Meltdown and Spectre Vulnerabilities

 

Last updated on 04/31/2018

 

 

NCR VOYIX is aware that Intel has reported issues with released microcode meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection) causing unpredictable system behavior.  On January 22, Intel recommended that customers stop deploying the current microcode version on impacted processors while Intel continues to perform additional testing on the updated solution.   

 

NCR is not aware of any reports to indicate that this Spectre variant 2 (CVE 2017-5715) has been used to attack customers. 

 

On February 20, Intel released new production microcode updates to OEM customers and partners for the 6th, 7th and 8th Generation Intel® Core™ product lines. These updates are intended to address the unpredictable system behavior issues reported in late January.  

 

Please see the Intel Security Center link for details:

<https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr>

 

NCR is aware of the reports of new security vulnerabilities within computer chips produced by Intel, Advanced Micro Devices and ARM holdings. These vulnerabilities are identified as:

CVE-2017-5715CVE-2017-5753CVE-2017-5754

 

The issue potentially impacts a broad range of devices (mobile phones, desktops, servers and cloud systems) from multiple vendors including NCR products. According to Intel, software and firmware updates will be required to address these vulnerabilities. Some software patches have been made available by vendors. NCR is evaluating the recommendations from vendors and developing plans for expedited implementation with an emphasis on reducing impact to our customers' operations.

 

NCR will communicate further as additional mitigation recommendations become available. Further technical information, including many links to vendor communications, is available at https://meltdownattack.com

 

 

Recommendations for Financial Services ATM Customers

 

PC cores in NCR ATMs use chips identified in these reports as being impacted by these vulnerabilities. Current analysis indicates that by fully following the requirements within NCR’s Best Practice Guidelines and following industry best-practice, customers can mitigate the risk of a successful exploit of this vulnerability.

 

1. Deploy January 3, 2018 Microsoft Security Update

 

Intel's website indicated that the vulnerabilities can be mitigated via Microsoft Security Updates.

 

CVE-2017-5753

 

CVE-2017-5754

 

CVE-2017-5715

 

Microsoft released security updates on January 3, 2018 to mitigate against these vulnerabilities. Guidance from Microsoft is available at:

 

https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe

 

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

 

NCR has performed high level ATM lab testing of the security update provided by Microsoft on Windows 7 and Windows 10 and on January 10, 2018, NCR distributed a notification via NCR’s Software Security Team’s ms-security-hotfix mailing list to indicate that testing was successful. Microsoft has not made a patch available for Windows XP.

 

Microsoft has advised that there could be potential performance issues with the patch.  NCR recommends that the patch be tested in the customer’s ATM lab environment prior to deployment.

 

Microsoft has provided additional guidance for customers that are using an anti-virus product.   For more details, customers should contact their supplier of anti-virus products.  NCR’s Solidcore Suite for APTRA is compatible and is not impacted by this patch.    

 

NCR customers and partners who contract for NCR software maintenance can ask their NCR account team to subscribe them to the ms-security-hotfix mailings. 

 

2. Deploy BIOS Update when it becomes available

 

Intel will be providing microcode updates to address, CVE-2017-5715. NCR will integrate the microcode from Intel and release new ATM BIOS versions for impacted cores.

 

The updated ATM BIOS should be deployed, once available, in addition to the Microsoft Security Updates. NCR customers should contact their NCR Account Manager or Professional Services contact to get additional information on the availability of these BIOS updates.

 

If a customer does not have our NCR Secure Remote BIOS Update solution, then these BIOS updates will require on-site visits to the ATMs. Customers should consider deploying NCR Secure Remote BIOS Update to further reduce the costs and operational impact of manual updates.  

 

Customers with NCR Secure Remote BIOS Update solution can utilize remote distribution to update their ATM BIOS. NCR is making updates to NCR Secure Remote BIOS Update to enable the remote delivery of the new BIOS to their ATMs. Availability dates of NCR Secure Remote BIOS Update will be announced as soon as possible.

