Security Advisory Release Date: January 5th, 2018 | Advisory Identifier: AXON-1801
Security researchers recently announced two widespread processor vulnerabilities, named Meltdown and Spectre. These flaws allow programs running on affected systems to access portions of memory that should normally be inaccessible, potentially allowing for unauthorized access to sensitive data.
Axon customers are not required to take any actions on their accounts running in Axon cloud services. Axon cloud services have been patched against these flaws at the infrastructure level, and patches provided by operating system vendors will be applied as they are released.
The chipsets used by our Axon body cameras, in-car systems, and CEWs are not vulnerable to either Meltdown or Spectre. Axon Dock is not vulnerable to Meltdown, but could be impacted by Spectre. Real-world exploitation is extremely unlikely and impractical on ARM chipsets, as the researchers detailed. In consultation with the chipset manufacturer, Axon will continue to evaluate whether, at some point, an update to the Dock to mitigate Spectre would be beneficial.
According to the researchers, “Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.”
According to the researchers, “Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.”
Axon cloud services running on Microsoft Azure have already been patched at the hypervisor level against these issues. Operating system level patches will also be applied rapidly once they are available from operating system vendors. Axon cloud regions using Microsoft Azure include United States, Canada, and United Kingdom. https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
Axon cloud services running on Amazon Web Services (AWS) are already protected at the infrastructure level. Operating system level patches will also be applied rapidly once they are available from operating system vendors. Axon cloud regions using Amazon Web Services include the EU and Australia. https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
According to ARM, the chipsets used by our body cameras and in-car systems are not vulnerable to either Meltdown or Spectre.
Axon Dock could be impacted by the Spectre vulnerabilities, but not Meltdown. However, as the researchers explained, exploitation on ARM has been shown to be difficult and limited. On a hardened operating system that does not run outside, unvetted code, such as that used on the Dock, exploitation is extremely difficult and very impractical. In consultation with the chipset manufacturer, Axon will continue to evaluate whether an update to the Dock to mitigate Spectre would be beneficial.
Applicable CVEs (Common Vulnerabilities and Exposures) & Other Resources
https://meltdownattack.com
Spectre: CVE-2017-5753 and CVE-2017-5715
Meltdown: CVE-2017-5754
Suggested Actions
Axon customers are not required to take any actions on their accounts running in Axon cloud services. However, customers are always encouraged to review their general security practices and settings. https://www.axon.com/trust/security/evidence/best-practices
Axon customers are not required to take any actions on their Axon devices. However, customers are always encouraged to review their general security practices and settings.
Tips for Protecting your Agency Desktops, Laptops, and Mobile Devices
Axon customers are encouraged to apply operating system updates to their client systems, such as desktops, laptops, and mobile devices, as soon as is reasonable. As with any update, please consult your system administrators for additional information specific to your agency's environment or practices.
As these vulnerabilities are rooted in elements of hardware processor design and involve only the ability to read memory data (not write), many of the traditional security measures will not be effective at preventing attacks against these vulnerabilities or detecting that attacks have happened. While general security best practices should continue to be used, such as anti-virus, network segmentation, and general operating system hardening, these are not likely to provide adequate mitigations for these vulnerabilities.
The most effective mitigation for Spectre and Meltdown is to apply the vendor-supplied patches.
Microsoft released security updates for these issues originally on January 3rd, 2018. Note that Microsoft will only apply these security updates if you are also running a compatible anti-virus program. See https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released for more information. Customers should ensure these updates have been applied to their systems as soon as possible.
Apple released a fix with its December 6th update of macOS High Sierra 10.13.2 and security updates for macOS Sierra and El Capitan. This was initially reported to be a partial fix, but Apple recently stated that it was a complete fix. Customers should ensure these updates have been applied to their systems as soon as possible.
ARM (the designer behind the scenes of Apple's core processors in its iPhones) has stated that it is vulnerable to Spectre, but not Meltdown attacks. Apple has not yet released an update for its iPhones to remediate these vulnerabilities, but as with other devices on ARM, exploitation has so far proven to be very difficult. Customers should watch for updates from Apple and apply them when available.
Google has stated “exploitation has been shown to be difficult and limited on the majority of Android devices.” Even so, Google released a fix with its December security patches. Unless you have a Google Pixel device, whether these updates are available to you is a complicated matter as phone manufacturers and carriers each add complications to the process. Customers should apply updates if possible and consult their wireless carrier and/or phone manufacturer to receive information specific to their hardware.
One of the more concerning attack vectors involves browsers. This allows code from a website to access memory that it should not have access to.
Google Chrome has made some recommendations here: https://support.google.com/faqs/answer/7622138#chrome that should last until additional mitigations are released on January 23rd.
Mozilla Firefox released fixes on January 4th in version 57.0.4: https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
Microsoft released updates for Internet Explorer and Edge along with its Windows updates.
Apple has not yet published an update for Safari, but has promised an update “in the coming days”.
Where reasonable, customers should apply these updates and settings as soon as possible.