Security Vulnerability Notice
SYSGO has been made aware by various chip vendors about latest vulnerability possibilities on hardware from Intel, AMD, ARM, and PowerPC, called "Spectre" and "Meltdown". While Spectre affects hardware from all vendors, Meltdown mainly affects Intel x86 architectures. These vulnerabilities can be used to allow programs access to data in the memory of other running programs or operating systems, e.g. passwords, messages or other personal data, or to read arbitrary locations from protected memory regions. Currently no publically known security attacks had been recorded.
There are three main variants of the exploits, as detailed by Google in their blogpost, that explain in detail the mechanisms:
- Variant 1, Spectre: bounds check bypass (CVE-2017-5753)
- Variant 2, Spectre: branch target injection (CVE-2017-5715)
- Variant 3, Meltdown: rogue data cache load (CVE-2017-5754)
Details of affected ARM processors can be found here:
Intel’s statement can be found here:
Since getting informed about these issues end of December 2017 SYSGO with its ELinOS Linux distribution is working on a technical analysis checking the situation and preparing software patches where needed. A Linux community patch called KPTI (formerly called Kaiser) needs to be integrated or backported for older kernel versions.
The SYSGO ELinOS team is actively working on integrating all available kernel-, tool- and user space patches. We expect to have further details and instructions for ELinOS customers under support available in the coming weeks.