The following control systems products are affected:
The following embedded products are affected:
The following HMI products are affected:
The following Industrial PC products are affected:
Several CPUs manufactured by Intel, AMD or based on ARM technology may leak information due to their internal operation if attacked by specifically written software executed on the affected systems.
The information in this advisory is based on the statements of respective manufacturers.
Microprocessors from Intel and AMD using the x86 architecture and some microprocessors using the ARM, PowerPC, and MIPS architecture may be susceptible to a group of attacks named Meltdown and Spectre. These attacks may lead to a (complete) disclosure of information in the memory of systems. Integrity and availability are not affected, but information gained using these weaknesses may be used in further attacks.
Meltdown [CVE-2017-5754] allows reading the complete memory of the attacked system using a specifically crafted executable code.
Only those systems can be affected that allow the installation/execution of custom code or load dynamic contents from foreign/untrusted sources. If only the root/administrative user can install/execute custom code, no additional risk exists, as the root/administrative user can read the information without exploiting this vulnerability. If a web browser can be used to view foreign web pages, the Spectre attack must be considered.
Systems that do not allow installation/execution of custom code are not affected.
On Industrial PCs and HMIs that operate with user installable or upgradable operating systems (mainly Windows) the latest version or update may be installed if required in the use case. As the update may have a performance impact, the application should be tested accordingly.
Jann Horn (Google Project Zero), Werner Haas, Thomas Prescher (Cyberus Technology), Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology) published the Meltdown attack on https://meltdownattack.com/.
Jann Horn (Google Project Zero) and Paul Kocher, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61) published the Spectre attack on https://meltdownattack.com/.