News

Speculative Execution Vulnerabilities in ARM and x86 CPUs

2018/01/17

Security researchers have recently uncovered security issues known by two names, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). These issues apply to all modern processors and affect nearly all computing devices and operating systems. All GIGABYTE systems are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires malicious software to be installed on your systems, GIGABYTE recommends downloading software only from trusted sources.
Resolution of these vulnerabilities may call for both an operating system update, provided by the OS vendor, and a system ROM update from GIGABYTE.

  • Variant 1 (CVE-2017-5753, bounds check bypass or Spectre)
    The threat can be contained with an OS patch.
  • Variant 2 (CVE-2017-5715, branch target injection or Spectre)
    GIGABYTE will provide an online ROM flash that includes processor microcode updates to further mitigate the threat.
  • Variant 3 (CVE-2017-5754, rogue data cache load or Meltdown)
    The threat can be contained with an OS patch.
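
To confirm which of the three variants above are actually mitigated on a host, the following added example (not GIGABYTE's code) reads the status a patched Linux kernel reports under /sys/devices/system/cpu/vulnerabilities. It assumes Linux; the function names, the IBPB/IBRS heuristic and the sample status lines in demo() are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Linux-only assumption: kernels carrying these fixes report per-issue status here.
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities")
# sysfs file name -> (advisory variant, CVE, fix source named in the advisory)
VARIANTS = {
    "spectre_v1": ("Variant 1", "CVE-2017-5753", "OS patch"),
    "spectre_v2": ("Variant 2", "CVE-2017-5715", "OS patch + ROM/microcode update"),
    "meltdown": ("Variant 3", "CVE-2017-5754", "OS patch"),
}

def classify(raw):
    """Reduce a kernel status line to one state; a missing file means 'unknown'."""
    if raw is None:
        return "unknown"
    for prefix, state in (("Not affected", "not_affected"),
                          ("Mitigation", "mitigated"),
                          ("Vulnerable", "vulnerable")):
        if raw.strip().startswith(prefix):
            return state
    return "unknown"

def audit(root=SYSFS):
    """Return {sysfs_name: status dict} for the three variants in the advisory."""
    report = {}
    for name, (variant, cve, fix) in VARIANTS.items():
        path = Path(root) / name
        raw = path.read_text() if path.is_file() else None
        detail = (raw or "").strip()
        report[name] = {
            "variant": variant, "cve": cve, "fix": fix,
            "state": classify(raw), "detail": detail,
            # Heuristic: IBPB/IBRS in the status line means the kernel is
            # using branch-prediction controls exposed by updated microcode.
            "microcode_controls": "IBPB" in detail or "IBRS" in detail,
        }
    return report

def pending(report):
    """Variants still needing action: vulnerable, or kernel too old to say."""
    return sorted(n for n, r in report.items() if r["state"] in ("vulnerable", "unknown"))

def demo():
    """Run the audit over a constructed sysfs tree (sample values, not real output)."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "meltdown").write_text("Mitigation: PTI\n")
        (Path(d) / "spectre_v2").write_text("Vulnerable: Minimal generic ASM retpoline\n")
        return audit(d)  # spectre_v1 deliberately absent: simulates an unpatched kernel

if __name__ == "__main__":
    for r in audit().values():
        print(f'{r["variant"]} ({r["cve"]}): {r["state"]} [{r["detail"] or "no sysfs entry"}] fix: {r["fix"]}')
```

A missing entry is reported as "unknown" rather than safe, since kernels that predate the fixes do not create these files at all.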

Intel has provided a high-level statement here: https://newsroom.intel.com/press-kits/security-exploits-intel-products/

Resources

| CPU Models | Recovery BIOS Release Time |
| --- | --- |
| Intel Xeon Scalable Processors | Waiting for chipset vendor microcode update |
| Intel Xeon W Processors | Waiting for chipset vendor microcode update |
| Intel Xeon Processor E3-1200 v6 Product Family | Waiting for chipset vendor microcode update |
| Intel Xeon Processor E5 v4 Product Family | Waiting for chipset vendor microcode update |
| Intel Xeon Processor D-1500 Product Family | Waiting for chipset vendor microcode update |
| Intel Atom Processor C3000 Series | Waiting for chipset vendor microcode update |
| Intel Pentium and Celeron Processor N3000 Product Families | Waiting for chipset vendor microcode update |
| Intel Atom Processor E3800 Product Family and Intel Celeron Processor N2807/N2930/J1900 | Waiting for chipset vendor microcode update |
| AMD EPYC Series | 2/9 |
| Cavium ThunderX Product Family | Not impacted by this event |

Background

The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory, including that of the kernel, from a less-privileged user process such as malicious software running on a system.