Meltdown (security vulnerability)

See also: Transient execution CPU vulnerability

Meltdown
The logo used by the team that discovered the vulnerability
CVE identifier(s)CVE-2017-5754
Date discoveredJanuary 2018; 6 years ago (2018-01)
Affected hardwareIntel x86 microprocessors, IBM Power microprocessors, and some ARM-based microprocessors
Websitemeltdownattack.com

Meltdown is one of the two original transient execution CPU vulnerabilities (the other being Spectre). Meltdown affects Intel x86 microprocessors, IBM Power microprocessors,[1] and some ARM-based microprocessors.[2][3][4] It allows a rogue process to read all memory, even when it is not authorized to do so.

Meltdown affects a wide range of systems. At the time of disclosure (2018), this included all devices running any but the most recent and patched versions of iOS,[5] Linux,[6][7] macOS,[5] or Windows. Accordingly, many servers and cloud services were impacted,[8] as well as a potential majority of smart devices and embedded devices using ARM-based processors (mobile devices, smart TVs, printers and others), including a wide range of networking equipment. A purely software workaround to Meltdown has been assessed as slowing computers between 5 and 30 percent in certain specialized workloads,[9] although companies responsible for software correction of the exploit reported minimal impact from general benchmark testing.[10]

Meltdown was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754, also known as Rogue Data Cache Load (RDCL),[3] in January 2018. It was disclosed in conjunction with another exploit, Spectre, with which it shares some characteristics. The Meltdown and Spectre vulnerabilities are considered "catastrophic" by security analysts.[11][12][13] The vulnerabilities are so severe that security researchers initially believed the reports to be false.[14]

Several procedures to help protect home computers and related devices from the Meltdown and Spectre security vulnerabilities have been published.[15][16][17][18] Meltdown patches may produce performance loss.[19][20][21] Spectre patches have been reported to significantly reduce performance, especially on older computers; on the then-newest (2017) eighth-generation Core platforms, benchmark performance drops of 2–14 percent have been measured.[22] On 18 January 2018, unwanted reboots, even for newer Intel chips, due to Meltdown and Spectre patches, were reported.[23] Nonetheless, according to Dell, "No 'real-world' exploits of these vulnerabilities [i.e., Meltdown and Spectre] have been reported to date [26 January 2018], though researchers have produced proof-of-concepts."[24][25] Dell further recommended "promptly adopting software updates, avoiding unrecognized hyperlinks and websites, not downloading files or applications from unknown sources ... following secure password protocols ... [using] security software to help protect against malware (advanced threat prevention software or anti-virus)."[24][25]

On 15 March 2018, Intel reported that it would redesign its CPUs to help protect against the Meltdown and related Spectre vulnerabilities (especially, Meltdown and Spectre-V2, but not Spectre-V1), and expected to release the newly redesigned processors later in 2018.[26][27][28][29] On 8 October 2018, Intel is reported to have added hardware and firmware mitigations regarding Spectre and Meltdown vulnerabilities to its latest processors.[30]

