Cyber Security Engineering Products Security Bulletin 2018 JAN 12.1
Publication Date 2018-01-11
Last Update 2018-01-11
Version 1.0
Summary
Security researchers have published information on the vulnerabilities known as Meltdown and Spectre. These vulnerabilities affect many modern processors from different vendors to varying degrees.
Vendors of affected processors, operating systems and other software, e.g. Internet browsers, are assessing the vulnerabilities and are releasing updates which help to mitigate the Meltdown and Spectre vulnerabilities.
Smiths Medical has analyzed the impact of these vulnerabilities and of the mitigations released on its own network-connected products. To our knowledge, no Smiths Medical product has been affected by the vulnerabilities known as Meltdown and Spectre. If, in the future, Smiths Medical products are found to be affected, product-specific updates and information will be distributed directly to customers and posted on Smiths Medical’s website.
Vulnerability details
Meltdown and Spectre belong to a class of vulnerabilities referred to as "speculative execution side-channel attacks". Their impact is that an attacker could read the contents of memory regions that should not be accessible to the attacker's code. To exploit these vulnerabilities, an attacker must already be able to execute code on a system with an affected processor on which the mitigations have not been applied.
Meltdown (Variant 3, rogue data cache load) was assigned CVE-2017-5754 and is known to affect processors from Intel and ARM.
Spectre was assigned CVE-2017-5753 (Variant 1, bounds check bypass) and CVE-2017-5715 (Variant 2, branch target injection), and is reported to affect processors from most vendors.
Detailed information on these vulnerabilities has been published by the researchers [1, 2], as well as by vendors of operating systems and processors, such as Microsoft [3] or Intel [4].
Recommendations
Vendors of processors, operating systems, and other applications are releasing updates that help to mitigate these vulnerabilities. Smiths Medical has analyzed the impact of these vulnerabilities on its network-connected products.
Updates for operating systems, processor firmware (microcode) and other software can help to mitigate these vulnerabilities. As such updates become available, Smiths Medical will, where applicable and necessary, test their compatibility with its products that run supported operating systems.
Smiths Medical is aware that some updates can cause compatibility, performance or stability issues on certain products and operating systems. Operating system vendors, such as Microsoft, are still working to address these issues in their updates. Smiths Medical will therefore continue to evaluate the applicability of those updates.
Smiths Medical recommends consulting the product support documentation via the usual information channels, or contacting Smiths Medical customer service, for information on compatibility before applying the updates.
As a general guidance, Smiths Medical recommends that customers evaluate the following:
· Determine whether the vendors of the processors, operating systems and other software used on the computer systems have released mitigations for these vulnerabilities, and whether those mitigations are actually in effect (an operating-system patch for Spectre Variant 2 may depend on a processor microcode update as well).
· As a pre-requisite for an attack, an attacker must be able to run untrusted code on the affected system. Smiths Medical therefore recommends determining whether untrusted code can be run on these systems, and whether measures already implemented by the operator reduce the likelihood of untrusted code being run.
· Applying a Defense-in-Depth concept can reduce the probability that untrusted code is run on the system. Smiths Medical recommends applying the Defense-in-Depth concept.
· Consult Smiths Medical product support documentation, or contact Smiths Medical customer service, to determine whether information on the compatibility of the vendor updates is available before applying them.
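The first recommendation above asks operators to establish whether mitigations are in effect on a given host. The script below is an added example, not Smiths Medical's code and not specific to any Smiths Medical product; it assumes a Linux host whose kernel (4.15 or later) exposes its own mitigation status under /sys/devices/system/cpu/vulnerabilities/, and reads the microcode revision from /proc/cpuinfo so that the kernel-side and firmware-side halves of the Variant 2 mitigation can be checked together. The function names and the sample sysfs tree are constructed for illustration. On Windows hosts the equivalent check is the SpeculationControl PowerShell module that Microsoft's ADV180002 [3] points to.

```shell
#!/bin/sh
# Added example (not Smiths Medical's code): report the kernel's own view of
# Meltdown/Spectre mitigation status. Assumes Linux 4.15+ sysfs files under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2).
# The directory is a parameter so the check can run against a constructed
# copy of the tree; on a live system call it with no argument.

# Prints "<name>: <status>" for each file. Returns 0 only when all three
# files exist and none reports "Vulnerable"; anything missing or unknown
# counts as not mitigated, which is the safe default for an operator.
check_spec_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        f="$dir/$v"
        if [ ! -r "$f" ]; then
            # No file: kernel predates the interface or is unpatched.
            echo "$v: UNKNOWN (no $f; kernel too old or not patched)"
            rc=1
            continue
        fi
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)     echo "$v: VULNERABLE ($status)"; rc=1 ;;
            "Not affected"*) echo "$v: not affected" ;;
            Mitigation*)     echo "$v: mitigated ($status)" ;;
            *)               echo "$v: UNKNOWN ($status)"; rc=1 ;;
        esac
    done
    return $rc
}

# Spectre Variant 2 mitigations such as IBRS/IBPB need processor microcode;
# a patched kernel still reports "Vulnerable" if the firmware is old, so
# print the microcode revision alongside the sysfs status. Reads the
# "microcode : 0x..." line that x86 kernels put in /proc/cpuinfo.
microcode_revision() {
    awk -F: '/^microcode/ { gsub(/[ \t]/, "", $2); print $2; exit }' \
        "${1:-/proc/cpuinfo}" 2>/dev/null
}

# Constructed sysfs tree (not real data) for a stand-alone demo run: kernel
# page-table isolation is on, but both Spectre variants are unmitigated.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    check_spec_mitigations "$sample" || echo "=> at least one issue unmitigated or unknown"
    rm -rf "$sample"
else
    echo "microcode revision: $(microcode_revision)"
    check_spec_mitigations || echo "=> at least one issue unmitigated or unknown"
fi
```

Run it with `--demo` to see the constructed case, or with no arguments on a live host. A non-zero return from `check_spec_mitigations` is the signal to feed into the second and third recommendations: if the host is not fully mitigated, the question becomes whether untrusted code can reach it at all.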
Additional resources
[1] Information from Google Project Zero: https://googleprojectzero.blogspot.de/2018/01/reading-privileged-memory-with-side.html
[2] Information from researchers at TU Graz: https://spectreattack.com/
[3] Information from Microsoft: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002
[4] Intel Security Advisory INTEL-SA-00088: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr