Spectre & Meltdown CPU Vulnerabilities

Name
Spectre & Meltdown CPU Vulnerabilities
Tracking Number
2018-001
First Publish Date
5-Jan-2018
Date of Current Status
29-Mar-2018
Description
Vulnerabilities in CPUs from select vendors could potentially allow access to protected memory.
What You Need to Know?
Security researchers reported flaws in CPUs that may allow an attacker with local user access to read areas of memory that would normally not be accessible, by using a method known as side-channel analysis. These vulnerabilities are CVE-2017-5753 and CVE-2017-5715 (aka Spectre) and CVE-2017-5754 (aka Meltdown). They are rated Medium and require a local attack vector. The exploitability score is very low (1.1 out of 10) due to constrained attack vectors. Spectre and Meltdown have limited capabilities and cannot be used by themselves to compromise a computer system. Side-channel analysis is a passive means of collecting data but cannot alter memory, execute arbitrary code, or otherwise affect the target. Local system access is required to exploit both Spectre and Meltdown. An attacker would need to gain access to the operating system either directly or by convincing an unsuspecting user to execute malicious code that is capable of evading security controls. Security experts including SANS have concluded that the systems at highest risk are multi-user, multi-tenant operating systems such as hypervisor and cloud infrastructures.
What Is Xerox Doing About This?
Xerox devices are closed systems based on embedded platforms. Several layers of security controls prevent installation of unauthorized software on Xerox devices:
  • Digitally signed software
  • McAfee whitelisting protection embedded into office devices
  • Onboard software verification

Office devices:

  • Xerox AltaLink devices support JIT (Just-in-Time compilation). No known exploit exists. To further harden the devices, JIT can be disabled by applying the SW patch listed below.
  • Other devices do not implement JIT; no patches are required.

Production devices:

  • Digital Front Ends that are hosted on a PC: please see below for patch information.

We will continue to monitor the situation and act accordingly to protect the products we provide to you, both now and in the future.

Impact
The risk to Xerox devices is very low for reasons outlined above. Xerox devices are not vulnerable to this type of attack vector (inclusive of Spectre, Meltdown, or any similar exploit).
Xerox Software Applications are not impacted. However, PCs that run these applications on Windows, Linux, or Solaris operating systems should be updated, as appropriate.
What Should You Do?

Always consult with your IT department as appropriate.

This notice will be updated if further information becomes available. Please visit https://www.xerox.com/Security for additional updates.