVE-2017-5715: “Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.” (Variant 1: bounds check bypass aka Spectre)
- CVE-2017-5753: “Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.” (Variant 2: branch target injection aka Spectre)
- CVE-2017-5754: “Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.” (Variant 3: rogue data cache load aka Meltdown)
Linux Kernel
- Addressing Meltdown and Spectre in the kernel – Jonathan Corbet
- Meltdown and Spectre Linux Kernel Status – Greg KH
- ARM – Compiler support for mitigations – arm.com
- First wave of KVM updates – Paolo Bonzini
- QEMU and the Spectre and Meltdown attack – Paolo Bonzini and Eduardo Habkost
- Project Zero announcement
- Vulnerabilities in modern computers leak passwords and sensitive data
Elsewhere than in the kernel
- Mitigations landing for new class of timing attack – Luke Wagner (Mozilla Blog)
- A benchmark about consequences of the patches – reddit
- Today’s CPU vulnerability: what you need to know – Chrome
- Speculative Execution Exploit Performance Impacts – Describing the performance impacts to security patches for CVE-2017-5754 CVE-2017-5753 and CVE-2017-5715 – Red Hat
Intel
- Intel Analysis of Speculative Execution Side Channels – Intel White Paper
Linux Distributions and vendors
Hosting companies
- Important note about the security flaw impacting ARM & Intel hardware – Online.net
- Spectre and Meltdown – Vulnerabilities Status Page – Scaleway
- Meltdown, Spectre bug impacting x86-64 CPU – OVH fully mobilised – OVH
How to check vulnerability
- Spectre and Meltdown Checker – “A simple shell script to tell if your Linux installation is vulnerable against the 3 ‘speculative execution’ CVEs”
French articles
- Alert: multiple vulnerabilities in processors – Understanding Meltdown and Spectre and their impact – ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information)
- Episode #161 devoted to Meltdown & Spectre – NoLimitSecu podcast
xkcd.com