Spectre & Meltdown CPU Vulnerabilities

Name:
Spectre & Meltdown CPU Vulnerabilities
Tracking Number
2018-001
First Publish Date
5-Jan-2018
Date of Current Status
26-Jan-2018
Next Planned Update
Description
Vulnerabilities in CPUs from select vendors could potentially allow access to protected memory.
What You Need to Know?
Security researchers reported flaws in CPUs that may allow an attacker with local user access to read areas of memory that would normally not be accessible, using a method known as side-channel analysis. These vulnerabilities are CVE-2017-5753 and CVE-2017-5715 (aka Spectre) and CVE-2017-5754 (aka Meltdown). They are rated Medium and require a local attack vector. The exploitability score is very low (1.1 out of 10) because the attack vectors are constrained.

Spectre and Meltdown have limited capabilities and cannot be used by themselves to compromise a computer system. Side-channel analysis is a passive means of collecting data but cannot alter memory, execute arbitrary code, or otherwise affect the target.

Local system access is required to exploit both Spectre and Meltdown. An attacker would need to gain access to the operating system either directly or by convincing an unsuspecting user to execute malicious code that is capable of evading security controls.

Security experts, including SANS, have concluded that the systems at highest risk are multi-user, multi-tenant systems such as hypervisors and cloud infrastructure.

What Is Xerox Doing About This?
Xerox devices are closed systems based on embedded platforms. Several layers of security controls prevent installation of unauthorized software on Xerox devices:
  • Digitally signed software
  • McAfee whitelisting protection embedded into office devices
  • Onboard software verification

Office devices:

  • Xerox AltaLink devices support JIT (Just-in-Time compilation). No known exploit exists. To further harden the devices, JIT can be disabled by applying the software patch listed below.

  • Other devices do not implement JIT; no patches are required.

Production devices:

  • Digital Front Ends hosted on a PC: please see below for patch information.

We will continue to monitor the situation and act accordingly to protect the products we provide to you, both now and in the future.

Impact
The risk to Xerox devices is very low for the reasons outlined above. Xerox devices are not vulnerable to this type of attack vector (inclusive of Spectre, Meltdown, or any similar exploit).

Xerox Software Applications are not impacted. However, for those that run on a PC with a Windows, Linux, or Solaris operating system, the PC should be updated as appropriate.

What Should You Do?
  • Xerox devices: We recommend ensuring that appropriate security practices and controls are applied to the devices and their environment.
  • Xerox AltaLink devices: We recommend applying the software patch SPAR release 100.00X.0180.01610, available at Xerox.com/security/Security Bulletin.
  • EFI Digital Front End: Please consult the following link: http://www.efi.com/support-and-downloads/kbarticle/article-details/?knowledgeArticleID=kA339000000HCDaCAO
  • FreeFlow Print Server: Xerox is currently awaiting patches from our OS vendors. Once received, the patches will be tested and a security bulletin will be posted at Xerox.com/security/security bulletins.
  • Other Xerox Software: For Xerox solutions that run on Windows and Linux platforms, please refer to the operating system vendor's website to review and determine whether patches are necessary.

Always consult with your IT department as appropriate.

This notice will be updated if further information becomes available. Please visit https://www.xerox.com/Security for additional updates.