Meltdown and Spectre

From SpinetiX Support Wiki

Jump to: navigation, search

This article is related to Security.

Meltdown and Spectre vulnerabilities: impact on SpinetiX products

Updated on 29/May/2018

Based on the recent discoveries about vulnerabilities in various computer processors, known as Meltdown and Spectre, SpinetiX is conducting an ongoing assessment of their applicability to its products. This article documents the current status.

The variants of processor vulnerabilities to cache timing side channel attacks that have been identified are the following:

  • Variant 1: bounds check bypass (CVE-2017-5753), also known as Spectre-V1.
  • Variant 2: branch target injection (CVE-2017-5715), also known as Spectre-V2.
  • Variant 3: rogue data cache load (CVE-2017-5754), also known as Meltdown.
  • Subvariant 3a: rogue system register read (CVE-2018-3640), also known as Spectre-NG.
  • Variant 4: speculative store bypass (CVE-2018-3639), also known as Spectre-NG.

Following the analysis of ARM ( we can confirm that:

  • The ARM 926EJ-S processor used on HMP100, HMP130 and HMP200 products is vulnerable to neither Spectre nor Meltdown.
  • The ARM Cortex-A8 processor used on DiVA, HMP300 and HMP350 products is vulnerable only to Spectre, it is not vulnerable to Meltdown nor Spectre-NG.

Therefore, no SpinetiX products are vulnerable to Meltdown (CVE-2017-5754) or Spectre-NG (CVE-2018-3639 and CVE-2018-3640). HMP100, HMP130 and HMP200 products are not vulnerable to Spectre (CVE-2017-5753 and CVE-2017-5715). However, DiVA, HMP300 and HMP350 products are vulnerable to Spectre (CVE-2017-5753 and CVE-2017-5715).

These vulnerabilities can allow to steal data which is resident in memory by using a cache timing side-channel attack. This method is dependent on being able to run malware locally on the target device, which means it is important for device owners to follow good security practices by keeping the firmware up to date, having protected their devices with good passwords and having a sound policy for content acquisition and authoring.

The SpinetiX firmware running on its products is a tightly controlled environment and does not allow running any third-party software. Therefore, direct exploitation of the Spectre vulnerabilities is believed to not be possible. The only vector through which an attacker can run routines to exploit these vulnerabilities is via the JavaScript engines in the SVG and HTML interpreters. The HTML interpreter takes care of rendering Web Page Layers, while the SVG interpreter renders all other content.

The JavaScript code run inside the SVG interpreter is under the control of the content creator. As long as good practices for content authoring are followed it should not be possible to introduce malware into the JavaScript engine inside the SVG interpreter.

The HTML interpreter runs in a separate security context, but may be used to render third party content outside the control of the content author. As such, it could be possible for malware to be introduced via a malicious or compromised web site. This malware would be run by the JavaScript engine of the HTML interpreter and, if successful, could steal data. As the HTML interpreter runs in a separate security context, it is only able to steal data held by the HTML interpreter itself. The SpinetiX firmware hands at most two pieces of sensitive information to the HTML interpreter. One is the username and password for the site being loaded, if the URI of the Web Page Layer matches one among the saved passwords configured on the device. The other is the HTTP proxy’s username and password, if one is configured on the device. Therefore, the only data that could be stolen is data on the site at the URI of the Web Page Layer, or other site loaded by it, plus the two sensitive pieces detailed above if they are used. It is thus recommended that the Web Page Layer be used only to load known and trusted sites and as much as possible ad-free, as ads can be a source of JavaScript malware. Note that Web Page Layers, and thus the HTML interpreter, cannot be used on DiVA, so this attack vector applies to HMP300 and HMP350 products only.

As explained above, the extent to which the Spectre vulnerabilities can be exploited on HMP300 and HMP350 products is very limited and even more so on DiVA. Customers which are nevertheless concerned by this should make sure that Web Page Layers are used to load trusted and well-known sites only, or that all Web Page Layers be removed from the content. Customers should also ensure that good security practices are followed for content authoring and that devices are properly protected with good passwords.

SpinetiX is actively monitoring the evolution of such vulnerabilities and further security mitigations might be included in future firmware releases - that will be communicated through the firmware release notes at the time of release.

This page was last modified on 5 October 2018, at 19:24.