Security Update: Meltdown and Spectre
January 8, 2018
Two new vulnerabilities that affect many modern microprocessors were published on January 3rd, 2018. These vulnerabilities could allow attackers to read the contents of memory used by other applications on the same server or even processes running in other virtual machines (VMs).
The first vulnerability, called Meltdown, affects only Intel CPUs and can be fixed with an operating system patch.
The second, called Spectre, affects CPUs from AMD and ARM. It requires a CPU design change and cannot be fixed in software.
Cradlepoint routers are not affected by either vulnerability. However, Cradlepoint services like NetCloud Manager (NCM) and NetCloud Perimeter (NCP) run on servers that may be vulnerable.
What is it?
Both vulnerabilities are based on a CPU optimization called “speculative execution”. Both also require an attacker to install malware on the target system.
With Meltdown, an attacker -- who can install and run a program on the target machine -- can access the memory of all other programs running on that machine.
With Spectre, an attacker can “read” memory of other programs through indirect means.
For more information, please see
The related CVEs are shown below:
(Spectre) “branch target injection” mitigated by CPU microcode update from CPU vendor
(Spectre) “bounds check bypass”
(Meltdown) “rogue data cache load” fixed with OS update
What Cradlepoint devices or services may be affected?
All NCM and NCP services run on cloud servers which may be affected. However, most NCM services run on multi-tenant servers and Cradlepoint’s primary cloud provider has patched their servers so that NCM is not vulnerable to Meltdown attacks running in other tenant spaces.
NCM could still be vulnerable to Meltdown exploits which manage to install malware on the NCM VMs. The operating system patch to fix Meltdown is expected to be released soon. Cradlepoint will then begin immediate execution of its plans to apply the patch to all NCM systems.
No Cradlepoint routers use CPU’s vulnerable to Meltdown.
For Spectre, Cradlepoint does not support installing compiled applications on any routers with the Spectre vulnerability. An attacker would need to install malware that exploits certain CPU instruction patterns. Such patterns can only exist in compiled programs and Cradlepoint does not support compiling SDK apps.
Published Date: 01/25/2018
This article not have what you need? Not find what you were looking for? Think this article can be improved? Please let us know at email@example.com.