Meltdown / Spectre and other bad news to start 2018

Even though we are just a few days into 2018, the worldwide ICT and cybersecurity community is being hit hard by recent vulnerabilities called Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5753)

technology
Bad news to start 2018!

Even though we are just a few days into 2018, the worldwide ICT and cybersecurity community is being hit hard by recent vulnerabilities called Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5753)

Facts

Both these flaws are deep down in the heart of our computers, the CPU. It is widely known that Intel and ARM processors (the ones in our mobile phones) are vulnerable for Meltdown. For Spectre, others (AMD, Nvidia) are also affected. However these bugs being design issues it is highly probable that most modern processors are vulnerable (as always exceptions exist). For an exhaustive and factual list of CPUs affected here’s a good, and regularly updated, online resource.

Although, Meltdown and Spectre are separate and different vulnerabilities, for the sake of readability we consider them as a bundle in this article, mainly because they are both information disclosure vulnerabilities that can be abused to access sensitive information like usernames, passwords, secret keys and alike. Detailed resources including the original research papers are available via meltdownattack.om.

Figures

At the time of this writing, patches (aka updates) for many systems are available and more will be coming in the next days. A coordinated patch disclosure is foreseen for Jan 9th (today). However as the vulnerabilities address the physical layer, software patches can only address exploitation mechanisms, by blocking the access to the vulnerable part of the processor. The ultimate solution can only be achieved by firmware updates and/or hardware replacement (finding an unaffected alternative can be very tricky however).

For end users, the main danger until now, is based on JavaScript code, executed in browsers via malicious websites. Some browser vendors are already providing countermeasures via updates, e.g. Firefox advisory.

The major risk, however concern SaaS/cloud providers, particularly in a shared-hosting environment, where a malicious customer could potentially get access to (sensitive) information or any other customer data hosted on the same hardware, bypassing software containers (e.g. Docker, Xen) and virtual machines (e.g. VMware, HyperV).

Further more, what makes these vulnerabilities most notable from a risk assessment point of view is the breadth of exposure. Since these potentially affect nearly device with a modern processor, that means that full mitigation and remediation may not be possible. Older systems (like Windows XP) and devices (like unmaintained or end-of-life Android smartphones and IoT devices) will likely never receive fixes for these vulnerabilities.

Today, we are not aware of any successful attacks abusing these methods. Proof-of-concept exploits are available, however, real-life exploitation scenarios are not that easily executable.

Measures

The measures/actions to take are relatively simple and straightforward:

  • Users of shared-hosting (i.e. cloud) services should check with their service provider, to determine if, when and how security updates will be applied.
  • Administrators should:
    • Deploy security updates to all systems and devices as soon as they’re available.
    • Consider retiring systems and devices that cannot be updated.
    • Use comprehensive network and endpoint security (e.g. anti-virus, physical isolation of sensitive systems) that can help prevent attacks exploiting these vulnerabilities.

Patching is important, but in this case it might have significant impact on performance or even assurance of the system: On Windows, third-party software (e.g. anti-virus) could make the patch ineffective. Find here a list of antivirus patch statuses.

For specific or detailed support, don’t hesitate to contact our team of experts: CIRCL - info@circl.lu

On the longer run and to prevent from these from an organisational point of view, this six steps enterprise action plan from our C3 partner, the SANS institute, is most relevant.

This is just the beginning

Meltdown and Spectre are serious vulnerabilities and should be addressed as soon as possible. Mitigation is, however, not that easy, especially as patches can have a considerable performance impact (e.g. https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/), the exact loss depends a lot on the load of your system though.

In the meantime, another major software vulnerability was disclosed, which might pose a significant higher threat than Meltdown/Spectre, the recent Western Digital RCE vulnerability.
  • Share with care: