5

I couldn't find any information about the recently published Spectre/Meltdown attacks affecting VIA CPUs.

Are they also affected by this vulnerabilities?

ml_
  • 153
  • 4

2 Answers2

3

VIA's global market share in below 1%, therefore they are not even mentioned.

As the "VIA Nano" generation from 2008 onward, is able to do out-of-order execution (https://en.wikipedia.org/wiki/VIA_Nano), it could be highly possible, they are affected as well.

With respect to their ARM-based products, Cortex A8 and A9 were used there, so they would be vulnerable.

Gambaz
  • 52
  • 1
  • But VIA C3/C7 are safe as they’re in-order… from Meltdown at least. Does Spectre affect them? • Also, market share is not a good metric here; we’re looking at installed devices, for purposes where these are still good (often even *better* than newer CPUs). – mirabilos Jan 05 '18 at 17:38
1

VIA has just recently announced a new "Enterprise IoT Gateway" in November 2017. Press release here: https://www.viatech.com/en/2017/11/artigo-a630-iot-gateway-system/)

The system is based on a Cortex-A9 dual-core SoC, which is per se vulnerable:

Variant 1: bounds check bypass (CVE-2017-5753)

Variant 2: branch target injection (CVE-2017-5715)

(source: https://developer.arm.com/support/security-update)

Also worse is, that the system is delivered with a 3.4.5 Linux Kernel BSP. Even this is not the latest release, which is 3.4.113, the 3.4.x branch is already EOL since October 2016

Not only that this particular version 3.4.5 has a long list of vulnerabilities, see here: https://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/version_id-136438/opgpriv-1/Linux-Linux-Kernel-3.4.5.html but this gives a good outlook what to expect. If a new product is released with a Linux Kernel which has been already EOL for more than one year, plus as we are talking about an embedded system where you can not simply choose the kernel you want, it seems very unlikely that there will be a patch for them.

eZyRiDr
  • 11
  • 1