First, I would like to address the most pressing question at hand: why the names Spectre and Meltdown? Well, according to the websites https://spectreattack.com/ and https://meltdownattack.com/, the reasons are as follows:
“The Meltdown vulnerability basically melts security boundaries which are normally enforced by the hardware.”
“The Spectre name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.”
Great, so our security boundaries are melting in front of our eyes and it's going to haunt us for a long time. At least we now kind of know why the melting security shield and the ghost with a twig icon were chosen to represent these flaws!
I'm sure you'll agree that it all sounds very bleak, but do not be too discouraged, as all is not yet lost. In this blog I decided to dig a little deeper, find out what I could about these two very naughty potential security flaws, and see what options we might have to mitigate or maybe even solve them.
These vulnerabilities were identified by researchers back in early 2017, with hardware and software vendors being made aware of the situation on June 1st, 2017 (Spectre) and July 28th, 2017 (Meltdown). This gave our vendors around five months to prepare and release software patches prior to the scheduled public announcement on January 9th, 2018.
Unfortunately, the cat got out of the bag a little early: news leaked on January 3rd, leaving vendors scrambling to publish a response.
This pair of exploits takes advantage of the way that modern (1995 onwards) CPUs in our computers, phones, routers, switches, toasters (you get the picture) access memory, which enables a process to read memory space that does not belong to it. Normally this address space would be protected by access privilege checking, but these exploits manage to get around those checks. Reading the memory space of neighboring processes, including kernel-level processes, means that an attacker leveraging one of these exploits has the keys to the kingdom and could glean passwords, encryption keys, and any other sensitive information you can imagine.
Two criteria must be met for these vulnerabilities to be exploited.
There are three likely scenarios where attackers may attempt to leverage these vulnerabilities.
As with all vulnerabilities, applying published patches is a crucial step in preventing an attacker from successfully exploiting them. Microsoft, Linux and Apple have released patches for Meltdown.
For affected Cisco devices, please refer to the PSIRT advisory. Currently no patches are available for Spectre; as soon as operating system patches for Spectre are available, we recommend that you apply them to your systems as soon as possible. LookingPoint complete managed services customers will have these patches applied as part of their standard service offering.
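Since the advice above is to apply OS patches and keep applying them, the practical follow-up question is "has my kernel actually got the mitigation on?" The script below is an added example, not code from the original post or from LookingPoint. It reads the per-issue status files that Linux kernels from 4.15 onwards expose under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2), maps each to the CVE numbers quoted later in this post, and flags anything reported as vulnerable or not reported at all. The sample file contents at the bottom are constructed so the script runs offline on a machine without that sysfs directory.

```python
"""Report Linux kernel mitigation status for Meltdown and Spectre.

Added example, not from the original post. Kernels 4.15+ expose one
status file per issue under /sys/devices/system/cpu/vulnerabilities/;
older kernels have no such directory, which itself means "unknown".
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> CVE the post cites for that issue.
ISSUES = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def classify(status):
    """Collapse a raw sysfs status line into one of four buckets.

    Real kernels print lines such as "Not affected", "Mitigation: PTI",
    or "Vulnerable: ..." followed by detail text.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(files):
    """files maps issue name -> file contents, or None when the file is absent.

    Returns CVE -> (bucket, detail) so callers can key on the CVE id.
    """
    report = {}
    for issue, cve in ISSUES.items():
        raw = files.get(issue)
        if raw is None:
            report[cve] = ("unknown", "sysfs entry missing (kernel predates reporting)")
        else:
            report[cve] = (classify(raw), raw.strip())
    return report


def read_sysfs(directory=SYSFS_DIR):
    """Collect the live sysfs contents; missing files become None."""
    files = {}
    for issue in ISSUES:
        path = directory / issue
        files[issue] = path.read_text() if path.is_file() else None
    return files


def needs_action(report):
    """CVEs that still need patching or investigation, sorted for stable output."""
    return sorted(cve for cve, (state, _) in report.items()
                  if state in ("vulnerable", "unknown"))


# Constructed sample contents shaped like real sysfs output, used when the
# script runs on a host without the vulnerabilities directory.
SAMPLE_FILES = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": None,
}

if __name__ == "__main__":
    files = read_sysfs() if SYSFS_DIR.is_dir() else SAMPLE_FILES
    report = read_status(files)
    for cve, (state, detail) in report.items():
        print(f"{cve}: {state:12s} {detail}")
    todo = needs_action(report)
    print("action needed for:", ", ".join(todo) if todo else "none")
```

Treating a missing sysfs entry as "unknown" rather than "fine" is deliberate: a kernel too old to report on these issues is also too old to carry the fixes. On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which reports the same three issues by CVE.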
The majority of Cisco products are closed systems that do not allow customers to run custom code on the device, and thus are not vulnerable: there is no vector to exploit them. Cisco devices are considered potentially vulnerable only if they allow customers to execute their own customized code side by side with Cisco code on the same microprocessor.
In summary, things may not be quite as bleak as we first thought. Patches have been made available for Meltdown, and the consensus is that an exploit leveraging the Spectre vulnerability will be hard to implement. In the meantime, keep up with those system and anti-malware patch updates.
Below are some quick facts relating to these vulnerabilities, taken from https://meltdownattack.com/:
ISSUE Fast Facts:
Am I affected by the vulnerability?
Most certainly, yes.
Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.
Can my antivirus detect or block this attack?
While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.
What can be leaked?
If your system is affected, our proof-of-concept exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.
Has Meltdown or Spectre been abused in the wild?
We don't know.
Which systems are affected by Meltdown?
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether AMD processors are also affected by Meltdown. According to ARM, some of their processors are also affected.
Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.
What is the difference between Meltdown and Spectre?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers (Meltdown and Spectre).
What are CVE-2017-5753 and CVE-2017-5715?
CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
What is the CVE-2017-5754?
CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
Written By: Chris Marshall, LookingPoint Senior Solutions Architect - CCIE #29940