Earlier this year, on January 3, 2018, researchers disclosed three vulnerabilities that could allow an unprivileged local attacker, in specific circumstances, to read privileged memory belonging to other processes or memory allocated to the operating system kernel. These vulnerabilities are described in CVE-2017-5753 and CVE-2017-5715, which are collectively known as Spectre, and CVE-2017-5754, known as Meltdown. For additional information about the disclosure, please visit https://meltdownattack.com/.
To take advantage of these vulnerabilities, an attacker must be able to run code on an affected device. While the underlying CPU and/or operating systems may be affected by these vulnerabilities, our SBC device is a closed system that under normal circumstances does not allow customers to run custom code. As a result, if customers are following our recommended deployment procedure (as outlined in IP Firewall Security), they should not be vulnerable to this issue.
Furthermore, the current technical solutions to the Spectre problems vary between different Intel processors and carry a high risk of system instability.
Sangoma feels that the risk of such solutions is not acceptable for mission-critical products such as Sangoma's SBC.
Sangoma will continue to monitor and evaluate Spectre solutions and will make appropriate changes when the risk is deemed acceptable.