At the start of January, there were two major vulnerabilities that were publicly disclosed, known to the industry and the general public as Spectre and Meltdown (https://spectreattack.com/). These vulnerabilities pose a major risk to the confidentiality of information processed by CPUs from the three main manufacturers (It is also believed to affect CPUs from other manufacturers such as IBM (Power) and Oracle (Sparc)): Intel, AMD, and ARM.

As these vulnerabilities were caused by design flaws in the hardware itself all operating systems will require workaround patches; including Windows, MacOS, BSD, Linux distributions, and mobile operating systems (including iOS and Android). This article will focus on the reality and impact of the risks and mitigations for businesses, other organisations, and individuals rather than the technical complexities.

Initially, an embargo was in-place for revealing the details of these vulnerabilities, which was due to be lifted on January 9^th 2018. However, a researcher was able to reverse engineer a security patch that led to the information on the vulnerability being released prematurely. Due to this early disclosure of information, some vendors were not able to release their security updates, and as such information has been released to the public gradually.

SureCloud has waited for a reasonable baseline of reliable information to be released before offering our recommendations here. Due to the nature of how these issues came to light, it is important to act on verified and trustworthy intelligence. That being said, both Spectre and Meltdown remain a moving target, and as such we intend on updating this article as new information becomes available.

The Bugs

Meltdown and Spectre are both caused by hardware issues in the “speculative execution” CPU feature. By exploiting these vulnerabilities, it has been shown that an unprivileged application can read the memory of other applications, which can include high-privileged system memory. Proof-of-concepts have shown that exploitation is possible in a variety of ways; for example, the following attack vectors have already been demonstrated:

• Malicious programs reading information (e.g. passwords) from other users.
• Malicious programs reading information from other virtual machines that share the same CPU.
• Malicious JavaScript loaded into a browser that would harvest information from the computer.

However, due to the vulnerabilities’ flexible nature, it is possible that other services could be exploited in similar ways. Concerningly, there is no requirement for a malicious program or code to utilise elevated privileges in order to perform successful exploitation of these weaknesses; as such is almost impossible to actively or retroactively detect if the information has been breached from the CPU.

Is my organisation affected?

The short answer is “yes”, but the risk to each organisation will vary. With the attack vectors that are currently available one of the greatest risks is to virtual machines that share CPUs with other virtual machines that are not managed by the organisation. The impact of this would be that an attacker could execute malicious code and steal other tenant information whilst it is being processed by the CPU. Some of those that are at the greatest risk are organisations using virtual private server vendors who have not already deployed the various patches.

There are other key risks, particularly to browsers loading web pages containing malicious JavaScript. However, currently, there is limited proof-of-concept code available that would be useful for an attacker.

Detection of insecure systems

There have been some tools released to assist in verifying whether a system is still vulnerable to these attacks. Furthermore, SureCloud has rolled out updates to the SureCloud vulnerability scanning platform for clients with on-demand scanning to be able to detect many of these issues through missing security updates. However, patches and known detection methods continue to be released as time moves forward and we will be updating our capabilities over the coming weeks as more information becomes available.

Windows

Microsoft has released an official PowerShell tool that can be used to verify whether your system(s) are affected by this vulnerability:

• https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

A third-party tool for windows has also been released that does not require PowerShell for detection purposes:

• https://ionescu007.github.io/SpecuCheck/

Linux

A tool for Linux has been released to check if your system is vulnerable to the Meltdown variant of the vulnerability:

• https://github.com/raphaelsc/Am-I-affected-by-Meltdown

Mitigations

Due to the severity of this issue, the UK National Cyber Security Centre (NCSC) has provided guidance on mitigating these bugs (https://www.ncsc.gov.uk/guidance/meltdown-and-spectre-guidance) and this is being regularly updated.

Most critically, it is important to ensure that systems and software packages are patched against these issues wherever patches are available. Patches have been released for Windows. Patches for Linux have been created, and are expected to be available within most distributions. Many other operating systems and software vendors have already released patches or will be in the near future. It is key that organisations are running on supported operating systems and software to ensure that they can receive these critical security updates.

There have been some reported issues applying patches for these vulnerabilities, including stability and performance problems. We have detailed the issues that we know about below, but we strongly recommend thoroughly testing these patches before rolling them out to production systems.

There have been some issues identified with certain anti-virus (AV) programs on Windows, causing the Blue Screen of Death once the patches have been applied. Microsoft is maintaining a whitelist of configurations that do not crash, but this may cause a delay with these critical patches being applied, and may require that AV solutions are updated first.
Another reported problem is that some users of AMD CPUs are left unable to boot their operating system or reverse the changes after applying these patches.

Meltdown and Spectre affect many different layers of the system, and it should be noted that both the operating system and individual software packages may need updating. Simply applying the requisite operating system patches will not be enough to resolve all variants of these vulnerabilities.

CPU manufacturers are likely to release microcode updates for their processors that help to mitigate some variants of the vulnerabilities. These are expected to be applied on boot after patching most operating systems, but separate BIOS/EFI patches may also be released to make these changes permanent.

As the exploits continue to improve, outdated web browsers are expected to become a primary attack vector for these vulnerabilities. Currently, there are new versions of Firefox and Chrome which have mitigations in place. However, the Chrome patch is not yet automatically applied. It is currently recommended to enable “site isolation” in Chrome to mitigate the risk ahead of the patch being deployed.

• Patched Firefox: 57.0.4 and above
• Patched Chrome: v64 and above
• Patched Safari: Upcoming
• Patched Internet Explorer: Included in 03/01/2018 security update

Additional Reading

If you are interested in the technical aspects of the hardware bugs and exploits there are already some great writeups, including the original papers. Starting points can be found below:

• https://spectreattack.com/
• https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/

References

• https://www.dragonflydigest.com/2018/01/05/20672.html
• https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
• https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
• https://www.theregister.co.uk/2018/01/08/microsofts_spectre_fixer_bricks_some_amd_powered_pcs/
• https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr