Spectre & Meltdown CPU Vulnerabilities

Name:

Name Spectre & Meltdown CPU Vulnerabilities

Tracking Number

2018-001

First Publish Date

5-Jan-2018

Date of Current Status

29-Mar-2018

Description

Vulnerabilities in select CPU vendors potentially could allow access to protected memory.

What You Need to Know?

Security researchers reported flaws in CPUs that may allow an attacker with local user access the ability to read areas of memory that would normally not be accessible, by using a method known as side-channel analysis. These vulnerabilities, CVE-2017-5753 and CVE-2017-5715 (aka Spectre) and CVE-2017-5754 (aka Meltdown). Medium rated and local attack vector required. The exploitability score is very low (1.1 out of 10) due to constrained attack vectors. Spectre and Meltdown have limited capabilities and cannot be used by themselves to compromise a computer system. Side-channel analysis is a passive means of collecting data but cannot alter memory, execute arbitrary code, or otherwise affect the target. Local system access is required to exploit both Spectre and Meltdown. An attacker would need to gain access to the operating system either directly or by convincing an unsuspecting user to execute malicious code that is capable of evading security controls. Security experts including SANS have concluded the systems at highest risk are multi-user multi-tenant operating systems such as hypervisor and cloud infrastructures.

What Is Xerox Doing About This?

Xerox devices are closed systems based on embedded platforms. Several layers of security controls prevent installation of unauthorized software on Xerox devices:

Digitally signed software
McAfee whitelisting protection embedded into office devices
Onboard software verification

Office devices:

Xerox AltaLink devices support JIT (Just in Time compilation).No known exploit exists. To further harden the devices, JIT can be disabled by applying the SW patch listed below.
Other devices do not implement JIT- no patches required

Production devices:

The Digital Front Ends that are hosted on a PC- please see below for patch information

We will continue to monitor the situation and act accordingly to protect our provisions of products to you both now and in the future.

Impact

The risk to Xerox devices is very low for reasons outlined above. Xerox devices are not vulnerable to this type of attack vector (inclusive of Spectre, Meltdown, or any similar exploit).
Xerox Software Applications are not impacted. However, those that run on a PC with Windows, Linux, or Solaris operating systems, should have their PC updated, as appropriate.

What Should You Do?

Xerox devices: We recommend ensuring appropriate security practices and controls are applied to devices and environment.
Xerox AltaLink devices: We recommend applying software patch: SPAR release 100.00X.0180.01610 found at Xerox.com/security/Security Bulletin
EFI Digital Front End : Please consult the following link: http://www.efi.com/support-and-downloads/kbarticle/article-details/?knowledgeArticleID=kA339000000HCDaCAO
FreeFlow Print Server: Status of patches will be posted at Xerox.com/security/security bulletins
Other Xerox Software: For Xerox Solutions that run on Windows and Linux platforms, please refer to the Operating System Vendor website to review and determine if appropriate patches are necessary.

Always consult with your IT department as appropriate.

This notice will be updated if further information becomes available. Please visit https://www.xerox.com/Security for additional updates.

Spectre & Meltdown CPU Vulnerabilities

Office devices:

Production devices:

Xerox Security

Security Resources

Contact us

About Xerox: Corporate Information

Ways to Buy

Support and Drivers