What are they, and what’s the difference?

Meltdown and Spectre refer to computer processor vulnerabilities that the US Computer Emergency Readiness Team (US-CERT) has described as “side-channel attacks that take advantage of the ability to extract information from instructions that have executed on a CPU.” As instructions are digested by a processor, the information is spread-loaded across the machine’s memory and it is this memory content that can be extracted. Three CVEs associated with the attacks have been released:

• CVE-2017-5753

• CVE-2017-5715

• CVE-2017-5754

Hardware vendors have announced en masse their take on the issue as well as how businesses and consumers should respond. Effectively every Intel processor manufactured after 1995 is vulnerable to these exploits, as well as many ARM chips. AMD has stated with confidence that their products have “near zero risk of exploitation” thanks to differences in their architecture.

Meltdown attacks refer specifically to exploits in the way modern processors utilize out-of-order execution. This is a feature that allows resources to be used as soon as they are available during clock cycles and leads to the processing of information out of sequential order. Side-channel information is better described as the details about an encryption process that is neither the ciphertext nor plaintext. Exploitability presents itself if a secret value if required during an operation. According to the official Meltdown paper, an attack consists of the following steps:

1. The content of an attacker-chosen memory location, which is inaccessible to the attacker, is loaded into a register

2. A transient instruction accesses a cache line based on the secret content of the register

3. The attacker uses Flush+Reload to determine the accessed cache line and hence the secret stored at the chosen memory location

Spectre differs insofar that it takes advantage of how CPUs “guess” execution paths by branch prediction and speculative execution. Again, these features were implemented to boost processing power and speed. By injecting incorrect instructions, Spectre also gains the ability to pull information from a system’s memory. Due to the fact that Spectre can be used via Javascript, users should expect updates for all varieties of web browsers. These attacks are uniquely dangerous considering they take advantage of hardware insecurities, and therefore work on most operating systems. Meltdown and Spectre both had source code repositories available on Github, though they appear to have been removed.

Where do we go from here?

Despite the fact that the creators of Meltdown and Spectre believe these vulnerabilities will be around for a long time, vendors have been working collaboratively in order to push out patches to all affected devices. Intel has advised all end-users to await security updates from their respective OS creators. In turn, Microsoft, Apple, VMware and the likes are prompting customers to apply any firmware updates as they are released. US-CERT has been maintaining an up-to-date roster linked to vendor recommendations.

For Windows environments, it’s also important to note that users are responsible for confirming compatibility with their anti-virus supplier before applying any patches. Per Microsoft, “compatibility issues arise when antivirus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot.” Customers utilizing anti-virus that does not set the below registry key will not receive applicable January security updates:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD” Data="0x00000000”

Though it’s best to confirm directly with your anti-virus vendor, a quick reference datasheet can be viewed here.

Explaining these vulnerabilities to your end-users

The staff over at KnowBe4 has been kind enough to create this template, and is encouraging IT professionals to use it and customize it to their specific environments:

"Computer researchers have recently found out that the main chip in most modern computers—the CPU—has a hardware bug. It's really a design flaw in the hardware that has been there for years. This is a big deal because it affects almost every computer on our network, including your workstation and all our servers.

This hardware bug allows malicious programs to steal data that is being processed in your computer memory. Normally, applications are not able to do that because they are isolated from each other and the operating system. This hardware bug breaks that isolation.

So, if the bad guys are able to get malicious software running on your computer, they can get access to your passwords stored in a password manager or browser, your emails, instant messages and even business-critical documents. Not good.

So, What Are We Doing About This?

We need to update and patch all machines on the network. This is going to take some time, some of the patches are not even available yet. We also may have to replace some mission-critical computers to fix this.

In the meantime, we need you to be extra vigilant, with security top of mind and think before you click."

References:

AMD. "An Update on AMD Processor Security". https://www.amd.com/en/corporate/speculative-execution

Bar-El, Hagai. "Introduction to Side Channel Attacks". Discretix Technologies Ltd. Discretix. Web. 6 Jan. 2018.

Kocher, Paul et al. "Spectre Attacks: Exploiting Speculative Execution". University of Pennsylvania; University of Maryland; Graz University of Technology; Cyberus Technology; Rambus, Cryptography Research Division; University of Adelaide; Data61, 2018. Spectre Attack. Web. 6 Jan. 2018.

Lipp, Moritz et al. "Meltdown". Graz University of Technology; Cyberus Technology GmbH; University of Pennsylvania; University of Maryland; University of Adelaide; Data61; Rambus, Cryptography Research Division. 2018. Web. Meltdown Attack. 6 Jan. 2018.

Microsoft. "Important: Windows security updates released January 3, 2018, and antivirus software". Microsoft, 3 Jan. 2018, https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software.

Sjouwerman, Stu. “How To Explain Meltdown And Spectre To Your C-Level and employees.” KnowBe4, KnowBe4, Inc, 5 Jan. 2018, blog.knowbe4.com/how-to-explain- meltdown-and-spectre-to-your-c-level-and-end-users.

US-CERT. "Vulnerability Note VU#584653". US-CERT, 3 Jan. 2018.

https://www.kb.cert.org/vuls/id/584653

#Vulnerabilities