Meltdown and Spectre Side-Channel Vulnerabilities
Date: 4 January 2018
The purpose of this alert is to bring attention to side-channel vulnerabilities, which affect many modern computer processors. There are three known variants of this issue. Variant 1: CVE-2017-5753, Variant 2: CVE-2017-5715, Variant 3: CVE-2017-5754. Variants 1 and 2 are referred to as Spectre. Variant 3 is referred to as Meltdown.
These hardware vulnerabilities work on personal computers, mobile devices, and in the cloud. Every Intel processor which implements out-of-order execution is potentially affected by Meltdown. Spectre affects Intel, AMD and ARM processors.
Both Meltdown and Spectre use side-channel to obtain the information from the accessed memory location, termed “Kernel-memory-leaking”. While Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory, Spectre tricks other applications into accessing arbitrary locations in their memory. Leaked information could include passwords stored in a password manager or browser, personal photos, emails, instant messages and documents.
The exploitation does not leave any traces and it is unlikely that the intrusion would be detected. However, the antivirus may detect malware used in the intrusion. There has not been a confirmation of any active exploitation at this time.
CCIRC recommends consulting the operating system vendor or system manufacturer for specific risk mitigation advice. It is recommended to apply software and firmware updates as soon as they are available. In case of unsuccessful mitigation organizations may consider a replacement of CPU hardware.
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note, CCIRC PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
- Date modified: