Meltdown and Spectre: Cybersecurity Vulnerabilities

January 12, 2018 2:05 pm

As you may know, a series of newly discovered vulnerabilities affecting Intel, AMD and ARM processor chips could permit attackers to gain unauthorized access to a computer's memory. The vulnerabilities have been dubbed Meltdown and Spectre and affect nearly all modern processors. The vulnerabilities can only be mitigated through operating system patches or firmware updates.

Details:

  • Meltdown (CVE-2017-5754) exploits a flaw in out-of-order execution, a performance feature found in many modern processor chips. If successfully exploited, an attacker can obtain a copy of the entire kernel address space, including any mapped physical memory; in other words, any data stored in memory at the time of the attack.
  • Spectre (CVE-2017-5753 and CVE-2017-5715) has a similar outcome but works in a slightly different way, and exploits a flaw in processor design to trick an application into leaking information stored in memory.
  • Neither vulnerability is currently being exploited in the wild.
  • The vulnerabilities are significant, since a successful exploit could allow attackers to gain unauthorized access to sensitive data, including passwords.
  • However, exploitation of any vulnerable computer would require the attackers to gain access to the targeted computer via a prior step, such as running a malicious application, or through JavaScript that triggers an exploit in order to run as native code.

Patching and compatibility:

  • There are multiple reports that the patches can impact system performance and compatibility. Due care should be taken to test changes, including consultations with vendors, to prevent any negative impact from the patches.
  • IT System Administrators are advised to test any patches prior to deployment. Testing should begin immediately.
  • Several cloud vendors are already patching their systems aggressively; users of cloud infrastructure (AWS, Azure, Google, etc.) may still need to apply operating system patches.
  • Patches have already been released for Microsoft Windows 10, Apple macOS, and Linux to patch the Meltdown vulnerability. Microsoft will release patches for legacy operating systems next week.
  • Work is underway to develop a patch for Spectre. It is reportedly more difficult to patch but also more difficult to exploit.
  • Trend are still testing compatibility and have released a knowledge-base article with the status of their products and some steps to prepare for patching.
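
On Linux hosts, one way to confirm after patching that the mitigations are actually active is to read the kernel's per-issue status files. The script below is an added example, not part of the original advisory; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/, and the function names and state labels are illustrative.

```python
from pathlib import Path

# Assumption: the running kernel exposes per-issue status files here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# CVE identifiers from the advisory mapped to the kernel's sysfs file names.
CHECKS = {
    "CVE-2017-5754 (Meltdown)": "meltdown",
    "CVE-2017-5753 (Spectre)": "spectre_v1",
    "CVE-2017-5715 (Spectre)": "spectre_v2",
}

def classify(raw):
    """Map one sysfs status line to a coarse state."""
    if raw is None:
        # File absent: the kernel predates status reporting, so the host
        # cannot be confirmed as patched and is treated as unverified.
        return "unknown"
    text = raw.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def audit(base=SYSFS_DIR):
    """Return {label: (state, raw_text)} for each CVE in CHECKS."""
    results = {}
    for label, name in CHECKS.items():
        try:
            raw = (Path(base) / name).read_text()
        except OSError:
            raw = None
        results[label] = (classify(raw), (raw or "").strip())
    return results

def needs_action(results):
    """Labels whose state is neither mitigated nor not_affected."""
    return sorted(label for label, (state, _) in results.items()
                  if state not in ("mitigated", "not_affected"))

if __name__ == "__main__":
    report = audit()
    for label, (state, raw) in report.items():
        print(f"{label}: {state} {raw!r}")
    # Non-zero exit lets patch-validation jobs flag the host.
    raise SystemExit(1 if needs_action(report) else 0)
```

Run it on a test machine before and after applying the operating system patch; a missing status file is reported as "unknown" rather than as patched.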

Additional Information:
Initial Disclosure: https://googleprojectzero.blogspot.ro/2018/01/reading-privileged-memory-with-side.html
Microsoft Azure: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
Microsoft: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution-s
AWS: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
VMware: https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html
RHEL: https://access.redhat.com/security/vulnerabilities/speculativeexecution
Trend: http://blog.trendmicro.com/fixing-meltdown-spectre-vulnerabilities/

Other interesting articles:
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/
https://spectreattack.com/
https://www.bleepingcomputer.com/news/security/google-almost-all-cpus-since-1995-vulnerable-to-meltdown-and-spectre-flaws/
https://venturebeat.com/2018/01/03/aws-google-and-microsoft-promise-their-clouds-are-mostly-protected-from-processor-flaw/
https://thehackernews.com/2018/01/meltdown-spectre-vulnerability.html