On November 12, Intel disclosed a new processor-based speculative execution vulnerability as well as several firmware/platform vulnerabilities across their products. While an attacker would need network adjacency, local network or physical access, user intervention, or local code execution to exploit these vulnerabilities on our recommended hardware, we suggest applying the upgrades as they become available to ensure defense in depth. Some updates will happen automatically, and some will require admin intervention (see below).
We will be updating this advisory as new information becomes available. If you have specific questions about how these vulnerabilities impact your deployment, please contact us through the Support Portal (membership is available to SecureDrop administrators on request) or via email@example.com (GPG encrypted).
Assessment of vulnerabilities to SecureDrop
Based on our initial assessment, the vulnerabilities can only be exploited by an adversary with network adjacency, local network, physical access or local code execution on the host. As a result, we estimate the likelihood of exploitation as follows:
Journalist and Admin Workstations
Depending on the deployment model and network setup of these workstations (i.e., which parties have access to the network, and what purposes it is used for), we believe the likelihood of exploitation to be low to moderate.
SecureDrop servers (Application and Monitor Servers)
Given the presence of the hardware firewall, the likelihood of exploitation on servers is low.
Secure Viewing Station
Since the Secure Viewing Station has networking removed or disabled, the likelihood of exploitation is low.
What administrators need to do
OS-level updates on SecureDrop servers will be applied automatically. You will need to manually apply firmware updates for both servers and workstations when they are available, as well as upgrade your workstations to a new version of Tails when it is available.
- Intel microcode updates have already been shipped by upstream Ubuntu and applied through the automatic nightly package updates.
- The SecureDrop team will update the grsecurity kernel to 4.14.154 as part of the next release, scheduled for December 3rd, which will contain kernel fixes, including updated network and graphics device drivers.
- BIOS and UEFI firmware updates (servers): the server manufacturer will make available BIOS/UEFI fixes for your platform. We will update this advisory with detailed steps for recommended hardware once updates become available.
- BIOS and UEFI firmware updates (workstations): the hardware manufacturer will make available BIOS/UEFI fixes for your platform. We will update this advisory with instructions for selected T series ThinkPad laptops once updates become available.
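As an added example, not part of SecureDrop's own tooling, the following POSIX shell script lets an administrator confirm on an Ubuntu server or workstation that the running kernel is at least the 4.14.154 named above and that the kernel's own per-vulnerability status entries no longer report "Vulnerable". The sysfs path, the "Vulnerable"/"Mitigation" status prefixes, and the use of dmesg for microcode load messages are the kernel's standard reporting and are assumed here rather than taken from the advisory.

```shell
#!/bin/sh
# Added verification helper, not part of SecureDrop's own tooling. Assumes the
# standard Linux sysfs layout and a kernel version string of the form X.Y.Z-suffix.
MIN_KERNEL="4.14.154"   # grsecurity kernel version the advisory says will ship next
VULN_DIR="/sys/devices/system/cpu/vulnerabilities"
# kernel_at_least RUNNING MINIMUM: succeed when RUNNING (e.g. 4.14.154-grsec)
# is at least MINIMUM, comparing the three numeric components in order.
kernel_at_least() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "-grsec", "-generic", ...
    want=$2; i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s' "$have" | cut -d. -f"$i"); w=$(printf '%s' "$want" | cut -d. -f"$i")
        [ "${h:-0}" -gt "${w:-0}" ] && return 0
        [ "${h:-0}" -lt "${w:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# unmitigated DIR: print each sysfs entry whose status starts with "Vulnerable";
# succeed only when none does. DIR defaults to the live sysfs directory.
unmitigated() {
    dir=${1:-$VULN_DIR}; found=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) printf '%s\n' "${f##*/}"; found=1 ;;
        esac
    done
    return "$found"
}

# check_host: run both checks against the live system and report.
check_host() {
    running=$(uname -r)
    if kernel_at_least "$running" "$MIN_KERNEL"; then
        echo "kernel $running: OK (>= $MIN_KERNEL)"
    else
        echo "kernel $running: older than $MIN_KERNEL, wait for the next release"
    fi
    if [ ! -d "$VULN_DIR" ]; then
        echo "sysfs: $VULN_DIR missing, kernel predates per-vulnerability reporting"
    elif unmitigated "$VULN_DIR"; then
        echo "sysfs: no entry reports Vulnerable"
    fi
    # Microcode loads are logged at boot; dmesg may require root on hardened kernels.
    dmesg 2>/dev/null | grep -i microcode | tail -n 3
}
check_host
```

Any entry name printed by the sysfs check is one the running kernel still considers unmitigated, which on a server usually means the microcode or kernel update has not yet been applied or the host has not been rebooted since.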