Meltdown and Spectre Vulnerabilities
Last updated on 04/31/2018
NCR VOYIX is aware that Intel has reported issues with released microcode meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection) causing unpredictable system behavior. On January 22, Intel recommended that customers stop deploying the current microcode version on impacted processors while Intel continues to perform additional testing on the updated solution.
NCR is not aware of any reports to indicate that this Spectre variant 2 (CVE 2017-5715) has been used to attack customers.
On February 20, Intel released new production microcode updates to OEM customers and partners for the 6th, 7th and 8th Generation Intel® Core™ product lines. These updates are intended to address the unpredictable system behavior issues reported in late January.
Please see the Intel Security Center link for details:
<https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr>
NCR is aware of the reports of new security vulnerabilities within computer chips produced by Intel, Advanced Micro Devices and ARM holdings. These vulnerabilities are identified as:
CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
The issue potentially impacts a broad range of devices (mobile phones, desktops, servers and cloud systems) from multiple vendors including NCR products. According to Intel, software and firmware updates will be required to address these vulnerabilities. Some software patches have been made available by vendors. NCR is evaluating the recommendations from vendors and developing plans for expedited implementation with an emphasis on reducing impact to our customers' operations.
NCR will communicate further as additional mitigation recommendations become available. Further technical information, including many links to vendor communications, is available at https://meltdownattack.com
Recommendations for Financial Services ATM Customers
PC cores in NCR ATMs use chips identified in these reports as being impacted by these vulnerabilities. Current analysis indicates that by fully following the requirements within NCR’s Best Practice Guidelines and following industry best-practice, customers can mitigate the risk of a successful exploit of this vulnerability.
1. Deploy January 3, 2018 Microsoft Security Update
Intel's website indicated that the vulnerabilities can be mitigated via Microsoft Security Updates.
Microsoft released security updates on January 3, 2018 to mitigate against these vulnerabilities. Guidance from Microsoft is available at:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
NCR has performed high level ATM lab testing of the security update provided by Microsoft on Windows 7 and Windows 10 and on January 10, 2018, NCR distributed a notification via NCR’s Software Security Team’s ms-security-hotfix mailing list to indicate that testing was successful. Microsoft has not made a patch available for Windows XP.
Microsoft has advised that there could be potential performance issues with the patch. NCR recommends that the patch be tested in the customer’s ATM lab environment prior to deployment.
Microsoft has provided additional guidance for customers that are using an anti-virus product. For more details, customers should contact their supplier of anti-virus products. NCR’s Solidcore Suite for APTRA is compatible and is not impacted by this patch.
NCR customers and partners who contract for NCR software maintenance can ask their NCR account team to subscribe them to the ms-security-hotfix mailings.
2. Deploy BIOS Update when it becomes available
Intel will be providing microcode updates to address, CVE-2017-5715. NCR will integrate the microcode from Intel and release new ATM BIOS versions for impacted cores.
The updated ATM BIOS should be deployed, once available, in addition to the Microsoft Security Updates. NCR customers should contact their NCR Account Manager or Professional Services contact to get additional information on the availability of these BIOS updates.
If a customer does not have our NCR Secure Remote BIOS Update solution, then these BIOS updates will require on-site visits to the ATMs. Customers should consider deploying NCR Secure Remote BIOS Update to further reduce the costs and operational impact of manual updates.
Customers with NCR Secure Remote BIOS Update solution can utilize remote distribution to update their ATM BIOS. NCR is making updates to NCR Secure Remote BIOS Update to enable the remote delivery of the new BIOS to their ATMs. Availability dates of NCR Secure Remote BIOS Update will be announced as soon as possible.
Additional Guidance and Recommendations:
Customers should:
- Follow NCR’s best-practice guidelines detailed within the NCR Logical Security: Security Requirements to Help Protect Against Logical Attacks.
- Test and then deploy the January 3, 2018 patches made available by Microsoft as soon as possible.
- Test and then deploy updated BIOS for Talladega, Riverside, Pocono, Estoril, Silverstone, and Monza as they become available. Lanier and Lanier II coresare not impacted. We are awaiting confirmation from Intel on whether Kingsway cores are affected or not.
- Assess and address the same vulnerabilities across the entire enterprise.
Customers who would like additional guidance as to their current state of security deployment and how it aligns with NCR’s best practices may wish to avail themselves of the ATM Security Assessment. Further information on this alert please contact Owen Wild.
Recommendations for Retail, Restaurant, Cinema, Travel and Non-ATM Financial Solutions
Customers should:
- Test and deploy patches made available by vendors as soon as possible, including the patches made available by Microsoft on January 3, 2018 and SUSE once available specifically to address these vulnerabilities.
- Test and deploy BIOS Updates when they become available. Intel will be providing microcode updates to address, CVE-2017-5715.
- The updated BIOS packages have been posted for the XR8 (7607) and XR7Plus (7703) hardware platforms.
- The updated BIOS should be deployed, once available, in addition to the Microsoft Security Updates.
Marketing Name NCR Product
Class/ModelMotherboard
NicknameCPU Family XR7 Plus 7703 Richmond Skylake XR8 7607 Daytona Skylake XR6 7603 Monte Carlo Haswell SelfServ 75 7705-2xxx Monte Carlo Haswell SCER UK Post 2244 Monaco Haswell SCCO R6 7360 Monaco Haswell SCER UK Post 2244 Monaco Haswell TP120 2368 Monaco Haswell SCCO R6 7360 Monaco Haswell XR7 7702 Monaco Haswell SelfServ 90 7709 Monaco Haswell XK7 8820-2xxx Monaco Haswell XR5 7701 Dover Braswell P1235 7745 1235 (Braswell) Braswell P1532 7734 1532 (Braswell) Braswell P1535 7761 1535 (Braswell) Braswell P1535 7761 1535 (Braswell) Braswell XR3 7613 Dover Braswell XR4 7602 Dover Braswell 82XRT 7606 Pocono Sandy Bridge KC4 (Standard) 1924 KC4 (Braswell) Braswell RealPOS 72XRT 7616 Bristol II Sandy Bridge SelfServ 4 2004 Riverside Sandy Bridge SelfServ 4 2004 Riverside Sandy Bridge RealPOS 60 Rel. 2.0 7601-3xxx/4xxx Riverside Sandy Bridge RealPOS 23 Rel 2.0 7649-4xxx Riverside Sandy Bridge SelfServ 75 7705-1xxx Riverside Sandy Bridge SelfServ 85 Rel. 2 8006-11xx Riverside Sandy Bridge - Follow IT security best-practices. Maintain good security hygiene and security controls.
- Review your current security systems and logs for any unexpected activity.
- Look for further communications from NCR as additional mitigation recommendations become available.
NCR’s engineering teams continue to work to determine any further impact on performance and/or functionality. Should changes potentially impact performance/functionality, a formal communication will be sent.
Update for Managed Services, Hosted Solutions/Cloud Customers
NCR teams continue to monitor our Threat Prevention, Detection and Response Center to detect and respond to suspicious activity in our internal and Software as-a Service (SaaS) systems.
The actions we are taking include:
- Coordinating the patching of lab equipment with Software Services and Professional Services teams
- Prioritizing vendor contact and patching of internal enterprise IT systems and NCR customer-facing SaaS infrastructure
- Prioritizing external- and internal-facing systems and devices
- Coordinating with hardware and software suppliers regarding patch availability
- Deploying patches into test environments to determine performance impacts
- Deploying patches into production environments after testing, using our standard change management processes