View Source

h3. Critical Update - Spectre and Meltdown

h5. 26 February 2018

The testing and verification of Microsoft patches for these vulnerabilities is complete.

We recommend that the *February* roll-up updates from Microsoft are installed and used with ClearSCADA. Test results for these updates are located [here.|CS:Microsoft Update Testing]

Our testing with the available Spectre and Meltdown operating system updates *active* has shown that there is a measurable impact on performance. Impact on disk I/O was not as noticeable in our testing as was the impact on network access. It is not possible to produce definitive figures, so we recommend that you perform testing on offline/simulation systems before deployment, particularly on large or heavily loaded systems. e.g. where total lock usage is above 40%.

You can see total lock usage by adding the result of the OPC tags "#LOCK.1.% Time In Excl Lock" and "#LOCK.1.% Time In Shared Lock". These OPC tags are figures from 0 to 1. The values of these metrics are also listed in snapshot files as percentages from 0 to 100 (search for '% Time In Excl Lock' and '% Time In Shared Lock' and see the figures in the first line). We recommend comparing figures before and after the updates are applied and activated.

h5. 18 January 2018

The testing and verification of Microsoft patches for these vulnerabilities is ongoing. Further updates will be added to this page.

We hope to advise users during January of the potential performance impact of the updates, and whether an update of ClearSCADA software will be required for any reason.

Our current advice is not to apply recent patches from Microsoft, as the impact is not yet completely known.

We are aware of a separate issue related to other changes within the Microsoft monthly roll-up update which relates to Windows 7, .Net 4.7.1, and ClearSCADA 2014 and up. (See [here|https://github.com/dotnet/announcements/issues/53]).

h5. 8 January 2018

Schneider Electric® has become aware of two side channel attacks that leverage critical vulnerabilities in a wide range of computer CPU. These vulnerabilities have been named Spectre and Meltdown. Spectre tricks other applications into accessing arbitrary locations in their memory. Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. There have been no known exploits in the wild. Schneider Electric is actively assessing the impact on our offers.

h5. Details:

*Meltdown:*

Desktop, Laptop, and Cloud computers may be affected by Meltdown. Every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). Researchers have successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, researchers have only verified Meltdown on Intel processors.

[CVE-2017-5754|https://nvd.nist.gov/vuln/detail/CVE-2017-5754] is the official vulnerability reference to Meltdown.



*Spectre:*

Desktops, Laptops, Cloud Servers, as well as Smartphones may be affected by Spectre. All modern processors capable of keeping many instructions in flight are potentially vulnerable. Researchers have verified Spectre on Intel, AMD, and ARM processors.

[CVE-2017-5753|https://nvd.nist.gov/vuln/detail/CVE-2017-5753] and [CVE-2017-5715|https://nvd.nist.gov/vuln/detail/CVE-2017-5715] are the official vulnerability references to Spectre.



h5. Recommended Mitigations

Schneider Electric is actively monitoring vendor research into these vulnerabilities to determine appropriate actions to be taken. At the time of this publication, information is being updated rapidly and the impact of proposed mitigations and patches remains unclear. Many of the initial mitigations proposed by hardware and operating system vendors indicate a high level of potential performance impact, Schneider Electric recommends caution if mitigations or patches are applied to critical and/or performance constrained systems. If you elect to apply recommended patches or mitigations in advance of further guidance from Schneider Electric, we strongly recommend evaluating the impact of those measures on a Test & Development environment or an offline infrastructure. Schneider Electric will provide further guidance as information becomes available.

* Microsoft: Please refer to Microsoft support sites for further information.
** [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002]
** [https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe]
** [https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution]
* Linux: Kernel page table isolation (KPTI), a hardening technique designed to improve security by isolating the kernel space from user space memory has already been implemented in the Linux kernel. Please visit your respective Linux distribution site for patches.
* Cloud: Amazon Web Services and Microsoft Azure have applied patches to address mitigations for these attacks.

h5. More Information

* Meltdown and Spectre Official site: [https://meltdownattack.com/]
* Microsoft OS: [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002]
* Linux based fix : [https://gruss.cc/files/kaiser.pdf]
* KAISER: [https://lwn.net/Articles/738975/]
* AMD statement: [https://www.amd.com/en/corporate/speculative-execution]
* Reading privileged memory with a side-channel\- Google Project Zero Blog post: [https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html]
* ARM: [https://developer.arm.com/support/security-update]
* Google: [https://support.google.com/faqs/answer/7622138]



h5. Mailing Subscription:

To stay updated on any security issues of interest, please refer to our Security Notification areas:

* Schneider Electric CyberSecurity Notifications (All Products):[http://www.schneider-electric.com/b2b/en/support/cybersecurity/security-notifications.jsp]
* ClearSCADA Security Notification List:[http://resourcecenter.controlmicrosystems.com/display/CS/Stay+Informed%21]