Last updated on 02/28/2018
NCR is aware that Intel has reported issues with released microcode meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection) causing unpredictable system behavior. On January 22, Intel recommended that customers stop deploying the current microcode version on impacted processors while Intel continues to perform additional testing on the updated solution.
NCR is not aware of any reports to indicate that this Spectre variant 2 (CVE 2017-5715) has been used to attack customers.
On February 20, Intel released new production microcode updates to OEM customers and partners for the 6th, 7th and 8th Generation Intel® Core™ product lines. These updates are intended to address the unpredictable system behavior issues reported in late January.
Please see the Intel Security Center link for details:
NCR is aware of the reports of new security vulnerabilities within computer chips produced by Intel, Advanced Micro Devices and ARM holdings. These vulnerabilities are identified as:
The issue potentially impacts a broad range of devices (mobile phones, desktops, servers and cloud systems) from multiple vendors including NCR products. According to Intel, software and firmware updates will be required to address these vulnerabilities. Some software patches have been made available by vendors. NCR is evaluating the recommendations from vendors and developing plans for expedited implementation with an emphasis on reducing impact to our customers' operations.
NCR will communicate further as additional mitigation recommendations become available. Further technical information, including many links to vendor communications, is available at https://meltdownattack.com
Recommendations for Financial Services ATM Customers
PC cores in NCR ATMs use chips identified in these reports as being impacted by these vulnerabilities. Current analysis indicates that by fully following the requirements within NCR’s Best Practice Guidelines and following industry best-practice, customers can mitigate the risk of a successful exploit of this vulnerability.
1. Deploy January 3, 2018 Microsoft Security Update
Intel's website indicated that the vulnerabilities can be mitigated via Microsoft Security Updates.
Microsoft released security updates on January 3, 2018 to mitigate against these vulnerabilities. Guidance from Microsoft is available at:
NCR has performed high level ATM lab testing of the security update provided by Microsoft on Windows 7 and Windows 10 and on January 10, 2018, NCR distributed a notification via NCR’s Software Security Team’s ms-security-hotfix mailing list to indicate that testing was successful. Microsoft has not made a patch available for Windows XP.
Microsoft has advised that there could be potential performance issues with the patch. NCR recommends that the patch be tested in the customer’s ATM lab environment prior to deployment.
Microsoft has provided additional guidance for customers that are using an anti-virus product. For more details, customers should contact their supplier of anti-virus products. NCR’s Solidcore Suite for APTRA is compatible and is not impacted by this patch.
NCR customers and partners who contract for NCR software maintenance can ask their NCR account team to subscribe them to the ms-security-hotfix mailings.
2. Deploy BIOS Update when it becomes available
Intel will be providing microcode updates to address, CVE-2017-5715. NCR will integrate the microcode from Intel and release new ATM BIOS versions for impacted cores.
The updated ATM BIOS should be deployed, once available, in addition to the Microsoft Security Updates. NCR customers should contact their NCR Account Manager or Professional Services contact to get additional information on the availability of these BIOS updates.
If a customer does not have our NCR Secure Remote BIOS Update solution, then these BIOS updates will require on-site visits to the ATMs. Customers should consider deploying NCR Secure Remote BIOS Update to further reduce the costs and operational impact of manual updates.
Customers with NCR Secure Remote BIOS Update solution can utilize remote distribution to update their ATM BIOS. NCR is making updates to NCR Secure Remote BIOS Update to enable the remote delivery of the new BIOS to their ATMs. Availability dates of NCR Secure Remote BIOS Update will be announced as soon as possible.
Additional Guidance and Recommendations:
1. Follow NCR’s best-practice guidelines detailed within the NCR Logical Security: Security Requirements to Help Protect Against Logical Attacks.
2. Test and then deploy the January 3, 2018 patches made available by Microsoft as soon as possible.
3. Test and then deploy updated BIOS for Talladega, Riverside, Pocono, Estoril, Silverstone, and Monza as they become available. Lanier and Lanier II coresare not impacted. We are awaiting confirmation from Intel on whether Kingsway cores are affected or not.
4. Assess and address the same vulnerabilities across the entire enterprise.
Customers who would like additional guidance as to their current state of security deployment and how it aligns with NCR’s best practices may wish to avail themselves of the ATM Security Assessment. Further information on this alert please contact Owen Wild.
Recommendations for Retail, Restaurant, Cinema, Travel and Non-ATM Financial Solutions
NCR’s engineering teams continue to work to determine any further impact on performance and/or functionality. Should changes potentially impact performance/functionality, a formal communication will be sent.
Update for Managed Services, Hosted Solutions/Cloud Customers
NCR teams continue to monitor our Threat Prevention, Detection and Response Center to detect and respond to suspicious activity in our internal and Software as-a Service (SaaS) systems.
The actions we are taking include: