Intel continues to release CPU microcode updates that include mitigation for the Spectre vulnerability announced in January. This week the company released fixes for several CPUs on the Skylake platform.
The company’s first batch of microcode updates, released a month ago, caused reboots and other unexpected behavior on systems running Haswell and Broadwell CPUs. OEMs then withdrew the BIOS/UEFI updates that incorporated those updates and are now testing fixes that should resolve the issues.
In the meantime, Intel continued to work on microcode updates for other generations of CPUs that weren’t covered by the initial patches. These updates are needed to add new CPU features that operating systems can use to mitigate branch target injection, also known as Spectre variant 2.
This is the most generic of the three CPU vulnerabilities disclosed in January (Meltdown and Spectre variants 1 and 2) and is the only one that requires low-level changes to how CPUs work. By comparison, Meltdown is fixed through OS patches and Spectre variant 1 through browser updates.
Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel, said the company will share microcode updates for additional CPUs with OEMs over the coming days.
“Ultimately, these updates will be made available in most cases through OEM firmware updates,” Shenoy said in a blog post Wednesday. “I can’t emphasize enough how critical it is for everyone to always keep their systems up-to-date. Research tells us there is frequently a substantial lag between when people receive updates and when they actually implement them. In today’s environment, that must change.”
Cisco Warns Users About Ongoing Attacks Exploiting ASA Vulnerability
Cisco Systems has updated its security advisory about a critical vulnerability that affects many Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls, to warn customers of ongoing attacks.
“The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory,” the company said. “Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory.”
The flaw, tracked as CVE-2018-0101, was announced last week and has the maximum severity score of 10.0 on the CVSS scale. The vulnerability was found by researchers from NCC Group who warned that it allows attackers “to see all of the data passing through the system and provides them with administrative privileges, enabling them to remotely gain access to the network behind it.”
Cisco found additional attack vectors and released an improved fix this week. However, according to competitor Cato Networks, there are 120,000 ASA firewalls on the internet with the WebVPN software enabled and this is just one of the vulnerable ASA features.
The high number of vulnerable devices makes this exploit very attractive for hackers, especially since their targets are almost guaranteed to be accessible on the internet due to their function as firewalls and VPN gateways and because of their potential to provide access to internal networks.
On Feb. 7, Cisco also released patches for vulnerabilities in a wide range of other products, including for a critical remote code execution flaw in the web interface of Cisco RV132W ADSL2+ Wireless-N VPN and RV134W VDSL2 Wireless-AC VPN routers, an arbitrary command execution vulnerability in Cisco UCS Central, a RADIUS authentication bypass in Cisco Policy Suite and a denial-of-service vulnerability in its Cisco Virtualized Packet Core-Distributed Instance (VPC-DI) software.