Meltdown and Spectre - CPU Design Vulnerability
Meltdown and Spectre logos by Natascha Eibl


Ouch. This got messy fast.

Initially announced as an Intel design issue, three new, closely related CVEs, nicknamed Meltdown and Spectre, affect all modern processor designs.

This hardware level issue must be mitigated at the operating system level and eventually fixed as a design choice in the next generation of chips.

What’s The Issue?

Discovered by Jann Horn from Google’s Project Zero and a diverse team of researchers from various institutes, these issues are technically impressive. They take advantage of several features in modern processors that are all involved in predicting what needs to be done next.

They exploit these features through complex timing attacks to access privileged memory from an unprivileged process. In plain English, these vulnerabilities make it possible for any program to access sensitive memory locations.

If exploited in the wild, an attacker could map out protected memory spaces to discover information like passwords, encryption keys, or sensitive intellectual property. Or, just as likely, your recipe for mac & cheese, the latest cat video, or your high score in Mini Metro.

Basically whatever your system is working on at the time of the attack.

This is a high impact vulnerability, and you should address it.

How Likely Am I To Be Hacked?

There’s no way to tell for sure how probable it is that these vulnerabilities will be used to attack a specific system. 

When issues like this occur, the most logical way to approach them is through a series of specific questions.

1. Is there a known attack in the wild?

Not at this time. The researchers have proven the issues via a proof of concept, and other teams have used the research information or similar methods to replicate the results.

The team at Mozilla posted a particularly troubling result that used these types of techniques to exploit timing mechanisms in a web browser to access the memory space of the browser itself. That’s very, very bad.

Given that information, it’s highly likely that cybercriminals are working to exploit these vulnerabilities at scale immediately. The official CVSS score is still pending and may change given the attention. 

So while there is no currently known attack in the wild, the safe assumption is that an attack is imminent.

2. What’s the impact of an attack, if successful?

If a cybercriminal attacked a system and was able to access the right memory space, they could—possibly—steal credentials (password, keys, etc.) to sensitive systems.

That’s bad.

It’s also not guaranteed. Meltdown and Spectre aren’t vulnerabilities in software frameworks or an application that leaks credentials. It’s similar to Heartbleed, but instead of searching the haystack for a needle, you're looking in the whole farm.

3. Can this be mitigated?

Yes. Patches are forthcoming for all major operating systems to mitigate the issue.

Note: this is different from the typical cycle. What usually happens is that there is an operating system bug that can be mitigated by a security control (anti-malware, intrusion prevention, etc.) until a patch for the OS fixes the vulnerability.

With Meltdown and Spectre, the vulnerability is in the hardware design. Updates generally can't be made to existing chips to address the issue (sometimes they can be), so newer chip designs will have to deal with these problems.

In the meantime, operating systems will have to prevent exploitation of the vulnerability.

Security controls may be able to stop known attacks (once they’ve occurred) and potential attacks once more information about the use of the technique in the real world is available.

Because this attack manipulates the timing of instructions, it’s really abusing the “proper” way of doing things. That makes it especially difficult to protect against using a 3rd party security control.

4. Patch or test?

Once the patches are made available, should you wait and test the patch thoroughly, or patch immediately, accepting the risk that it may crash your system?

In a scenario like this, my recommendation is to patch immediately. But you need to make that decision for yourself and your circumstances.

The reason I recommend patching is simple. The vulnerability has a high impact, and it’s gaining steam in the public eye. The chances of cybercriminals using it to steal your data and access your systems have increased significantly.

Roll out the patch once it’s available and turn on automatic updates for all systems and devices.
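Once the patch is on, a check worth running is whether the kernel itself says the mitigations are active. The script below is an added example, not from the article, for Linux 4.15 and later, which expose this status in /sys/devices/system/cpu/vulnerabilities/; the sample status lines it constructs for the offline demo are made up but use the kernel's own wording.

```shell
#!/bin/sh
# Added example, not from the original article. Linux 4.15+ reports its own
# Meltdown/Spectre mitigation status in sysfs; this summarises that report and
# returns non-zero if anything is still vulnerable. File names and the status
# wording ("Not affected" / "Mitigation:" / "Vulnerable") are the kernel's.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
# Map one kernel status line to: not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print "issue<TAB>class<TAB>raw kernel text" per issue; return 1 if any is vulnerable.
report_dir() {
    dir="$1"; rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then   # kernel predates the interface: unknown
            printf '%s\tunknown\t(no sysfs entry)\n' "$name"
            continue
        fi
        line=$(cat "$f"); cls=$(classify_status "$line")
        printf '%s\t%s\t%s\n' "$name" "$cls" "$line"
        [ "$cls" = vulnerable ] && rc=1
    done
    return "$rc"
}

# Build a constructed sample directory (not real kernel output) from three
# status lines, so the report can be demonstrated offline.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' "$1" > "$d/meltdown"
    printf '%s\n' "$2" > "$d/spectre_v1"
    printf '%s\n' "$3" > "$d/spectre_v2"
    echo "$d"
}

# Demo: constructed unpatched host, constructed patched host, then the live host.
unpatched=$(make_sample_dir "Vulnerable" "Vulnerable" "Vulnerable")
report_dir "$unpatched" || echo "-> sample A: still vulnerable, keep patching"
patched=$(make_sample_dir "Mitigation: PTI" "Mitigation: __user pointer sanitization" "Mitigation: Full generic retpoline")
report_dir "$patched" && echo "-> sample B: everything mitigated"
rm -rf "$unpatched" "$patched"
[ -d "$VULN_DIR" ] && report_dir "$VULN_DIR"
```

The exit status of report_dir makes it usable as a gate in a deployment pipeline or as a monitoring check after each kernel update.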

Disclosure Timing

The public disclosure of these issues went ahead quicker than expected. Word leaked earlier this week, and after some rampant speculation, the full disclosure went forward.

I’m not privy to all the details. But as people quickly rush to get information out there, there is more urgency behind the tone of the messaging.

SwiftOnSecurity said it best…

When released, the patches will have gone through rigorous testing (Apple patched macOS quietly in December). Microsoft has implemented a registry key system to ensure that security tools don’t break unnecessarily. Other vendors and organizations will have more information out shortly.

While the messaging might seem reactive and a bit frantic, the code isn’t. 

Next Steps

As with any issue of this magnitude, more information will continue to trickle out over the next few days. The key takeaways are simple:

  • Meltdown and Spectre are "high impact" and "low->medium probability" vulnerabilities, BUT that probability is increasing steadily
  • Patch your operating systems when the patch is made available (automatic updates are your friend)
  • Stay tuned to your operating system and cloud service provider’s communications channels; more information is coming

How are you approaching these vulnerabilities? Does this level of public attention shift the conversations you have with other teams in your organization? Let me know in the comments below or on Twitter where I’m @marknca.

>> For Trend Micro customers, please check the latest knowledge base articles (business / consumer) on these issues. Other security vendors and organizations (like cloud service providers) will have information about their environments on their sites.
