Meltdown and Spectre Overview
Meltdown and Spectre are kernel vulnerabilities that can result in the loss of system confidentiality through access to unauthorized memory locations on the local system. Meltdown (CVE-2017-5754) affects Intel chips – mostly impacting PCs. Spectre is broader and is based on two separate vulnerabilities (CVE-2017-5753 and CVE-2017-5715) and also impacts AMD and ARM chips, so most PCs, Apple devices, and smartphones are also impacted. Cloud and virtualized environments can also leak memory outside the running virtual machine.
No exploits of these vulnerabilities have been observed yet; however, expect a wave of attempted attacks given the widespread nature of vulnerable systems and extensive media exposure of the vulnerabilities. Proof-of-concept code exists that shows the possibility of stealing passwords or other data from the system.
The Software Engineering Institute (SEI) CERT originally released a statement that only replacing the chips would mitigate the vulnerabilities. It later issued a correction that firmware and software updates could mitigate the vulnerability. DHS issued an alert based on the original SEI statement saying that chip replacement will be required.
Microsoft Azure performance and availability were affected after the environment was patched and some servers failed to come back online.
Scope of Affected Devices
Almost all systems utilizing Intel, AMD, and ARM chips are affected, including PCs, Linux devices, Apple iPads and iPhones, Macs, Android phones, and most other smartphones. Also impacted are a wide variety of appliances, special-purpose machines, and networking devices, which may not receive patches as quickly as the common endpoints. Apple noted that Apple Watches are not affected.
Intel Security Advisory
ARM Security Update
Amazon Security Bulletin
Apple Security Advisory
Google Project Zero Blog
Microsoft Security Guidance
Red Hat Vulnerability Response
VMWare Vulnerability Advisory
Both Meltdown and Spectre require the vulnerable machine to execute malicious code. The best prevention in the short-term is to consider all points by which code may be executed. In the case of a server resource, this could be through a service interface but the most likely point of ingress without additional compromise is through active code executed within a browser process.
- Microsoft, Apple, Mozilla, and others have patches or workarounds in development for their browser process. Google Chrome already contains an experimental feature that can prevent these attacks at chrome://flags/#enable-site-per-process. Apply these patches or workarounds as soon as possible so that you can validate them in your environment.
- Consider business cases for leveraging web browsers or consuming web resources on servers and critical systems. Consuming web resources has the potential to allow uninspected and non-validated code to reach the machine, and potentially execute malicious functionality like that seen in Spectre and Meltdown.
- CPU-level firmware patches are in development, and are beginning to roll out for many CPU types and vendors. Due to the nature of how the exploit must occur, Meltdown and Spectre minimally impact systems which only communicate outbound but do not retrieve any unmanaged data from other sources. For instance, while a system containing sensitive data may be vulnerable, if that system does not have an active listening service capable of executing submitted client-side code it cannot be exploited at this time. Consider these security risk vs. performance trade-offs when deciding whether or not to patch these systems.
- Follow your normal patch testing procedure before applying patches to critical systems or performing a mass update. There have been various reports that certain patches and system combinations caused systems to crash and not be recoverable, even after attempting to reinstall the operating system.
- Before applying vendor patches, review performance and capacity planning to identify critical systems that already have high CPU utilization (for example, over 70%), as patching will cause systems to slow by up to 30%. Future patches may limit the performance trade-off, but in the interim vendors are issuing emergency patches and accepting the performance trade-off in favor of limiting the vulnerability.
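One way to confirm after patching that a Linux host actually reports mitigations for the three CVEs named above, as an added example that is not part of the original advisory: kernels from 4.15 onward (and distribution backports) expose per-vulnerability status under /sys/devices/system/cpu/vulnerabilities/. The function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read Meltdown/Spectre mitigation status from Linux sysfs.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT -> NOT_AFFECTED | MITIGATED | VULNERABLE | UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_cpu_vulns [DIR] -> one line per CVE; returns 1 if any entry is
# VULNERABLE or cannot be confirmed.
check_cpu_vulns() {
    dir="${1:-$VULN_DIR}"
    rc=0
    for pair in CVE-2017-5754:meltdown CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2; do
        cve="${pair%%:*}"
        name="${pair#*:}"
        if [ -r "$dir/$name" ]; then
            text="$(cat "$dir/$name")"
            state="$(classify_status "$text")"
        else
            # No file: the kernel predates this interface, so nothing is confirmed.
            text="no sysfs entry"
            state=UNKNOWN
        fi
        case "$state" in VULNERABLE|UNKNOWN) rc=1 ;; esac
        printf '%s %s %s (%s)\n' "$cve" "$name" "$state" "$text"
    done
    return "$rc"
}

# demo: constructed sample files (not real host output); spectre_v2 is left
# out on purpose to exercise the UNKNOWN path.
demo() {
    d="$(mktemp -d)"
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Vulnerable" > "$d/spectre_v1"
    st=0; check_cpu_vulns "$d" || st=$?
    rm -rf "$d"
    return "$st"
}

# "--demo" uses the constructed files; "--run" reads the live host.
case "${1:-}" in
    --demo) demo ;;
    --run)  check_cpu_vulns ;;
esac
```

A non-zero exit status makes the script usable as a compliance gate in configuration management; a missing sysfs entry is treated as unconfirmed rather than safe.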
Some systems may be found to be impractical to patch and may not be able to have execution of active content disabled due to operational needs. Where possible, care should be taken with these resources to restrict the execution of non-validated code submitted to the resource and its services. If this cannot be done, consider adding or enabling additional monitoring and protective controls for these systems, including heuristic signature updates from antivirus vendors and monitoring of abnormal execution characteristics.
Detection of Spectre & Meltdown is difficult, but not impossible. Please contact your existing partners or Revolutionary Security if you need assistance to detect or prevent these attacks.
About the Authors
Architect, LiveFire® Security Services
Joshua is the Architect of Revolutionary Security’s LiveFire® Security Services. He has extensive cross-domain experience including Cyber Architecture, Compliance and Governance, Identity and Access Management, Penetration Testing, and Digital Forensics and Incident Response. He has assessed and performed security testing on a wide array of Fortune 500 companies and has extensive experience with best practice guidance for securing information systems. Joshua holds GCFA, CISSP, CEH and various other certifications.
Trevor is a cyber security professional with experience in both Information Technology (IT) and Operations Technology (OT) environments. Trevor brings extensive experience working as a penetration tester and intelligence analyst performing various functions within global Security Operations Centers (SOCs) for Fortune 500 organizations, including IT/OT integrated SOC environments.