The Vulnerability That Keeps On Giving: Seven New Variations of Spectre and Meltdown Discovered

By Rob Hlavaty, Security Consultant, Revolutionary Security and Trevor Houck, Senior Security Consultant, Revolutionary Security

The Vulnerability That Keeps On Giving: Seven New Variations of Spectre and Meltdown Discovered

Meltdown and Spectre Overview

On January 8, 2018, Revolutionary Security reported on Meltdown and Spectre, which are kernel-level vulnerabilities impacting the processing of unauthorized local memory. These vulnerabilities take advantage of a CPU feature called “speculative execution,” which is leveraged by the CPU to optimize performance by running tasks that may not actually be required. The vulnerabilities reported in January take advantage of speculative execution and trick the processor to leak data returned from other applications under certain circumstances. The vulnerabilities created wide-scale impact on the three major chip manufacturers – Intel, AMD, and ARM. Therefore, most PC’s, Apple (iOS) devices, and smartphones are affected.

Vendor Responses and Standard Mitigations

Affected vendors issued patches and guidance to minimize the impact of these vulnerabilities. They included browser updates, software patches, and configuration guidelines.  However, the CPU-level firmware patches had a significant negative impact on performance, so many customers chose to not apply the patches, citing business convenience requirements.

Intel recently announced that their 9th generation of processors will bring a myriad of new features to the market. Most importantly, they introduce several protections for the Spectre / Meltdown vulnerabilities. The new security protections include hardware changes which help prevent speculative execution attacks, which was the core attack vector for the original Spectre / Meltdown vulnerabilities. The new hardware protections include the use of virtual fences. Virtual fences are hardware changes that prevent side-channel inference and include microcode updates. These safeguards are designed to protect the system while limiting negative impact to performance, which is an undesirable side effect of currently available software patches. These 9th generation CPU’s are currently the best defense to protect against Spectre / Meltdown if an organization can make significant hardware changes by accelerating its tech refresh cycle.

Seven New Attack Types

While performing a series of transient execution attacks – a phrase that describes a series of attacks on the core mechanisms of a CPU – academic researchers discovered seven additional variants to the original vulnerabilities discovered in January 2018. Those variants have been labeled as:

Meltdown:

  1. Meltdown-BR
  2. Meltdown-PK

Spectre:

  1. PHT-CA-OP
  2. PHT-CA-IP
  3. PHT-SA-OP
  4. BTB-SA-IP
  5. BTB-SA-OP

Of the seven additional variants, two are variants of Meltdown and five are variants of Spectre. The seven newly-discovered vulnerabilities include Proof of Concept (PoC) code that validates how the vulnerabilities can be exploited. The newly identified vulnerabilities affect bound instruction, memory protection keys, pattern history tables, buffer tables, and other internal CPU mechanisms. Each of these attack types affect all major microprocessor vendors: Intel, AMD, and ARM. Some of these seven variants are mitigated by currently available patches and updates, while others require additional mitigations, which have not yet been identified.

Protecting Your Organization Through Risk Assessments

The Revolutionary Security team is currently in the process of performing risk assessments related to the Spectre and Meltdown vulnerabilities for our critical infrastructure clients. Generally, the operational risk from Spectre and Meltdown disclosures is relatively low, especially within the ICS environment. However, both Spectre and Meltdown can circumvent protective mechanisms and allow hackers to access a computer’s sensitive data. Spectre and Meltdown impact AMD, ARM, Nvidia and Intel processors, which are all the main key players in the enterprise environment.

Assessing your organization’s overall exposure is a relatively complicated process which is comprised of identification, analysis, planning, and remediation activities. The first step in assessing your risk profile is identifying a comprehensive list of technology assets across the enterprise. This includes both IT and OT/ICS assets. Essentially, any device with a processor must be viewed as potentially susceptible to this style of attack. Your organization should leverage its asset inventory solution(s) to provide the most accurate picture of the asset landscape.

Once there is an understanding of the asset landscape, the organization must work to prioritize the assets that support its critical business functions. To infer this, Revolutionary Security leverages a Business Impact Analysis (BIA) framework across multiple business functions. The BIA process for vulnerability assessment is slightly different than a traditional BIA approach. Prioritization of remediation activities must focus on impact to asset downtime, given the high-impact of most current fixes.

After the completion of an enterprise-wide BIA for all in-scope assets, a risk-prioritized mitigation plan is developed. This plan is largely based on the prioritization within the BIA, but also is largely dependent on the organization’s risk management methodology. Additional activities include consolidation of current patches and updates and development of performance and functional test plans. The output of this activity should be viewed as the decision criteria for determining remediation activities.

For the remediation of vulnerabilities, Revolutionary Security collaborates with enterprise cyber security, IT, vulnerability management, and operational groups to ensure proper distribution of work activities. It will be largely dependent on the organization regarding its tolerance for residual downtime due to patching and upgrading. Many organizations will defer remediation until routine patching cycles, while others will schedule an emergency maintenance period. The phases of remediation will be dependent upon the scope of the organization’s exposure and the availability of resources for mitigation.

Revolutionary Security is happy to assist your organization with assessing the risk of speculative execution vulnerabilities and establishing a risk-based approach to remediation.


About the Authors

Rob Hlavaty
Security Consultant
Revolutionary Security

Rob is a cyber security professional with experience across both Information Technology (IT) and Operations Technology (OT) environments. Rob has wide-ranging experience working as a security assessments and strategy consultant, primarily with large enterprise organizations. Rob is currently working on a Spectre and Meltdown vulnerability assessment to develop an effective mitigation plan for a large organization.

Trevor Houck
Senior Security Consultant
Revolutionary Security

Trevor is a cyber security professional with experience in both Information Technology (IT) and Operations Technology (OT) environments. Trevor brings extensive experience working as a penetration tester and intelligence analyst performing various functions within global Security Operations Centers (SOCs) for Fortune 500 organizations, including IT/OT integrated SOC environments.

Share this post