Published on: 18 Jan, 2018
Introduction
During the first week of January 2018, major security flaws were detected in computer chips manufactured by OEMs over the last two decades.
The security flaws are named “Meltdown” and “Spectre”. They allow an attacker to gain access to protected data in computer memory.
Severity Rating: High
CVE ID
Meltdown - CVE-2017-5754
Spectre - CVE-2017-5715, CVE-2017-5753
Working Principle
Meltdown and Spectre involve a malicious program that tries to gain access to protected data by abusing two methods used to speed up computer chips:
out-of-order execution, and speculative execution with branch prediction.
Speculative execution attempts to predict the future in order to work faster. If a program involves multiple logical
branches, the calculations for those branches are done even before the program has to decide which logical branch to follow.
The data from speculative execution is often stored in cache, and the problem arises when caching and speculative execution start interfering
with protected memory. Examples of attacks using Spectre and Meltdown are given below. One example is JavaScript on a website using Spectre
to trick a browser into revealing user details, including passwords. This can also lead to revealing the data of other users, even on virtual
servers, thereby affecting cloud services.
Impact on CII Sectors:
Almost all major Critical Information Infrastructure (CII) organizations might be vulnerable to Meltdown
and Spectre attacks, because the vulnerabilities are inherent in older as well as newer systems. The following concerns/recommendations
apply across all CIIs:
- Server systems should be updated regularly, and the proper security features in the OS should be turned on.
- Outdated browser versions as well as outdated Java versions may lead to theft of customers' online banking information. Hence, keep browsers up to date.
- Install the latest BIOS updates as well as software patches available through OEM updates. This may help mitigate leaks of critical information.
What are the systems affected by Meltdown and Spectre?
Every processor that implements out-of-order execution, and every processor capable of keeping many
instructions in flight, is vulnerable, i.e. desktops, laptops, cloud servers and also smartphones.
Solution
Apply updates as mentioned by various OEM vendors after appropriate testing. Users may get in touch with these vendors for updates as and when they are released.
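One way to confirm on a Linux host that the vendor updates took effect, given here as an added example that is not part of the original advisory: the script maps the three CVE IDs listed above to the kernel's sysfs status files and classifies each one. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (4.15 or later, or a vendor backport); the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes the Linux sysfs interface
# /sys/devices/system/cpu/vulnerabilities (kernel 4.15+ or vendor backport).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cve CVE [DIR] -> prints "CVE sysfs-file state"
check_cve() {
    dir=${2:-$VULN_DIR_DEFAULT}
    case "$1" in
        CVE-2017-5754) file=meltdown ;;     # Meltdown
        CVE-2017-5753) file=spectre_v1 ;;   # Spectre
        CVE-2017-5715) file=spectre_v2 ;;   # Spectre
        *) echo "$1 - unknown"; return 2 ;;
    esac
    if [ -r "$dir/$file" ]; then
        echo "$1 $file $(classify_status "$(cat "$dir/$file")")"
    else
        # File missing: the kernel predates the reporting interface.
        echo "$1 $file unknown"
    fi
}

# report [DIR] -> one line per CVE; returns 1 if any is vulnerable or unknown
report() {
    rc=0
    for cve in CVE-2017-5754 CVE-2017-5753 CVE-2017-5715; do
        line=$(check_cve "$cve" "$1")
        echo "$line"
        case "$line" in
            *" mitigated"|*" not_affected") ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Check this host (or a directory given as the first argument).
report "$@" || echo "Not fully mitigated: apply vendor OS and BIOS updates"
```

An "unknown" result means the kernel cannot report its status, which on a host from this period usually indicates that the kernel update itself is still missing.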
Vendor Information
- AMD: https://www.amd.com/en/corporate/speculative-execution
- ARM: https://developer.arm.com/support/security-update
- Intel: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
- Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
- Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
- Apple: https://support.apple.com/en-hk/HT208394
- Juniper: https://forums.juniper.net/t5/Security-Now/Meltdown-amp-Spectre-Modern-CPU-vulnerabilities/ba-p/317254
- Lenovo: https://support.lenovo.com/in/en/solutions/len-18282
- Microsoft Azure: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
- Citrix: https://support.citrix.com/article/CTX231399
- Linux Foundation: https://lkml.org/lkml/2017/12/4/709
- RedHat: https://access.redhat.com/security/vulnerabilities/speculativeexecution
- SUSE: https://www.suse.com/support/kb/doc/?id=7022512
- Google: https://support.google.com/faqs/answer/7622138
- Mozilla: https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
- Amazon: https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/
- VMware: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
Note of caution:
Visit the proper system vendor’s website to download patches.
Do not use patches from untrusted sources, as this may lead to system hijacking.
In order to exploit any of these vulnerabilities, an attacker must be able to run specially crafted code on the affected system.
Users are advised to keep working backups before applying any patches from vendors.