It has recently been announced that a generic weakness in the speculative execution or out-of-order execution mechanisms implemented by modern central processing units (CPUs) could allow unauthorized access to sensitive data through different attack scenarios, as documented in CVE-2017-5715/CVE-2017-5753 (known as Spectre) and CVE-2017-5754 (known as Meltdown).
Whatever the exploitation scenario, this weakness requires a specific vulnerable CPU and requires that CPU to execute a specific code sequence to access unauthorized memory space.
Gemalto has set up a dedicated team of security experts to work on the situation and immediately performed a full assessment of its portfolio of offers, services, and manufacturing environments.
The status regarding Gemalto's offers is the following:
- Are not impacted by this weakness:
  - HSM, smart cards, hardware tokens, secure elements, IoT devices
- Are not threatened by realistically exploitable scenarios:
  - Manufacturing & personalization services
  - Private cloud environments
  - Appliance-based products
  - Software solutions
- Are exposed and require patches or mitigations:
  - Services based on Public Cloud environments, and especially the segregation between tenants of shared hardware. All identified attack scenarios are reported as mitigated by our Cloud Service Providers.
  - Mobile Applications: the exposure varies depending on the mitigation provided by the device maker. This risk can be partially mitigated by the Gemalto software security mechanism.
We recommend that our Customers apply all relevant vendors' patches and mitigations. It is important to note that the patches supplied by OS vendors can impact the performance and the stability of the system. Gemalto recommends testing them and evaluating the performance impact on each platform (Hardware/OS) prior to rollout to production systems.
Gemalto CERT continues to closely monitor developments and will update this information as needed.
Customers who have more questions about these vulnerabilities should get in touch with their usual Gemalto contact.