MELTDOWN AND SPECTRE - UNDERSTANDING AND MITIGATING THE THREATS
By now, you've heard about the processor vulnerabilities affecting almost every processor in common use today; those vulnerabilities are called Meltdown and Spectre.
What is the threat?
In summary, the issues sit in the processors themselves, below the operating system, and can lead to the contents of memory outside the current process being leaked to it. Both would enable an attacker to access confidential information such as passwords, personal information or photos from desktops, laptops, cloud servers or smartphones.
Contrary to some initial reporting, this is not just an Intel bug; it affects AMD and ARM processors as well. In cloud / virtualised environments these flaws could even be used to leak memory outside the running virtual machine.
Mitigating the Threats
The US-CERT website has detailed, regularly updated advisories for most of the relevant vendors. The patches referenced there should be considered preliminary: they protect against the most obvious paths to exploitation, but further patches are expected, both to address the potentially significant performance hit these patches introduce and to widen mitigation coverage. Spectre, in particular, will require follow-on patching. Due to the nature of these patches, reboots will be required. So in the short term, patch and reboot everything.
That said, please note the following advice from the SANS NewsBites editors on how to prioritise patching, and when to potentially NOT patch:
- All devices that use these chips are affected, so you also need to think about network security devices that may be vulnerable: firewalls, proxy servers, routers, etc. Best to contact the vendors of these devices to get information from them on how they are handling it.
- There are two reasons to consider not installing this patch: First of all, some anti-virus products may not work after it is installed, or may even crash the system. Microsoft tried to cover this part and will disable the patch on affected systems. Secondly, systems may suffer a performance hit, in particular if they use software that heavily relies on syscalls (typically heavy I/O workloads). This isn't remote code execution, so test carefully and don't fall into panic mode. Prioritise exposed shared systems.
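Because the advice above is "patch, reboot, then verify", the following added check (not part of this advisory, and not from SANS or meltdownattack.com) shows one way to confirm on a Linux host that the kernel is actually reporting the mitigations as active. It assumes the kernel's sysfs status files under /sys/devices/system/cpu/vulnerabilities/ (present in kernels that carry the fixes); the sample status strings are constructed for a partially patched host.

```python
from pathlib import Path

# Linux sysfs directory in which patched kernels report per-vulnerability status
# (assumption: not mentioned on the page; absent on unpatched / older kernels).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# Kernel file names mapped to the CVE identifiers quoted in this advisory.
CHECKS = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}

def classify(status: str) -> str:
    """Map one status line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def assess(statuses: dict) -> dict:
    """Return {name: (cve, verdict, detail)}. A missing file (None) means the running
    kernel predates the fixes or was not rebooted into them, so it counts as unknown."""
    report = {}
    for name, cve in CHECKS.items():
        raw = statuses.get(name)
        verdict = "unknown" if raw is None else classify(raw)
        report[name] = (cve, verdict, (raw or "").strip())
    return report

def read_sysfs(path: Path = SYSFS_DIR) -> dict:
    """Read the live status files; unreadable or absent files map to None."""
    result = {}
    for name in CHECKS:
        try:
            result[name] = (path / name).read_text()
        except OSError:
            result[name] = None
    return result

def needs_action(report: dict) -> list:
    """Entries still 'vulnerable' or 'unknown': patch, reboot and re-run this check."""
    return [n for n, (_, verdict, _) in report.items() if verdict in ("vulnerable", "unknown")]

# Constructed sample shaped like kernel output on a host with only the Meltdown fix applied.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable: __user pointer sanitization and usercopy barriers only\n",
    "spectre_v2": None,
}

if __name__ == "__main__":
    report = assess(read_sysfs() if SYSFS_DIR.is_dir() else SAMPLE)
    for name, (cve, verdict, detail) in report.items():
        print(f"{name:11} {cve}: {verdict:12} {detail}")
    print("needs action:", needs_action(report))
```

On a non-Linux host the script falls back to the constructed sample so the output format can still be seen; a real run only tells you what the kernel reports, and firmware (microcode) updates from the hardware vendor are still needed for full Spectre coverage.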
Questions & Answers
Why is it called Meltdown?
The bug basically melts security boundaries which are normally enforced by the hardware.
Why is it called Spectre?
The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.
Which flaw is worse?
Asked which of the two flaws posed the greater challenge, Daniel Gruss (the security researcher who initially identified the flaws) said: "The immediate problem is Meltdown.
"After that it is going to be Spectre. Spectre is more difficult to exploit but also to mitigate. So in the long run I'd bet on Spectre."
Am I affected by the bug?
Most certainly, yes.
Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.
Can my antivirus detect or block this attack?
While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.
What can be leaked?
If your system is affected, the security researchers' proof-of-concept exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.
Which systems are affected by Meltdown?
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). The security researchers successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, they have only verified Meltdown on Intel processors.
Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, the security researchers have verified Spectre on Intel, AMD, and ARM processors.
Which cloud providers are affected by Meltdown?
Cloud providers that use Intel CPUs and Xen PV virtualisation without having patches applied are affected. Furthermore, cloud providers without real hardware virtualisation, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ, are affected.
What is the difference between Meltdown and Spectre?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their own memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion, we refer to the papers (Meltdown and Spectre).
What are CVE-2017-5753 and CVE-2017-5715?
CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by the MITRE organisation.
What is CVE-2017-5754?
CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
Can I see Meltdown in action?
Source of Q&A information: https://meltdownattack.com