ClearSCADA

Critical Update - Spectre and Meltdown

18 January 2018

The testing and verification of Microsoft patches for these vulnerabilities is ongoing. Further updates will be added to this page.

We hope to advise users during January of the potential performance impact of the updates, and whether an update of ClearSCADA software will be required for any reason.

Our current advice is not to apply recent patches from Microsoft, as the impact is not yet completely known.

We are aware of a separate issue related to other changes within the Microsoft monthly roll-up update which relates to Windows 7, .Net 4.7.1, and ClearSCADA 2014 and up. (See here).

8 January 2018

Schneider Electric® has become aware of two side channel attacks that leverage critical vulnerabilities in a wide range of computer CPU. These vulnerabilities have been named Spectre and Meltdown. Spectre tricks other applications into accessing arbitrary locations in their memory. Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. There have been no known exploits in the wild. Schneider Electric is actively assessing the impact on our offers.

Details:

Meltdown:

Desktop, Laptop, and Cloud computers may be affected by Meltdown. Every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). Researchers have successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, researchers have only verified Meltdown on Intel processors.

CVE-2017-5754 is the official vulnerability reference to Meltdown.

Spectre:

Desktops, Laptops, Cloud Servers, as well as Smartphones may be affected by Spectre. All modern processors capable of keeping many instructions in flight are potentially vulnerable. Researchers have verified Spectre on Intel, AMD, and ARM processors.

CVE-2017-5753 and CVE-2017-5715 are the official vulnerability references to Spectre.

Recommended Mitigations

Schneider Electric is actively monitoring vendor research into these vulnerabilities to determine appropriate actions to be taken. At the time of this publication, information is being updated rapidly and the impact of proposed mitigations and patches remains unclear. Many of the initial mitigations proposed by hardware and operating system vendors indicate a high level of potential performance impact, Schneider Electric recommends caution if mitigations or patches are applied to critical and/or performance constrained systems. If you elect to apply recommended patches or mitigations in advance of further guidance from Schneider Electric, we strongly recommend evaluating the impact of those measures on a Test & Development environment or an offline infrastructure. Schneider Electric will provide further guidance as information becomes available.

More Information
Mailing Subscription:

To stay updated on any security issues of interest, please refer to our Security Notification areas: