Meltdown and Spectre Vulnerability Fix Workaround for Network/Systems/Security Administrators
A few days ago I heard some news about a chip vulnerability flaw, and later on the details were revealed. The Google Day zero team found the flaw in CPU architecture. The Meltdown and Spectre flaws affect almost all ranges of processors.
Until the second day after the bug was found, the US Homeland department was suggesting replacement of the hardware. It was impossible for us to replace every processor, so I preferred to wait for a solution. A snapshot of the US Homeland suggestion is attached, but later on they shared remediation procedures. These remediation steps were tested to reduce the impact of the flaw in our in-house environment.
Because the Spectre and Meltdown vulnerabilities exist in the CPU architecture rather than in software, patching may not fully address them. According to US-CERT, specific and customized OS modules can reduce their zero-day impact. I have worked out this workaround based on the possibilities and a study of how the bugs are exploited. The workaround applies especially to network and security devices from vendors such as Juniper, Cisco, Huawei, ZTE, Nokia, etc.
Indication/Possible troubleshooting:
- Because of the bug, a process on the processor can overwrite and access restricted application space (Spectre bug).
- Using one process, it is possible to jump into another process.
- Using this bug, a process can jump mid-instruction from a user process to a kernel process (a violation of operating system rules).
- The Meltdown bug can execute instructions out of order to access kernel memory. Low kernel memory can be a possible symptom, or execution of a program other than the desired one can be a possibility.
- If the problem is observed, we can look for it through the command line of the network devices. We can check each process ID against the memory address space it may access. The OS, process, and memory access details can be found in the debug and process detail output.
- We have a mechanism for monitoring the performance of all daemons/functions and checking for abnormalities on network devices.
- A Meltdown exploit can cause user space to access kernel space. Only the operating system architecture can find the exact allocation of memory for each process. The network/security/operating system admin should contact their support team if any abnormality is found.
- We have a specific mechanism for viewing when user space accesses kernel memory, by correlating process IDs.
- Please contact your support vendor for the possible release of a patch fix.
The main challenge of the patch fix is process performance. Because a processor redesign/assembler redesign is required to secure all subsequent code execution, technically it is not a big challenge. But other possibilities, such as temperature issues or performance retention, can be challenges.
Exploit of process Bug:
- The Meltdown bug can be exploited with a compromised system or a valid login. A user with a compromised account, whether on the central authentication system or the local system, is a possibility. Make sure the device is not accessible from unauthorized locations or resources, because after accessing a local account they can jump to the OS or kernel memory space.
- Spectre can also be exploited via Java code in a script run through a browser, so block all unnecessary/unauthorized web access to network devices, as Spectre violates all the rules of browser isolation, sandboxing, etc. The paper's authors have successfully exploited the bug.
Workaround:
- Keep a minimal set of secure local users with strong passwords. All other users should be authenticated with a central authentication server.
- Minimize access to network devices via web browser, as the web browser can be a possibility for Java.
- Monitor the possible memory access of user-access process IDs.
- Cross-check the signature of the downloaded OS before a version upgrade activity. Follow the OS validate-and-install procedure before every installation, because the addition of malicious code is a possibility in a non-validated OS.
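One way to apply the last workaround item on the staging host before an image is copied to a device, added here as an example and not taken from any vendor's procedure. It assumes the vendor publishes a SHA-256 digest for each image and uses that digest check in place of a vendor-specific signature check; `verify_image`, the file name and the 3-byte sample "image" are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): gate an OS upgrade on the image digest.
# Assumption: the vendor publishes a SHA-256 value for each OS image.

# verify_image IMAGE EXPECTED_SHA256
# Exit status: 0 match, 1 mismatch, 2 image missing, 3 malformed digest.
verify_image() {
    vi_image=$1
    # Normalise case so an upper-case published digest still compares equal.
    vi_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$vi_image" ]; then
        echo "REJECT: $vi_image not found" >&2
        return 2
    fi
    # A truncated or mistyped digest must never be treated as a match.
    if ! printf '%s' "$vi_expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "REJECT: expected value is not a SHA-256 digest" >&2
        return 3
    fi
    vi_actual=$(sha256sum "$vi_image" | cut -d' ' -f1)
    if [ "$vi_actual" != "$vi_expected" ]; then
        echo "REJECT: digest mismatch for $vi_image" >&2
        return 1
    fi
    echo "OK: $vi_image matches the published digest"
}

# --- Constructed demo: a 3-byte stand-in "image" and its known digest ---
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/os-image.bin"          # constructed sample file
PUBLISHED=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

verify_image "$demo_dir/os-image.bin" "$PUBLISHED" || echo "do not install"

# Simulate modification in transit: one appended byte changes the digest.
printf 'X' >> "$demo_dir/os-image.bin"
verify_image "$demo_dir/os-image.bin" "$PUBLISHED" || echo "do not install"
rm -rf "$demo_dir"
```

The published digest should be obtained over a separate trusted channel from the image itself, since a digest hosted beside a tampered image can be replaced along with it.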