News

Speculative Execution Vulnerabilities in x86 and ARM CPUs

2018/01/17

UPDATE 16 April 2018 - On 10 April 2018 AMD announced that it is releasing processor microcode updates to mitigate the security vulnerability SPECTRE Variant 2 (CVE-2017-5715). AMD had previously indicated that its processors would not be affected by the SPECTRE or MELTDOWN security vulnerabilities; however, after further analysis and after working with its customers and partners, it has released a microcode update to mitigate these vulnerabilities. AMD still states that it will be difficult to exploit SPECTRE Variant 2 on AMD processors.

Based on this new microcode update, GIGABYTE estimates that all BIOS updates for our products using AMD processors will be ready by 6/1. Please refer to this webpage or our Twitter page for the latest information regarding updates to mitigate against SPECTRE.

Taipei, Taiwan, 17 January 2018 - Security researchers have recently uncovered security issues known by two names, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). These issues apply to all modern processors and affect nearly all computing devices and operating systems. All GIGABYTE systems are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires malicious software to be installed on your systems, GIGABYTE recommends downloading software only from trusted sources.

Resolution of these vulnerabilities may call for both an operating system update, provided by the OS vendor, and a system ROM / BIOS update from GIGABYTE.

  • Variant 1 (CVE-2017-5753, bounds check bypass or Spectre)
    The threat can be contained with an OS patch.
  • Variant 2 (CVE-2017-5715, branch target injection or Spectre)
    GIGABYTE will provide BIOS updates combining processor microcode to further mitigate the threat.
  • Variant 3 (CVE-2017-5754, rogue data cache load or Meltdown)
    The threat can be contained with an OS patch.
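
One way to check, per variant, whether the fixes listed above have taken effect on a Linux host. This is an added example, not GIGABYTE code. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and later, or a distribution backport); the function names and the "software-only" heuristic are this example's own.

```shell
# Added example: map the kernel's reported status to the advisory's variants.
# Assumes Linux with /sys/devices/system/cpu/vulnerabilities present.
fix_for() {   # sysfs file name -> variant and the fix the advisory names
    case "$1" in
        spectre_v1) echo "Variant 1 (CVE-2017-5753): OS patch" ;;
        spectre_v2) echo "Variant 2 (CVE-2017-5715): BIOS update with microcode" ;;
        meltdown)   echo "Variant 3 (CVE-2017-5754): OS patch" ;;
    esac
}

# classify STATUS -> ok | vulnerable | unknown, from the kernel's status prefix.
classify() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_variant NAME [DIR] -> "<state>: <raw status line>"
check_variant() {
    local file status state
    file="${2:-/sys/devices/system/cpu/vulnerabilities}/$1"
    status=$(head -n 1 "$file" 2>/dev/null) || status="no sysfs entry (kernel predates the interface?)"
    state=$(classify "$status")
    # Heuristic (assumption): a Variant 2 mitigation naming neither IBRS nor
    # IBPB is software-only, so the BIOS-delivered microcode may not be loaded.
    case "$1:$status" in
        spectre_v2:Mitigation:*IBRS*|spectre_v2:Mitigation:*IBPB*) ;;
        spectre_v2:Mitigation:*) state=software-only ;;
    esac
    echo "$state: $status"
}

# report [DIR] -> one line per variant; returns 1 if any state is not "ok".
report() {
    local rc=0 name result
    for name in spectre_v1 spectre_v2 meltdown; do
        result=$(check_variant "$name" "$1")
        printf '%-55s %s\n' "$(fix_for "$name")" "$result"
        case "$result" in ok:*) ;; *) rc=1 ;; esac
    done
    return $rc
}

report "${1:-}" || true
```

A "software-only" result for Variant 2 after an OS update is the case where the BIOS update from the table below is still outstanding.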

For the availability date of BIOS updates for all affected GIGABYTE products, please refer to the following table. BIOS updates can be downloaded from the support section of each individual product page (please find your affected product here).

    CPU Models | Recovery BIOS Release Time
    Intel Xeon Scalable Processors | 2/27
    Intel Xeon W Processors | 3/8
    Intel Xeon Processor E3-1200 v5/v6 Product Family | 2/27
    Intel Xeon Processor E3-1200 v3/v4 Product Family | 3/30
    Intel Xeon Processor E5-2600 v3/v4 Product Family | 3/14
    Intel Xeon Processor D-1500 Product Family | 3/14
    Intel Atom Processor C3000 Series | 3/18
    Intel Pentium and Celeron Processor N3000 Product Families | Coming Soon
    Intel Atom Processor E3800 Product Family and Intel Celeron Processor N2807/N2930/J1900 | Coming Soon
    AMD EPYC Series | 3/12
    Cavium ThunderX Product Family | Not impacted by this event

    Background

    The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
    The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory, including that of the kernel, from a less-privileged user process such as malicious software running on a system.

    Intel has provided a high level statement here: https://newsroom.intel.com/press-kits/security-exploits-intel-products/

    Resources

    Please follow @GigabyteServer on Twitter for instant notification of all BIOS updates as they become available!