To bring some clarity to the Spectre and Meltdown situation, Flexera has compiled, and is making available here (see bottom of page), a rolling list of the Secunia Research advisories we have issued for the three CVEs (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) affecting chips from vendors such as Intel, AMD, ARM, and now NVIDIA.
It’s important to note that the Secunia Research team’s verification process helps customers understand the real risk of the vulnerabilities reported. Most of the advisories related to these vulnerabilities are scored below “Moderately Critical” (scores of 1-3 out of a maximum of 5). The reason is that product context matters a great deal in this instance. By “product context” we mean what category of software is involved, e.g. operating systems, virtualization software, browsers, etc. This determines the attack vector available to an attacker, i.e. local versus remote access. It also determines the potential impact that an exploit can have on your systems (the “gain”).
Secunia Research analyzes each vulnerability on a case-by-case basis and provides a consistent, normalized rating. This criticality rating allows you to prioritize vulnerabilities effectively, so you know what to tackle first. This step is key because of the massive volume of vulnerabilities disclosed every year; there were more than 17,000 last year alone.
Based on our current knowledge as of this writing, the Meltdown and Spectre vulnerabilities may lead to “disclosure of private information” or may “bypass security restrictions.” But, in and of themselves, these vulnerabilities don’t result in a full system compromise. Meltdown and Spectre are currently not considered 0-day vulnerabilities, since there was no known exploitation in the wild at the time of initial disclosure. For these reasons, a rating of “Moderately Critical” in a “Remote” (WAN) case is the worst-case scenario, assuming there are no user authentication / interaction or other obstacles.
Secunia Research’s criticality ratings are uniquely valuable because they provide the additional product context that is essential to truly ascertain how serious a vulnerability is. The National Vulnerability Database (NVD), for example, doesn’t appear to perform a product-context analysis, which can produce potentially inaccurate results. As discussed, the product context may significantly change the real impact of a vulnerability. Again, the criticality of the Spectre and Meltdown vulnerabilities is very dependent on product context.
It’s very important to understand that since the Meltdown and Spectre vulnerabilities hit the news cycle last week, Secunia Research has published over 21 advisories, unrelated to either of these vulnerabilities, with a “Highly Critical” rating. Some of these have a patch; others have partial fixes. These vulnerabilities are found in software such as:
- Cisco Webex Meetings Server
- Cisco Webex Advanced Recording Format (ARF) player
- Microsoft Internet Explorer versions 9, 10 and 11
- IBM Rational DOORS Next Generation 6
- IBM WebSphere Application Server 9.0
- Debian GNU/Linux 8 and 9
- Jackson 2.0
- Gentoo Linux
- And many others.
Spectre and Meltdown are stealing the headlines in this particular news cycle. However, on a regular basis Secunia Research documents vulnerabilities that could have a more immediate and potentially harmful impact on companies. This is why we urge all organizations to source vulnerability intelligence that is verified and rated against a standard set of criteria. We also encourage everyone to perform a proper assessment of their environments and match it to the actual intelligence for a full view of the real risk. This allows remediation activities to be prioritized based on actual risk, which results in faster remediation of the most important vulnerabilities and improved security for your business.
Make no mistake: the Spectre and Meltdown vulnerabilities are very important, and we all need to keep an eye on them. But it’s equally important to keep an eye on other critical vulnerabilities coming to light that, perhaps, are not making the news.