Support


Vulnerability Report

In case you want to inform SYSGO about security issues with one of our products, please contact security@sysgo.com. To protect sensitive information, we ask you to encrypt your message with the PGP key provided below.

Please include as much detail as possible in your report, including:

  • Product name and version where you found the issue.
  • If possible, steps to reproduce the situation where the vulnerability was discovered.
  • Information about known exploits.

The SYSGO security team will contact you as soon as the request has been processed.

Key information:
Activation Date: Aug 23, 2018
Expiration Date: Aug 23, 2028
Fingerprint: 9547 0823 A191 AD95 D0B7 6E19 B06C E47F B5D6 2CA3
Key type: RSA
Key size: 4096 bit

PGP Key

Security Vulnerability Notice

+++ UPDATE +++

SYSGO team members credited for discovery of Spectre variant

In a new Vulnerability Note (VU#180049) dated May 21, cert.org describes two new variants of the Spectre vulnerability. Variant 4, or Speculative Store Bypass (SSB), was discovered by Jann Horn of Google Project Zero (GPZ) and Ken Johnson of the Microsoft Security Response Center (MSRC) and is listed under CVE-2018-3639. Discovery of Variant 3a, Rogue System Register Read (RSRE) or CVE-2018-3640, is credited to Zdenek Sojka, Rudolf Marek and Alex Zuepke from SYSGO GmbH, who reported it to Intel. Intel rates this problem as medium. Rogue System Register Read allows a local attacker to read certain CPU registers or arbitrary privileged data via cache timing side-channel analysis.

The discovery of the new vulnerability by SYSGO developers once again emphasizes the deep expertise and the dedication of the entire staff while they strive to offer customers much more than just reliable code. The appreciation by Intel for this discovery shows that SYSGO engineers are at the forefront of technology itself as well as of security. We at SYSGO will continue to have a holistic view of our customers' needs and requirements, keeping our software platforms safe, secure and certifiable.

+++++++++++++

Security Vulnerability Notice

SYSGO has been made aware by various chip vendors of the latest potential vulnerabilities in hardware from Intel, AMD, ARM, and PowerPC, called "Spectre" and "Meltdown". While Spectre affects hardware from all vendors, Meltdown mainly affects Intel x86 architectures. These vulnerabilities can allow programs to access data in the memory of other running programs or operating systems, e.g. passwords, messages or other personal data, or to read arbitrary locations in protected memory regions. Currently, no publicly known attacks have been recorded.

There are three main variants of the exploits; Google's blog post explains the mechanisms in detail:

  • Variant 1, Spectre: bounds check bypass (CVE-2017-5753)
  • Variant 2, Spectre: branch target injection (CVE-2017-5715)
  • Variant 3, Meltdown: rogue data cache load (CVE-2017-5754)

Details of affected ARM processors can be found here:
https://developer.arm.com/support/security-update

Intel’s statement can be found here:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

Since being informed of these issues at the end of December 2017, SYSGO has been working on a technical analysis of the situation and preparing software patches where needed.

More details from our ELinOS team are available here.