SECURITY ADVISORY: MELTDOWN & SPECTRE CHIP VULNERABILITIES
As you may now be aware, a new set of vulnerabilities was published over the new year, dubbed ‘Meltdown’ and ‘Spectre’. These two families of attacks are notable because they are not caused by a flaw in any specific piece of software, but exploit a design feature of modern processors themselves: speculative execution. Meltdown affects essentially every Intel x86 processor of the last two decades (older in-order Atom parts excepted), which power most PCs and servers today, as well as some ARM cores. Spectre is broader and affects Intel, AMD and ARM processors alike. AMD, the other major x86 manufacturer, is therefore less impacted: its processors are not affected by Meltdown but are affected by Spectre.
A Quick Explanation
In short, the flaws let a process read memory it should not be able to see. With Meltdown, an ordinary user process can read kernel memory and, through it, most of the physical memory of the machine. With Spectre, a process can read memory belonging to another process running on the same CPU, or code running in a sandbox (for example JavaScript in a browser) can read the memory of the process hosting it. The root cause is speculative execution: to gain speed, modern CPUs run instructions ahead of time, before they have finished checking whether an access is permitted. The results of those speculative reads are discarded, but they leave traces in the CPU cache, a small, fast memory inside the processor, and an attacker can measure access timing to recover the secret data byte by byte. Because the behaviour is built into the hardware, it cannot be fixed in software; operating-system and microcode (CPU firmware) updates can only work around it.
There are already excellent resources on the attacks, the primary one being https://meltdownattack.com/, which publishes the original research papers. The same site also maintains a set of references to the vulnerability advisories of the major hardware and software vendors.
All of this sounds serious, and it is, as the flaws are present in almost every CPU produced over the last 20 years. However, we should keep in mind that, at the time of writing, the flaws are not known to have been exploited in the wild. Now that proof-of-concept code is public, the likelihood of exploitation will no doubt increase as time progresses.
While the potential attacks are serious, the immediate issue is the sheer number of devices that need to be patched to mitigate them. It is therefore inevitable that customers will remain exposed for the foreseeable future, as some systems are difficult to update because they are no longer supported, run outdated operating systems, or are closed embedded systems.
In cloud environments the issue is even more pronounced, because you may be sharing a physical CPU with other cloud users. A neighbouring tenant on the same host may be able to read data from your virtual machine’s memory or from the hypervisor itself. The big players in the cloud market are doing their best to fix the issue, and AWS and Azure have both been applying emergency patches to their hosts. If you are using cloud services, you should investigate your cloud provider’s response to the issue, and remember that the host-level patch only protects tenants from each other: the operating system inside your own virtual machines still needs to be patched to protect your processes from one another.
On AWS there have already been reports that the patch has increased CPU utilisation on EC2 instances, forcing some customers to scale up their compute environments. It is interesting how a security issue like this may thus change the economics of a cloud solution.
You should remember that neither attack gives an attacker a foothold by itself: the attacker first needs to get code running on the target, and for that the standard attack vectors we always see will be used, either remote code execution (vulnerabilities in the applications and services you expose) or local execution (a user or a vulnerable application running attacker-supplied code). As always, we expect the exploits to be delivered through malware embedded in e-mails, through users being tricked into executing content on the web (Spectre has been demonstrated from JavaScript in a browser, and plug-ins such as Java or Flash widen the exposure further) or, even worse, through users running an executable file.
The Key to Staying Safe
In the coming days you should expect a number of patches to be made available for your operating systems and applications. Patches are already available for Linux, Microsoft Windows and other major operating systems, and Intel and the system vendors are releasing microcode updates that complement them.
One major issue is that the patches change fundamentals of how the OS manages memory, so some applications may be incompatible. Specifically, some AV and endpoint security clients that hook deep into the kernel have had issues with the new patches, up to and including crashing the system. Because of this, Microsoft only offers the January update to systems on which a compatibility registry key has been set: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\QualityCompat, value cadca5fe-87d3-4b96-b7fb-a231484277cc (REG_DWORD, data 0). Supported AV products set this key themselves once they are confirmed compatible; systems without a third-party AV product must have it set manually. Hence, you should ensure your AV has been upgraded to a release that supports the patch, and confirm the key is present before you expect the update to appear.
Major browsers are also being updated to mitigate Spectre, chiefly by reducing the precision of the timers available to JavaScript and by isolating sites in separate processes.
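To verify that a Linux system has actually received the operating-system mitigations rather than only the package update, the kernel reports its own view under /sys/devices/system/cpu/vulnerabilities/ (one file per issue, holding “Not affected”, “Vulnerable” or “Mitigation: …”). The script below is an added example and is not part of the Help AG advisory; it assumes a kernel that exposes that interface (mainline 4.15 and the distribution backports shipped in January 2018) and treats a missing directory as unpatched. On Windows, Microsoft’s SpeculationControl PowerShell module (Get-SpeculationControlSettings) performs the equivalent check.

```shell
#!/bin/sh
# Added example, not part of the Help AG advisory: report the kernel's own view of
# Meltdown/Spectre mitigation on a Linux host. Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities/ (mainline 4.15 and the distribution
# backports shipped in January 2018); each file there holds one line such as
# "Not affected", "Vulnerable" or "Mitigation: PTI".

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT -> prints ok | vulnerable | unknown
# Kernels also emit "Vulnerable: <detail>" for partial mitigations; treat those
# as vulnerable rather than silently passing them.
classify_status() {
    case "$1" in
        "Not affected"*)  echo ok ;;
        "Mitigation:"*)   echo ok ;;
        "Vulnerable"*)    echo vulnerable ;;
        *)                echo unknown ;;
    esac
}

# report_vulnerabilities [DIR] -> one line per sysfs entry: "<name> <state> <raw>".
# Returns 0 only if every entry is mitigated or not applicable. A missing or
# empty directory (old kernel) is reported as a failure: it means unpatched.
report_vulnerabilities() {
    dir="${1:-$VULN_DIR}"
    rc=0
    count=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the sysfs interface, assume unpatched" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        count=$((count + 1))
        name=$(basename "$f")
        text=$(cat "$f" 2>/dev/null) || text=""
        state=$(classify_status "$text")
        printf '%-16s %-10s %s\n' "$name" "$state" "$text"
        [ "$state" = ok ] || rc=1
    done
    [ "$count" -gt 0 ] || rc=1
    return $rc
}

# Run the report when invoked as a script; the functions can also be sourced.
if [ "${0##*/}" = "check_speculation.sh" ]; then
    report_vulnerabilities "$VULN_DIR"
fi
```

Save it as check_speculation.sh and run it after every kernel update and reboot; a non-zero exit status means at least one entry is still vulnerable (or the kernel is too old to report), which makes it easy to wire into a fleet-wide compliance check. Note that “Mitigation: PTI” only tells you the kernel-side workaround is active; the Spectre variant 2 entry additionally depends on the microcode update being installed.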
The Reality with Virtual
Your virtual environments will also be affected. VMware and Microsoft have already released patches for their hypervisors. Please note that both layers need to be patched: the hypervisor update protects guests from each other and the host from its guests, while the guest OS patches mentioned above protect processes inside each guest from one another. Some of the guest-side mitigations also rely on the updated hypervisor exposing the new CPU (microcode) features to the guest, so the hypervisor should be updated first.
There has been some discussion about how much the patches will affect performance on the patched systems. Initial investigation shows the impact is limited for most workloads, but it is not uniform: workloads that make many system calls or perform heavy I/O (databases, storage and virtualisation hosts) see the largest slowdowns, so benchmark your critical systems after patching rather than relying on averages.
It should be noted that most security appliances do not allow arbitrary code execution, meaning they control every process running on the device. Therefore, for an attack to be successful, it would first need a local or remote code execution vulnerability to be present. In that scenario, Meltdown would then potentially aggravate the situation and could lead to information disclosure. Currently none of our vendors have highlighted any immediate exposure.
From Help AG’s perspective, we are monitoring the situation very closely, and as advisories become available from our vendors in the coming days, we will regularly release information to our customers.
Should you be in doubt about what to do, we are always ready to assist you. As always you are only a call, mail or web-ticket away.
Security advisory by:
Nicolai Solling, CTO at Help AG