Meltdown and Spectre are hardware design vulnerabilities in CPUs utilizing speculative execution.
While the defect exists in the hardware, mitigations in operating systems are possible and are currently available.
CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. The issues are organized into three variants:
These attacks are possible due to the interaction between operating system memory management and CPU implementation optimization choices.
The Linux kernel mitigations for this vulnerability are referred to as KAISER, and subsequently KPTI, which aim to improve separation of kernel and user memory pages.
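To confirm on a given Linux host whether these mitigations are active, the following added example (not part of the original advisory) reads the kernel's /sys/devices/system/cpu/vulnerabilities interface and classifies each entry. The function names and the sample directory are assumptions made for illustration; kernels that predate this sysfs interface are reported as "unknown".

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status as exposed by the
# Linux kernel in sysfs. Function names here are illustrative assumptions.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STRING
# Maps the kernel's status text to: not_affected, mitigated, vulnerable, unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [DIR]
# Prints "name state detail" for each of the three issues and returns 1 if any
# entry is vulnerable or cannot be determined, 0 otherwise.
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            detail=$(cat "$dir/$name")
        else
            detail="no sysfs entry"   # kernel too old or not yet patched
        fi
        state=$(classify_status "$detail")
        printf '%-11s %-12s %s\n' "$name" "$state" "$detail"
        case "$state" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample (not real output): KPTI enabled, one issue unmitigated,
# one entry missing. On a real host, call check_cpu_vulns with no argument.
sample=$(mktemp -d)
echo "Mitigation: PTI" > "$sample/meltdown"
echo "Vulnerable" > "$sample/spectre_v1"
check_cpu_vulns "$sample" || echo "action needed: at least one issue is not mitigated"
```

A non-zero return from check_cpu_vulns is suitable as a failing condition in a fleet compliance check.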
Attacks require the ability to execute code locally on a target system. Typically, this type of attack requires a valid account or independent compromise of the target. Attacks using JavaScript in web browsers are also possible. Multi-user and multi-tenant systems (including virtualized environments) likely face the greatest risk. Systems used to browse arbitrary web sites are also at risk. Single-user systems that do not readily provide a way for attackers to execute code locally face significantly lower risk.
Vendors are releasing patches for vulnerable systems, and cloud environments like Amazon and Azure are patching the operating systems they deliver.
ASPL-759, shipped on January 5, 2018, contained checks for the following products: