
Jan 10
Meltdown and Spectre. Is this the end of the world as we know it?
Posted by Chris Marshall

Happy New Year, loyal LP blog readers, and what a start to the year we have had. Unless you have had your head in the sand for the last week you cannot help but have heard all the buzz around the latest two high-profile security vulnerabilities to hit our networks. I am of course referring to the infamous Spectre and Meltdown flaws. Cue dramatic music: “Dun Dun Duuuun!!!!”

First, I would like to address the most pressing question at hand: why the names Spectre and Meltdown? Well, according to the websites https://spectreattack.com/ and https://meltdownattack.com/ the reasons are as follows:

“The Meltdown vulnerability basically melts security boundaries which are normally enforced by the hardware.”

“The Spectre name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.”

Great, so our security boundaries are melting in front of our eyes and it's going to haunt us for a long time. At least we now kind of know why the melting security shield and the ghost with a twig were chosen as the icons for these flaws!

I’m sure that you agree that it all sounds very bleak, but do not be too discouraged as all is not yet lost. In this blog I decided to dig a little deeper and find out what I could discover about these two very naughty potential security flaws and see what options we might have to possibly mitigate or maybe even solve them.

These vulnerabilities were identified by researchers back in early 2017, with hardware and software vendors being made aware of the situation on June 1st, 2017 (Spectre) and July 28, 2017 (Meltdown). This gave our vendors around five months to prepare and release software patches prior to the scheduled public announcement on January 9th, 2018.

Unfortunately, the cat got out of the bag a little early and news leaked on January 3rd, leaving vendors scrambling to publish a response.

This pair of exploits takes advantage of the way that modern (1995 onwards) CPUs in our computers, phones, routers, switches, toasters (you get the picture) access memory, which enables code to read memory that does not belong to it. Normally this address space would be protected by privilege checks, but these exploits manage to get around those checks. Being able to read the memory of neighboring processes, including kernel-level processes, means that an attacker leveraging one of these exploits has the keys to the kingdom and could glean passwords, encryption keys, and any other sensitive information you can imagine.

Two criteria must be met for these vulnerabilities to be exploited.

  1. The device being targeted must utilize an affected Intel, AMD, Qualcomm, or ARM processor (most processors from the last 10+ years fall into the category of "vulnerable").
  2. An attacker must be able to execute their own code on the device. Depending on the vulnerability, the code may be executed as unprivileged code, or in others, as privileged ("root" or "SYSTEM") code.

There are three likely scenarios where attackers may attempt to leverage these vulnerabilities.

  1. Spectre could be leveraged to launch attacks against virtualized hosting environments. Given that it is possible to read host memory from within a guest, this could result in an attacker gaining access to the host OS. This sort of attack scenario mainly impacts cloud hosting providers such as Amazon, Azure, Google, etc. These providers are working to ensure customers are not impacted by these vulnerabilities. Check with your specific hosting provider for additional details. It is important to note that successfully exploiting these vulnerabilities in this scenario is not trivial.
  2. Spectre is reachable from within the web browser on affected devices, which could allow a malicious website to read arbitrary data from other browser tabs. This could let a remote attacker obtain sensitive information, such as session or cookie data for other active sessions. This sort of attack would likely only work under specific conditions, and it would also require the attacker to convince a user to visit the malicious website in order to execute the code required to steal data.
  3. Meltdown could enable attackers to exploit additional vulnerabilities more easily. Meltdown allows an attacker to defeat Kernel Address Space Layout Randomization (KASLR). This means that any vulnerability that wasn't previously exploitable because of KASLR is now potentially exploitable if chained together with Meltdown. The details depend on the vulnerability the attacker is attempting to leverage, but from an attacker's perspective it does remove some of the hurdles encountered when building an exploit.

As with all vulnerabilities, applying published patches is a crucial step to preventing an attacker from successfully exploiting these vulnerabilities. Microsoft, Linux and Apple have released patches for Meltdown.

For affected Cisco devices please refer to the PSIRT advisory. Currently no patches are available for Spectre. As soon as Operating System patches are available for Spectre, we recommend that you apply them to your system as soon as possible. LookingPoint complete managed services customers will have these patches applied as part of their standard service offering.

The majority of Cisco products are closed systems that do not allow customers to run custom code on the device, and thus are not vulnerable. There is no vector to exploit them. Cisco devices are considered potentially vulnerable only if they allow customers to execute their customized code side-by-side with Cisco code on the same microprocessor.

In summary, things may not be quite as bleak as we first thought. Patches have been made available for Meltdown, and the consensus is that an exploit leveraging the Spectre vulnerability will be hard to implement. In the meantime, keep up with those system and anti-malware patch updates.
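Keeping up with patches is only half the job; you also want to verify that the mitigation is actually active on each host. The following is an added example, not code from the original post or from the Meltdown/Spectre researchers: a small Python checker for the status files that Linux kernels from 4.15 onwards expose under /sys/devices/system/cpu/vulnerabilities/ (one file each for meltdown, spectre_v1 and spectre_v2, holding a one-line status such as "Not affected", "Vulnerable" or "Mitigation: PTI"). The sample status contents and the temporary directory they are written into are constructed for offline use; on a live Linux system the script reads the real sysfs directory instead.

```python
"""
Added example (not from the original post): read the Linux kernel's
per-issue speculative-execution status files and report which of the
Meltdown/Spectre issues still need action on this host.

Assumptions (labelled): the sysfs interface described above exists on
kernels >= 4.15; on older kernels the files are simply missing and the
verdict is reported as 'unknown' rather than 'mitigated'.
"""
import tempfile
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Issue name as used by the kernel -> CVE identifier quoted in the post.
ISSUES = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def classify(status_line: str) -> str:
    """Map one raw sysfs status line to a coarse verdict."""
    s = status_line.strip()
    if s == "Not affected":
        return "not-affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def check_host(sysfs_dir=SYSFS_DIR) -> dict:
    """Return {issue: (cve, raw_status, verdict)} for every known issue.

    A missing or unreadable file (kernel predates the interface) is
    deliberately NOT treated as safe: it becomes 'unknown'.
    """
    results = {}
    for name, cve in ISSUES.items():
        path = Path(sysfs_dir) / name
        try:
            raw = path.read_text().strip()
        except OSError:
            raw = "<file missing: kernel does not report this issue>"
        results[name] = (cve, raw, classify(raw))
    return results


def needs_action(results: dict) -> list:
    """Names of issues whose verdict is neither 'mitigated' nor 'not-affected'."""
    return sorted(name for name, (_, _, verdict) in results.items()
                  if verdict in ("vulnerable", "unknown"))


def make_sample_dir(statuses: dict) -> str:
    """Write constructed status files into a temp dir so the checker can
    be exercised offline (demo/test helper, not part of any real host)."""
    d = tempfile.mkdtemp(prefix="vulns_")
    for name, line in statuses.items():
        (Path(d) / name).write_text(line + "\n")
    return d


# Constructed sample: Meltdown patched (page-table isolation on),
# Spectre v1 mitigated, Spectre v2 still open.
SAMPLE_STATUSES = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}


if __name__ == "__main__":
    # Use the real sysfs directory when present, otherwise the constructed sample.
    target = SYSFS_DIR if SYSFS_DIR.is_dir() else Path(make_sample_dir(SAMPLE_STATUSES))
    res = check_host(target)
    for name, (cve, raw, verdict) in res.items():
        print(f"{name:10} {cve}  {verdict:12} {raw}")
    print("needs action:", ", ".join(needs_action(res)) or "none")
```

Run it as-is on a patched Linux box and every row should read "mitigated" or "not-affected"; any "vulnerable" or "unknown" row is a host to chase. Treating a missing status file as unknown rather than safe is the deliberate design choice here, because an unpatched kernel old enough to lack the interface is exactly the one you do not want silently passing the check.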

Below are some quick facts relating to these vulnerabilities taken from https://meltdownattack.com/

ISSUE Fast Facts:

Am I affected by the vulnerability?

Most certainly, yes.

Can I detect if someone has exploited Meltdown or Spectre against me?

Probably not. The exploitation does not leave any traces in traditional log files.

Can my antivirus detect or block this attack?

While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.

What can be leaked?

If your system is affected, our proof-of-concept exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.

Has Meltdown or Spectre been abused in the wild?

We don't know.

Which systems are affected by Meltdown?

Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether AMD processors are also affected by Meltdown. According to ARM, some of their processors are also affected.

Which systems are affected by Spectre?

Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.

What is the difference between Meltdown and Spectre?

Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers (Meltdown and Spectre).

What are CVE-2017-5753 and CVE-2017-5715?

CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

What is the CVE-2017-5754?

CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.


Written By: Chris Marshall, LookingPoint Senior Solutions Architect - CCIE #29940
