While the global workforce was just getting ready to start the New Year, the researchers revealed news of two new critical issues in nearly all modern microprocessors, called Meltdown and Spectre. In layman’s terms, this involves nearly all computing devices manufactured in the last 20 years, used by both enterprises and end-users, ranging from computers, servers, mobile devices to cloud services, and virtualization platforms. What, if anything, can you do, to keep safe(r)?
On January 3, 2018, researchers revealed news of two new critical modern microprocessor vulnerabilities, manufactured by Intel, AMD, and ARM. The vulnerabilities, named Meltdown and Spectre, have been confirmed on CPUs manufactured since year 2011, and are potentially present in CPUs manufactured since 1995. Those processors can be found in most of today’s workstations, laptops, servers, and mobile devices as well as cloud infrastructure and virtualization platforms.
The Meltdown and Spectre vulnerabilities allow attackers to access device memory, which is normally reserved for operating system kernel or memory reserved by another well-behaving application. The malicious application can gain access to critical data, such as private crypto keys, passwords, etc.
Who is affected and how can the vulnerabilities be exploited?
From what we know so far, the vulnerabilities affect enterprises and individuals using devices containing chips from Intel, AMD, or ARM – in short, just about everyone.
|
Vulnerability |
Vendor |
Consequences |
|
Meltdown |
Intel |
Malicious application can gain arbitrary access to device’s memory, regardless of the operating system |
|
Spectre |
Intel, AMD, ARM |
Malicious application can gain arbitrary access to another, well-behaved application’s memory |
To exploit the vulnerabilities, the malicious actor must be able to execute code on the target device.
Meltdown in action
A PoC for the Spectre vulnerability already exists, showing how a malicious JavaScript can read an un-patched web browser’s memory.
How do I protect myself from the vulnerabilities?
We strongly urge both end users and system administrators to apply the operating systems and application patches as soon as possible. As the vulnerabilities affect a large number of devices and complex IT environments, we do not foresee all devices being patched any time in the near future. We also encourage enterprises to proactively follow activities in their IT environments by establishing incident detection and prevention systems. This is the only way to properly detect and react to security incidents and limit business damages.
A list of vendor fixes and notices
Most of the leading IT vendors have already issued official security notices, including security patches, which mitigate the Meltdown and Spectre vulnerabilities.
- Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
- Dell/EMC:
- http://www.dell.com/support/article/at/de/atbsdt1/sln308587/microprocessor-side-channel-attacks--cve-2017-5715--cve-2017-5753--cve-2017-5754---impact-on-dell-products?lang=en
- http://www.dell.com/support/article/at/de/atbsdt1/sln308588/microprocessor-side-channel-attacks--cve-2017-5715--cve-2017-5753--cve-2017-5754---impact-on-dell-emc-products--dell-enterprise-servers--storage-and-networking-?lang=en
- IBM: https://www.ibm.com/blogs/psirt/potential-cpu-security-issue/
- F5: https://support.f5.com/csp/article/K91229003
- Palo Alto Networks: https://researchcenter.paloaltonetworks.com/2018/01/threat-brief-meltdown-spectre-vulnerabilities/
- Pure Storage: https://support.purestorage.com/Field_Bulletins/The_Meltdown_and_Spectre_CPU_Vulnerabilities
- VMware: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
- Aerohive: https://www.aerohive.com/support/security-center/product-security-announcement-aerohives-response-to-meltdown-and-spectre-jan-5-2018/
Most operating system, cloud solutions, and virtualization environments’ vendors have also issued patches that mitigate the Meltdown vulnerability. The patches have been known to introduce some additional latency.
- Microsoft:
- Windows: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/858123b8-25ca-e711-a957-000d3a33cf99
- Azure: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
- Google:
- Android: https://source.android.com/security/bulletin/2018-01-01
- Google Cloud: https://blog.google/topics/google-cloud/what-google-cloud-g-suite-and-chrome-customers-need-know-about-industry-wide-cpu-vulnerability/
- Apple: https://support.apple.com/en-us/HT208394
- Linux:
- RedHat: https://access.redhat.com/security/vulnerabilities/speculativeexecution
- Debian: https://security-tracker.debian.org/tracker/CVE-2017-5754
- Amazon: https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/
The major web browser vendors have released new versions of the browsers, which mitigate at least some parts of the Spectre vulnerability, but due to the issue complexity, we do not foresee the issue to be fully resolved any time soon.
- Google (Chrome): https://www.chromium.org/Home/chromium-security/ssca
- Mozilla (Firefox): https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
- Microsoft (Internet Explorer in Edge): https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056890
Intel has issued a notice that they would be releasing an update for up to 90% of the affected CPUs by January 15. AMD and ARM have also issued notices regarding their CPUs’ vulnerability status:
