Meltdown and Spectre
SUMMARY
A collaboration between multiple security industry and academic researchers led to the discovery of two separate vulnerabilities. The two vulnerabilities have been named “Meltdown” and “Spectre” and take advantage of flaws in the design of computer processors.
SIGNIFICANCE
The significance and concern is that these vulnerabilities are not tied to a specific operating system, as some critical vulnerabilities are. Meltdown and Spectre take advantage of the performance-boosting features "speculative execution" and "caching". These features have been built into almost all modern processors (those made within the last 20 years). Without a patch or update, most devices are vulnerable, including computers, servers, and mobile devices.
Meltdown
- This vulnerability is based on modern processors' out-of-order execution feature
- Meltdown abuses this feature to read arbitrary memory locations
- If successfully exploited, it allows a program to access system memory and access content from other programs and the operating system itself
- Result: an attacker can use a program running on a machine to escalate privileges and gain access to data from all over that machine, including content from other programs and data that only privileged users should have access to.
- There are patches against Meltdown for Linux, Windows, and OS X.
Spectre
- Breaks the isolation between different applications
- Allows an attacker to break out of error-free programs (such as a browser sandbox)
- Unlike Meltdown, does not allow an unprivileged process to read privileged memory
- Allows attacker code running in the victim process to read data it should not have access to (e.g. from outside of a JavaScript sandbox)
- Result: in a web browser, for example, an attacker can use Spectre to break out of one tab and read sensitive information from another tab that would normally not be accessible
- Patches have been created, but fully mitigating it will likely require many patches over time
- Spectre is harder to exploit than Meltdown, but it is also harder to mitigate
POTENTIAL THREAT
At this time there is no evidence that a related exploit has been used in the wild. However, since the details of the vulnerabilities have been publicly disclosed and proof-of-concept code of varying maturity quickly surfaced, it can be assumed that both vulnerabilities are being exploited.
Since processors from all of the popular vendors are affected, this is a very large attack surface.
MITIGATION
The vulnerabilities exist at the hardware level of the processor design, so they cannot be fixed completely with a patch. Processor vendors and the major software and hardware companies are releasing patches that work around the problems.
Patches and Updates
- Meltdown - patches have been released for Linux, OS X, and Windows
- Spectre - software patches are available, but they are less broadly effective than those for Meltdown. Vendors are shipping security patches to mitigate the browser-specific Spectre vulnerabilities.
Actions
- Security Monitoring: Do not assume that defense-focused security monitoring will fully protect your network. Like any other vulnerability, these can be used as tools by attackers, so you also need to monitor as if your network has already been compromised.
- Security Architecture and Infrastructure: Reassess your security architecture from the perspective of an attacker with unprivileged access who can elevate the privileges of an account. Consider what they would have access to at the higher privilege level and how you could prevent a complete compromise.
- Change Management:
  - Ensure that you have a solid change management plan that accounts for scheduled updates and out-of-band patches
  - These vulnerabilities will likely continue to receive ongoing patches, but there are plenty of other threats out there that you should be regularly patching for as well
  - Specific patches for Meltdown and Spectre should be tested, since there have been known compatibility issues and clear performance impacts as a result of the updates.
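Verifying that a Linux host actually reports its Meltdown and Spectre patches as applied is part of both the "Patches and Updates" list and the change-management testing step above. The script below is an added example, not part of the original advisory or of any vendor tooling. It reads the sysfs interface that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities (files named meltdown, spectre_v1 and spectre_v2, whose contents begin with "Not affected", "Mitigation: ..." or "Vulnerable"), classifies each status, and reduces a set of statuses to one overall verdict. The `sample_overall` input is constructed for illustration and is not real output from any machine; on a system without that sysfs directory the live report only prints a note.

```shell
#!/bin/sh
# Added example: report Linux kernel Meltdown/Spectre mitigation status from
# the sysfs interface introduced in kernel 4.15. Not part of the advisory.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status string to a short verdict.
classify_status() {
  case "$1" in
    "Not affected"*) echo "ok" ;;
    "Mitigation:"*)  echo "mitigated" ;;
    "Vulnerable"*)   echo "vulnerable" ;;   # covers "Vulnerable: ..." partial states too
    *)               echo "unknown" ;;
  esac
}

# Read "name=status" lines on stdin (one per vulnerability file) and print the
# overall verdict: "vulnerable" if any entry is, otherwise "unknown" if any
# entry could not be parsed, otherwise "ok" (all patched or not affected).
overall_verdict() {
  worst=ok
  while IFS='=' read -r name status; do
    [ -n "$name" ] || continue
    v=$(classify_status "$status")
    case "$v" in
      vulnerable) worst=vulnerable ;;
      unknown)    [ "$worst" = vulnerable ] || worst=unknown ;;
    esac
  done
  echo "$worst"
}

# Live report for this host. Only meaningful on Linux 4.15+; elsewhere it
# prints a note so the script can still run as part of a patch-verification job.
report_live() {
  if [ ! -d "$SYSFS_VULN_DIR" ]; then
    echo "no $SYSFS_VULN_DIR (kernel too old or not Linux); consult vendor guidance instead"
    return 0
  fi
  for f in "$SYSFS_VULN_DIR"/meltdown "$SYSFS_VULN_DIR"/spectre_v1 "$SYSFS_VULN_DIR"/spectre_v2; do
    [ -r "$f" ] || continue
    s=$(cat "$f")
    printf '%s: %s [%s]\n' "$(basename "$f")" "$s" "$(classify_status "$s")"
  done
}

# Constructed sample (not real output): a host patched for Meltdown and
# Spectre v2 but still reporting Spectre v1 as vulnerable. Verdict: vulnerable.
sample_overall() {
  overall_verdict <<'EOF'
meltdown=Mitigation: PTI
spectre_v1=Vulnerable
spectre_v2=Mitigation: Full generic retpoline
EOF
}

report_live
echo "constructed sample overall verdict: $(sample_overall)"
```

A non-"ok" verdict from `overall_verdict` is a reasonable gate in a post-patch check: it flags hosts where a kernel update was installed but the mitigation is not active (for example because the host was not rebooted, or the mitigation was disabled on the kernel command line), which is exactly the state change-management testing should catch.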
References
- SANS Webcast: https://www.renditioninfosec.com/2018/01/meltdown-and-spectre-vulnerability-slides/
- Meltdown and Spectre Official Page: https://meltdownattack.com/
- Official Spectre Report: https://spectreattack.com/spectre.pdf
- Official Meltdown Report: https://meltdownattack.com/meltdown.pdf
- Google’s Spectre Fix: http://www.zdnet.com/article/google-our-brilliant-spectre-fix-dodges-performance-hit-so-you-should-all-use-it/
- RenditionSec Action Plan: https://www.renditioninfosec.com/2018/01/meltdown-and-sceptre-enterprise-action-plan/