Meltdown & Spectre Vulnerabilities





Published on: 18 Jan 2018


Introduction


During the first week of January 2018, major security flaws were detected in computer chips manufactured by OEMs over the last two decades. The flaws are named “Meltdown” and “Spectre”. They allow an attacker to gain access to protected data in computer memory.

Severity Rating:
High


CVE ID


Meltdown - CVE-2017-5754
Spectre    - CVE-2017-5715, CVE-2017-5753

Working Principle


Meltdown and Spectre involve a malicious program that tries to gain access to protected data by abusing two techniques used to speed up computer chips: out-of-order execution, and speculative execution with branch prediction. Speculative execution attempts to predict the future in order to work faster. If a program involves multiple logical branches, the calculations for those branches are done even before the program has to decide which logical branch to follow. The data from speculative execution is often stored in cache, and the problem arises when caching and speculative execution start interfering with protected memory. An example of an attack using Spectre is JavaScript on a website trying to trick a browser into revealing user details along with passwords. This can also lead to revealing data of other users, even on virtual servers, thereby affecting cloud services.

Impact on CII Sectors:


Almost all major Critical Information Infrastructure (CII) organizations might be vulnerable to Meltdown and Spectre attacks, because the vulnerabilities are inherent in older as well as new systems. The following concerns/recommendations apply across all CIIs:

  1. Server systems should be updated regularly, and proper security features in the OS should be turned on.
  2. Outdated browser versions as well as Java versions may lead to theft of customers' online banking information. Hence, keep browsers up to date.
  3. Install the latest BIOS updates as well as software patches available through OEM updates. This may help mitigate leaks of critical information.

What are the systems affected by Meltdown and Spectre?


Every processor that implements out-of-order execution, and every processor capable of keeping many instructions in flight, is vulnerable; this covers desktops, laptops, cloud servers and also smartphones.

Solution


Apply updates as mentioned by various OEM vendors after appropriate testing. Users may get in touch with these vendors for updates as and when they are released.
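One way to confirm on a Linux host that the OS-level updates took effect, as an added example that is not part of the original advisory: patched Linux kernels report per-issue status under `/sys/devices/system/cpu/vulnerabilities`, and the script below maps those files to the CVE IDs listed above. The function names and the OK / VULNERABLE / UNKNOWN verdicts are choices made for this example.

```python
"""Report kernel-side mitigation status for the three CVEs in this advisory."""
from pathlib import Path

# Patched Linux kernels expose one status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> CVE ID as listed in the advisory
CVE_FILES = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}

def classify(status):
    """Map a kernel status line to OK / VULNERABLE / UNKNOWN."""
    text = status.strip()
    if text.startswith("Not affected") or text.startswith("Mitigation"):
        return "OK"
    if text.startswith("Vulnerable"):
        return "VULNERABLE"
    return "UNKNOWN"  # empty or unrecognised line: needs manual review

def check_host(base=SYSFS_DIR):
    """Return {cve: (verdict, raw_status)} for each CVE in CVE_FILES."""
    report = {}
    for name, cve in CVE_FILES.items():
        try:
            raw = (Path(base) / name).read_text().strip()
        except OSError:
            # No status file: the kernel does not expose this interface
            # (or the host is not Linux), so flag it for a manual check.
            report[cve] = ("UNKNOWN", "status file missing")
            continue
        report[cve] = (classify(raw), raw)
    return report

def needs_attention(report):
    """CVE IDs whose verdict is anything other than OK, sorted."""
    return sorted(cve for cve, (verdict, _) in report.items() if verdict != "OK")

if __name__ == "__main__":
    result = check_host()
    for cve, (verdict, raw) in sorted(result.items()):
        print(f"{cve}: {verdict} ({raw})")
    raise SystemExit(1 if needs_attention(result) else 0)
```

The script reports only what the kernel states about itself; BIOS/firmware and browser updates recommended in this advisory have to be verified separately.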

Vendor Information



  1. AMD: https://www.amd.com/en/corporate/speculative-execution

  2. ARM: https://developer.arm.com/support/security-update

  3. Intel: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

  4. Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

  5. Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel

  6. Apple: https://support.apple.com/en-hk/HT208394

  7. Juniper: https://forums.juniper.net/t5/Security-Now/Meltdown-amp-Spectre-Modern-CPU-vulnerabilities/ba-p/317254

  8. Lenovo: https://support.lenovo.com/in/en/solutions/len-18282

  9. Microsoft Azure: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

  10. Citrix: https://support.citrix.com/article/CTX231399

  11. Linux Foundation: https://lkml.org/lkml/2017/12/4/709

  12. RedHat: https://access.redhat.com/security/vulnerabilities/speculativeexecution

  13. SUSE: https://www.suse.com/support/kb/doc/?id=7022512

  14. Google: https://support.google.com/faqs/answer/7622138

  15. Mozilla: https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/

  16. Amazon: https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

  17. VMware: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

Note of caution:


Visit the appropriate system vendor’s website to download patches. Do not use patches from untrusted sources, as this may lead to system hijacking. In order to exploit any of these vulnerabilities, an attacker must be able to run specially crafted code on the affected system. Users are advised to keep working backups prior to applying any patches from vendors.