 

Additional Guidance and Recommendations:

 

Customers should:

 

  1. Follow NCR’s best-practice guidelines detailed within the NCR Logical Security: Security Requirements to Help Protect Against Logical Attacks.
  2. Test and then deploy the January 3, 2018 patches made available by Microsoft as soon as possible.
  3. Test and then deploy updated BIOS for Talladega, Riverside, Pocono, Estoril, Silverstone, and Monza as they become available.  Lanier and Lanier II coresare not impacted. We are awaiting confirmation from Intel on whether Kingsway cores are affected or not. 
  4. Assess and address the same vulnerabilities across the entire enterprise.

 

Customers who would like additional guidance as to their current state of security deployment and how it aligns with NCR’s best practices may wish to avail themselves of the ATM Security Assessment. Further information on this alert please contact Owen Wild.

 

 

Recommendations for Retail, Restaurant, Cinema, Travel and Non-ATM Financial Solutions

 

Customers should:

  1. Test and deploy patches made available by vendors as soon as possible, including the patches made available by Microsoft on January 3, 2018 and SUSE once available specifically to address these vulnerabilities.
  2. Test and deploy BIOS Updates when they become available. Intel will be providing microcode updates to address, CVE-2017-5715.
    • The updated BIOS packages have been posted for the XR8 (7607) and XR7Plus (7703) hardware platforms.
    • Marketing Name NCR Product
      Class/Model
      Motherboard
      Nickname
      CPU Family
      XR7 Plus 7703 Richmond Skylake
      XR8 7607 Daytona Skylake
      XR6 7603 Monte Carlo Haswell
      SelfServ 75 7705-2xxx Monte Carlo Haswell
      SCER UK Post 2244 Monaco Haswell
      SCCO R6 7360 Monaco Haswell
      SCER UK Post 2244 Monaco Haswell
      TP120 2368 Monaco Haswell
      SCCO R6 7360 Monaco Haswell
      XR7 7702 Monaco Haswell
      SelfServ 90 7709 Monaco Haswell
      XK7 8820-2xxx Monaco Haswell
      XR5 7701 Dover Braswell
      P1235 7745 1235 (Braswell) Braswell
      P1532 7734 1532 (Braswell) Braswell
      P1535 7761 1535 (Braswell) Braswell
      P1535 7761 1535 (Braswell) Braswell
      XR3 7613 Dover Braswell
      XR4 7602 Dover Braswell
      82XRT 7606 Pocono Sandy Bridge
      KC4 (Standard) 1924 KC4 (Braswell) Braswell
      RealPOS 72XRT 7616 Bristol II Sandy Bridge
      SelfServ 4 2004 Riverside Sandy Bridge
      SelfServ 4 2004 Riverside Sandy Bridge
      RealPOS 60 Rel. 2.0 7601-3xxx/4xxx Riverside Sandy Bridge
      RealPOS 23 Rel 2.0 7649-4xxx Riverside Sandy Bridge
      SelfServ 75 7705-1xxx Riverside Sandy Bridge
      SelfServ 85 Rel. 2 8006-11xx Riverside Sandy Bridge
    • The updated BIOS should be deployed, once available, in addition to the Microsoft Security Updates.
  3. Follow IT security best-practices. Maintain good security hygiene and security controls.
  4. Review your current security systems and logs for any unexpected activity.
  5. Look for further communications from NCR as additional mitigation recommendations become available.
 
 
NCR’s engineering teams continue to work to determine any further impact on performance and/or functionality. Should changes potentially impact performance/functionality, a formal communication will be sent.

 

 

Update for Managed Services, Hosted Solutions/Cloud Customers

 

NCR teams continue to monitor our Threat Prevention, Detection and Response Center to detect and respond to suspicious activity in our internal and Software as-a Service (SaaS) systems.

 

The actions we are taking include:

 

  • Coordinating the patching of lab equipment with Software Services and Professional Services teams
 
  • Prioritizing vendor contact and patching of internal enterprise IT systems and NCR customer-facing SaaS infrastructure
 
  • Prioritizing external- and internal-facing systems and devices
 
  • Coordinating with hardware and software suppliers regarding patch availability
 
  • Deploying patches into test environments to determine performance impacts
 
  • Deploying patches into production environments after testing, using our standard change management processes