  1. ^ "Potential Impact on Processors in the POWER Family – IBM PSIRT Blog". IBM.com. 2018-01-25. Archived from the original on 2018-04-03. Retrieved 2018-01-30.
  2. ^ "About speculative execution vulnerabilities in ARM-based and Intel CPUs". Apple Support. Archived from the original on 2021-03-27. Retrieved 2018-01-05.
  3. ^ a b Arm Ltd. "Arm Processor Security Update". ARM Developer. Archived from the original on 2018-04-04. Retrieved 2018-01-04.
  4. ^ Bright, Peter (2018-01-05). "Meltdown and Spectre: Here's what Intel, Apple, Microsoft, others are doing about it". Ars Technica. Archived from the original on 2018-05-27. Retrieved 2018-01-06.
  5. ^ a b "Apple Confirms 'Meltdown' and 'Spectre' Vulnerabilities Impact All Macs and iOS Devices, Some Fixes Already Released". 2018-01-04. Archived from the original on 2020-12-05. Retrieved 2018-01-05.
  6. ^ Vaughan-Nichols, Steven J. (2018-01-11). "Major Linux distros have Meltdown patches, but that's only part of the fix". ZDNet. Archived from the original on 2020-11-09. Retrieved 2018-01-16.
  7. ^ "CVE-2017-5754". Security-Tracker.Debian.org. Archived from the original on 2021-04-12. Retrieved 2018-01-16.
  8. ^ "CERT: "Meltdown and Spectre" CPU Security Flaw Can Only Be Fixed by Hardware Replacement – WinBuzzer". 2018-01-04. Archived from the original on 2021-05-08. Retrieved 2018-01-05.
  9. ^ Cite error: The named reference register was invoked but never defined (see the help page).
  10. ^ "Industry Testing Shows Recently Released Security Updates Not Impacting Performance in Real-World Deployments". Intel newsroom. 2018-01-04. Archived from the original on 2021-10-06. Retrieved 2018-01-05.
  11. ^ Schneier, Bruce. "Spectre and Meltdown Attacks Against Microprocessors – Schneier on Security". Schneier.com. Archived from the original on 2021-04-12. Retrieved 2018-01-09.
  12. ^ "This Week in Security: Internet Meltdown Over Spectre of CPU Bug". Cylance.com. 2018-01-05. Archived from the original on 2018-01-09. Retrieved 2018-01-30.
  13. ^ "Meltdown, Spectre: here's what you should know". Rudebaguette.com. 2018-01-08. Archived from the original on 2018-07-05. Retrieved 2018-01-30.
  14. ^ King, Ian; Kahn, Jeremy; Webb, Alex; Turner, Giles (2018-01-08). "'It Can't Be True.' Inside the Semiconductor Industry's Meltdown". Bloomberg Technology. Archived from the original on 2018-01-10. Retrieved 2018-01-10.
  15. ^ Cite error: The named reference NYT-20180104 was invoked but never defined (see the help page).
  16. ^ Cite error: The named reference FM-20180105 was invoked but never defined (see the help page).
  17. ^ Cite error: The named reference PCW-20180104 was invoked but never defined (see the help page).
  18. ^ Cite error: The named reference CNET-20180104 was invoked but never defined (see the help page).
  19. ^ Cite error: The named reference bbcflaw was invoked but never defined (see the help page).
  20. ^ Cite error: The named reference NYT-20180103 was invoked but never defined (see the help page).
  21. ^ Cite error: The named reference TV-20180104 was invoked but never defined (see the help page).
  22. ^ Hachman, Mark (2018-01-09). "Microsoft tests show Spectre patches drag down performance on older PCs". PC World. Archived from the original on 2018-02-09. Retrieved 2018-01-09.
  23. ^ Cite error: The named reference ZDN-20180118 was invoked but never defined (see the help page).
  24. ^ a b Staff (2018-01-26). "Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products". Dell. Archived from the original on 2018-01-27. Retrieved 2018-01-26.
  25. ^ a b Staff (2018-01-26). "Meltdown and Spectre Vulnerabilities". Dell. Archived from the original on 2018-03-05. Retrieved 2018-01-26.
  26. ^ Warren, Tom (2018-03-15). "Intel processors are being redesigned to protect against Spectre – New hardware coming later this year". The Verge. Archived from the original on 2018-04-21. Retrieved 2018-03-20.
  27. ^ Shankland, Stephen (2018-03-15). "Intel will block Spectre attacks with new chips this year – Cascade Lake processors for servers, coming this year, will fight back against a new class of vulnerabilities, says CEO Brian Krzanich". CNET. Archived from the original on 2018-04-23. Retrieved 2018-03-20.
  28. ^ Smith, Ryan (2018-03-15). "Intel Publishes Spectre & Meltdown Hardware Plans: Fixed Gear Later This Year". AnandTech. Archived from the original on 2018-05-04. Retrieved 2018-03-20.
  29. ^ Coldewey, Devin (2018-03-15). "Intel announces hardware fixes for Spectre and Meltdown on upcoming chips". TechCrunch. Archived from the original on 2018-04-12. Retrieved 2018-03-28.
  30. ^ Cite error: The named reference AT-20181008 was invoked but never defined (see the help page).