News from 2018-01-16


Meinberg Security Advisory [MBGSA-1801]: Spectre and Meltdown


A team of cybersecurity researchers found critical vulnerabilities in modern processors that allow programs to access the data of other processes and therefore potentially retrieve private information such as access credentials, emails, instant messages or business data. According to processor manufacturers, most of the CPUs used in computers, mobile devices and embedded systems are affected.

CVE-IDs:
CVE-2017-5753
CVE-2017-5715
CVE-2017-5754

[1] Description of the problem:
The three listed CVEs refer to three vulnerabilities:
Spectre Variant 1: Bounds Check Bypass
Spectre Variant 2: Branch Target Injection
Meltdown Variant 1: Rogue Data Cache Load

By running malicious code on an affected system, an attacker can read the memory contents of other processes running on the same system, e.g. cached passwords or other private data. Abusing the vulnerabilities therefore requires that the attacker is able to run custom code, either by executing a custom binary or by abusing another vulnerability that allows code execution.

The attack scenario called "Meltdown" exploits side effects of a technology called out-of-order execution, while "Spectre" targets the branch prediction/speculative execution features of modern processors.

[2] Affected Systems:
Many Meinberg products use one or more CPUs. In particular, the LANTIME and SyncFire product families have at least one management CPU, and there are additional CPUs on NTP/PTP/SyncE cards such as the Meinberg TSU, TSU-GBit and HPS-100. The following Meinberg products contain a potentially affected CPU:

(a) LANTIME M-Series (M100, M200, M300, M400, M600, M900)
The management CPU of these products is an AMD Geode LX embedded microprocessor. AMD, the manufacturer of the CPU, unfortunately did not release a detailed list of all AMD CPU models and their status with regard to Spectre/Meltdown. Instead, AMD chose to announce that all AMD CPUs are affected by the Bounds Check Bypass vulnerability. However, Meinberg's supplier has conducted a technical analysis of the AMD Geode LX processor, which is based on the Cyrix MediaGX processor designed in the mid-1990s, and we have been told that the engineers came to the conclusion that, with 99.9% certainty, the AMD Geode LX is not affected. The CPU does not support speculative execution, and out-of-order execution is only mentioned with regard to the FPU of the processor.

(b) LANTIME IMS Series (M500, M1000, M3000, M4000)
The management CPU in these LANTIME models is the same AMD Geode LX processor used in the M-Series product line. As outlined above, the datasheet/data book for this processor indicates that the CPU lacks the technical features required for the vulnerabilities described.

(c) NTP/PTP/SyncE modules TSU, TSU-GBit and HPS-100
These Meinberg network synchronization modules are based on ARM CPUs. The TSU (100Mbit RJ45 PTP capable network interface) uses an ARM CPU model that is not affected. Both TSU-GBit and HPS-100 (Combo RJ45/SFP Gigabit interface) use Cortex A9 ARM cores that have been confirmed to be affected by Spectre / Meltdown.

(d) SyncFire SF1xxxx High Performance NTP server appliances
All SyncFire models use one or more Intel Xeon CPUs, all of which have been confirmed to be affected by the vulnerability.

The practical impact of a Meinberg CPU being affected by Meltdown/Spectre is very low: there is considerable doubt that the AMD Geode LX CPU is really vulnerable, and for users without superuser access rights there is no supported way of installing and running binaries that are not part of the firmware image. A superuser would be able to install and run their own binaries, but this user already has full access to the whole system.

[3] Possible Defense Strategies:
Meinberg is working on fixes/firmware updates that will address the vulnerabilities and reduce or mitigate the potential threats. As of the day this MBG-SA is released, the Linux kernel developer team is still working to create, test and release patches for the kernel. For Meinberg's SyncFire devices, Intel has released a microcode update that addresses the Spectre attack scenario. That microcode update will be included in the upcoming firmware releases together with all available Linux kernel patches that address Meltdown and Spectre. According to Intel, the microcode update as well as some of the kernel patches can reduce the performance of the CPU. There are ongoing tests to find out if this is true for Meinberg's SyncFire products.

We will issue an update to this security advisory as soon as we receive new information and/or have new firmware releases with fixes available for download.
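One way to check, on a Linux system where a shell is available, whether the kernel patches and microcode described above are in effect for the three CVEs in this advisory (an added example, not Meinberg's code or tooling). It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and later, plus stable backports); the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: map each CVE from this advisory to the kernel's own
# mitigation report in sysfs and flag anything unmitigated or unreported.

# classify TEXT -> not-affected | mitigated | vulnerable | unknown
classify() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cve DIR NAME -> status of one sysfs entry
check_cve() {
    f="$1/$2"
    if [ -r "$f" ]; then
        classify "$(cat "$f")"
    else
        echo unknown    # kernel predates the reporting interface
    fi
}

# report [DIR] -> one line per CVE; returns 1 if any is vulnerable/unknown
report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for pair in CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 \
                CVE-2017-5754:meltdown; do
        cve=${pair%%:*}; name=${pair#*:}
        st=$(check_cve "$dir" "$name")
        echo "$cve $name $st"
        case "$st" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample directory so the example runs offline.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    echo "$d"
}

sample=$(make_sample)
report "$sample" || echo "at least one CVE is unmitigated or unreported"
rm -r "$sample"
```

Calling `report` with no argument reads the live sysfs directory; a status of `unknown` means the running kernel does not report on that CVE at all and should be treated as unpatched.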

[4] Additional Information Sources:

