Google research found an issue in many modern processors that can allow programs to access protected data. This could enable attacker software to defeat memory access controls and gain access to confidential and sensitive information such as passwords.
There are three variants of the vulnerability: CVE-2017-5753 and CVE-2017-5715, called “Spectre”, and CVE-2017-5754, known as “Meltdown”.
For more details about the vulnerability, please visit: https://spectreattack.com/
| Toradex Products | Arm Core | Variant 1 SPECTRE CVE-2017-5753 | Variant 2 SPECTRE CVE-2017-5715 | Variant 3 MELTDOWN CVE-2017-5754 |
|---|---|---|---|---|
| Colibri VF50, Colibri VF61 | Cortex®-A5 | Not Affected | Not Affected | Not Affected |
| Colibri iMX6ULL, Colibri iMX7 | Cortex®-A7 | Not Affected | Not Affected | Not Affected |
| Colibri iMX6S, Colibri iMX6DL, Apalis iMX6D, Apalis iMX6Q | Cortex®-A9 | Affected; patched in Linux BSP 2.8b3 | Affected; patched in Linux BSP 2.8b3 | Not Affected |
| Colibri T30, Colibri T20, Apalis T30 | Cortex®-A9 | Affected | Affected | Not Affected |
| Apalis TK1 | Cortex®-A15 | Affected; patched in Linux BSP 2.8b3 | Affected; patched in Linux BSP 2.8b3 | Not Affected |
| Colibri PXA270, Colibri PXA300, Colibri PXA310, Colibri PXA320 | XScale® | Not Affected | Not Affected | Not Affected |
The Cortex®-M4 Cores on the Colibri VF61, Colibri iMX7, and Apalis TK1 are not affected.
Note: The solutions proposed by NVIDIA and NXP were integrated into the Embedded Linux BSP for all i.MX 6 and TK1 based modules, starting with Toradex Embedded Linux BSP release 2.8b3. Please see this release note for more details.
These vulnerabilities can be fixed via software patches. As this issue affects the Arm Cores, Arm® is leading the efforts. For the most up-to-date information about the current status, please check: https://developer.arm.com/support/security-update
Toradex is working with NXP® and NVIDIA® to integrate the software patches in the Linux Board Support Packages (BSPs) provided by Toradex.
NVIDIA also provides public information about the status of the TK1 SoC; please see: http://nvidia.custhelp.com/app/answers/detail/a_id/4616
Toradex is in contact with Microsoft about this issue, but currently there is no roadmap for fixes.
To exploit these security vulnerabilities, carefully crafted malware must be loaded onto the system. On many embedded systems, the OEM controls which software can run on the system, which reduces the risk. The high degree of customization and relatively low volumes of embedded systems make a large general attack unlikely. We are not able to give a general recommendation, and you will need to assess the risk for your particular device depending on the use case. In general, it is recommended to allow only authenticated software to be executed.
See Also:
https://developer.toradex.com/knowledge-base/access-security(colibri)
https://www.toradex.com/blog/wannacry-cyber-attack-impact-on-wince
https://developer.toradex.com/knowledge-base/webinterface
https://developer.toradex.com/knowledge-base/registry-access-using-program