Preventing a Meltdown: Recommendations for the Meltdown / Spectre Vulnerabilities

By Joshua Broussard, Architect, LiveFire® Security Services Revolutionary Security and Trevor Houck, Security Consultant, Revolutionary Security


Meltdown and Spectre Overview

Meltdown and Spectre are kernel vulnerabilities that can result in the loss of system confidentiality through access to unauthorized memory locations on the local system. Meltdown (CVE-2017-5754) affects Intel chips and mostly impacts PCs. Spectre is broader: it is based on two separate vulnerabilities (CVE-2017-5753 and CVE-2017-5715) and also impacts AMD and ARM chips, so most PCs, Apple devices, and smartphones are affected as well. In cloud and virtualized environments, memory can also leak outside the running virtual machine.

Specifically, these vulnerabilities stem from a CPU feature called "speculative execution", which the CPU uses to optimize performance by running work that may not actually be required. Flaws in speculative execution can trick the processor into leaking data belonging to other applications under certain circumstances. Exploitation requires monitoring precise CPU clock times to inject code at exactly the right moment. JavaScript running in a browser, for example, can trigger the issue, allowing remote injection onto a local machine via infected websites or ads.

No exploits of these vulnerabilities have been observed yet; however, given the widespread nature of vulnerable systems and the extensive media exposure, expect a wave of attempted attacks. Proof-of-concept code exists that demonstrates the possibility of stealing passwords or other data from a system.

The Software Engineering Institute (SEI) CERT originally released a statement that only replacing the chips would mitigate the vulnerabilities. It later issued a correction that firmware and software updates could mitigate the vulnerability. DHS issued an alert based on the original SEI statement saying that chip replacement will be required.

Microsoft Azure performance and availability were affected after the environment was patched and some servers failed to come back online.

Scope of Affected Devices

Almost all systems using Intel, AMD, and ARM chips are affected, including PCs, Linux devices, Apple iPads and iPhones, Macs, Android phones, and most other smartphones. Also affected are a wide variety of appliances, special-purpose machines, and networking devices, which may not receive patches as quickly as common endpoints. Apple has noted that Apple Watches are not affected.

Vendor Responses

OS updates are available, and more are coming, for Windows, iOS, macOS, and Linux to limit exposure to the vulnerabilities. Browser updates are also limiting the JavaScript attack vector. Intel expects to release updates on or around January 12th to further limit the vulnerabilities at the chip firmware level. Specific vendor details are summarized in the links below.

  • Intel: Security Advisory
  • ARM: Security Update
  • Amazon: Security Bulletin
  • Apple: Security Advisory
  • Google: Project Zero Blog
  • Microsoft: Security Guidance
  • Red Hat: Vulnerability Response
  • SUSE: Vulnerability Response
  • VMware: Vulnerability Advisory

Recommendations

Both Meltdown and Spectre require the vulnerable machine to execute malicious code. The best short-term prevention is to consider every point at which code may be executed. For a server, this could be a service interface, but the most likely point of ingress without prior compromise is active code executed within a browser process.

  • Microsoft, Apple, Mozilla, and others have patches or workarounds in development for their browsers. Google Chrome already contains an experimental feature that can prevent these attacks, enabled at chrome://flags/#enable-site-per-process. Validate and apply these patches or workarounds in your environment as soon as possible.
  • Until a patch is available for your browser, disable active client-side content, such as JavaScript, ActiveX, Java, Flash, and others, to prevent execution of malicious code.
  • Review the business case for using web browsers or consuming web resources on servers and critical systems. Consuming web resources can allow uninspected, non-validated code to reach the machine and potentially execute malicious functionality like that seen in Spectre and Meltdown.
  • CPU-level firmware patches are in development and are beginning to roll out for many CPU types and vendors. Because of how the exploit must occur, Meltdown and Spectre minimally impact systems that only communicate outbound and do not retrieve unmanaged data from other sources. For instance, while a system containing sensitive data may be vulnerable, if it has no active listening service capable of executing submitted client-side code, it cannot be exploited at this time. Weigh these security-risk versus performance trade-offs when deciding whether to patch such systems.
  • Follow your normal patch-testing procedure before applying patches to critical systems or performing a mass update. There have been reports that certain combinations of patches and systems caused machines to crash and become unrecoverable, even after attempting to reinstall the operating system.
  • Before applying vendor patches, review performance and capacity planning to identify critical systems that already have high CPU utilization (for example, over 70%), because patching can slow systems by up to 30%. Future patches may reduce the performance cost, but in the interim vendors are issuing emergency patches and accepting the performance trade-off in favor of limiting the vulnerability.
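As an added example (not part of the original post, and not a Revolutionary Security tool), the following POSIX shell script shows how the last two recommendations can be scripted on a Linux host: it reads the kernel's own mitigation report and compares current CPU utilization against the 70% threshold the post uses. It assumes the kernel exposes the sysfs files under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2) and the aggregate "cpu" line in /proc/stat; neither path is mentioned in the post, and the function names are the example's own. Both paths are parameters so the functions can be exercised against constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original post): triage a Linux host before
# scheduling a Meltdown/Spectre patch by reporting (1) the kernel's own
# mitigation status and (2) whether the host is already busier than 70%.
#
# Assumptions (not stated in the post): the kernel provides
#   /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}
# (present on 4.15-era and later kernels), and /proc/stat provides the
# aggregate "cpu" line with cumulative jiffies.

# Print "<name>: <status>" for each vulnerability file under DIR ($1).
# Returns 0 when every entry reads "Not affected" or "Mitigation: ...",
# 1 when any entry is missing or reports anything else (e.g. "Vulnerable").
mitigation_status() {
    dir=$1
    unmitigated=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ -r "$f" ]; then
            status=$(cat "$f")
        else
            status="unknown (no sysfs entry; kernel may predate the interface)"
        fi
        printf '%s: %s\n' "$name" "$status"
        case $status in
            "Not affected"|Mitigation:*) ;;
            *) unmitigated=1 ;;
        esac
    done
    return $unmitigated
}

# Busy-CPU percentage between two samples of the /proc/stat "cpu" line
# ($1 before, $2 after). Fields after "cpu": user nice system idle iowait
# irq softirq steal ...; idle and iowait together count as idle time.
cpu_busy_percent() {
    b_idle=$(echo "$1" | awk '{print $5 + $6}')
    b_total=$(echo "$1" | awk '{t=0; for (i=2; i<=NF; i++) t+=$i; print t}')
    a_idle=$(echo "$2" | awk '{print $5 + $6}')
    a_total=$(echo "$2" | awk '{t=0; for (i=2; i<=NF; i++) t+=$i; print t}')
    d_total=$(( a_total - b_total ))
    d_idle=$(( a_idle - b_idle ))
    if [ "$d_total" -le 0 ]; then
        echo 0
        return
    fi
    echo $(( (d_total - d_idle) * 100 / d_total ))
}

# True (exit 0) when BUSY ($1) exceeds THRESHOLD ($2, default 70): such a
# host needs a capacity review before taking a patch that may cost up to 30%.
needs_capacity_review() {
    busy=$1
    threshold=${2:-70}
    [ "$busy" -gt "$threshold" ]
}

# Live check of the local host: mitigation report plus a two-second
# utilization sample.
check_host() {
    if ! mitigation_status /sys/devices/system/cpu/vulnerabilities; then
        echo "WARNING: kernel reports unmitigated or unknown CPU vulnerabilities"
    fi
    s1=$(grep '^cpu ' /proc/stat)
    sleep 2
    s2=$(grep '^cpu ' /proc/stat)
    busy=$(cpu_busy_percent "$s1" "$s2")
    echo "cpu busy: ${busy}%"
    if needs_capacity_review "$busy" 70; then
        echo "NOTE: above 70% busy; review capacity before applying the patch"
    fi
}

# Run the live check only when invoked with --check, so the functions can
# also be sourced and tested against constructed sample data.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as `sh triage.sh --check` on each candidate host; a non-zero result from mitigation_status or a "NOTE" line is the cue to put that system through the patch-testing and capacity-review steps above rather than mass-updating it.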

Some systems may prove impractical to patch, and operational needs may prevent disabling active content on them. Where possible, restrict the execution of non-validated code submitted to these resources and their services. If this cannot be done, consider adding or enabling additional monitoring and protective controls for these systems, including heuristic signature updates from antivirus vendors and monitoring for abnormal execution characteristics.

Detection of Spectre & Meltdown is difficult, but not impossible. Please contact your existing partners or Revolutionary Security if you need assistance to detect or prevent these attacks.

About the Authors

Joshua Broussard
Architect, LiveFire® Security Services
Revolutionary Security

Joshua is the Architect of Revolutionary Security’s LiveFire® Security Services. He has extensive cross-domain experience including Cyber Architecture, Compliance and Governance, Identity and Access Management, Penetration Testing, and Digital Forensics and Incident Response. He has assessed and performed security testing on a wide array of Fortune 500 companies and has extensive experience with best practice guidance for securing information systems. Joshua holds GCFA, CISSP, CEH and various other certifications.

Trevor Houck
Security Consultant
Revolutionary Security

Trevor is a cyber security professional with experience in both Information Technology (IT) and Operations Technology (OT) environments. Trevor brings extensive experience working as a penetration tester and intelligence analyst performing various functions within global Security Operations Centers (SOCs) for Fortune 500 organizations, including IT/OT integrated SOC environments.
