January 5, 2018

Meltdown and Spectre Vulnerabilities - Quick Overview


If you are reading this post, it means that you have already heard about the critical vulnerabilities discovered in CPUs from different vendors, including Intel, AMD and ARM. If you have been living under a rock, then go to Meltdown and Spectre.

Smartphones, tablets, laptops, PCs, Macs, cloud devices, servers and 99% of CPUs released since 1995 are affected.

What is this about?

Meltdown and Spectre are two major vulnerabilities in modern processors. They undermine the layers of security built by applications on your system, resulting in the leakage of ANY data in clear form, whether it was stored encrypted or not.

In short, even if you are using the most secure password manager with the latest encryption technology to protect your credentials and private information, you need to be worried.

More exploits are underway, but below you can see one demonstration of stealing passwords via the Meltdown vulnerability in real time:
[Embedded demonstration: password theft via Meltdown]

Spectre vulnerability exploitation:
[Embedded demonstration: Spectre exploitation]

When a lower layer of your system (the hardware) is vulnerable to such an extent, the security of the upper layers (the software) does not really matter.

How does this happen?

Normally the CPU isolates the memory of applications from each other and from the kernel, for example by marking kernel addresses as non-accessible from user mode. This design exists for security reasons: we do not want Application A to access sensitive data of Application B stored in memory, because that would allow a malicious actor to reach all your secrets with a single application. Both Meltdown and Spectre exploit flaws in this isolation, resulting in the potential leakage of ANY data stored in memory.

Meltdown affects any operating system running on a vulnerable CPU and does not depend on software vulnerabilities. It enables reading the memory of other processes, and of other virtual machines in the cloud, at a speed of 503 KB/s.

The Spectre attack tricks the processor into speculatively executing instruction sequences that should not have executed during correct program execution. This breaks the isolation between applications and allows one application to access sensitive data in another. The most dangerous part about Spectre is that it can be executed from JavaScript as well, so if you click on a specially crafted malvertisement or visit a website serving malicious JavaScript, you might become a victim of a massive exposure of sensitive data.

Meltdown - allows applications to access arbitrary system memory. After installing malicious software on your system, an attacker can access sensitive data stored in system memory.

Spectre - tricks other applications into accessing arbitrary locations in their own memory. Using malicious code or JavaScript, an attacker may force a specific application to turn over sensitive data from its own memory.

An important issue with these vulnerabilities is that, when exploited, they do not leave any traces or logs, which undermines accountability.

Am I affected?

Windows users can run the following PowerShell commands with elevated privileges to check whether they are affected. This installs Microsoft's SpeculationControl module, runs it and displays the results.

  • Run PowerShell as Administrator
  • Run Install-Module SpeculationControl - installs Microsoft's SpeculationControl module
    • You will be asked to confirm that you want to download and install the module
    • If you receive an error, then most probably you need to change the execution policy of PowerShell by running the following command: Set-ExecutionPolicy Bypass
  • Run Get-SpeculationControlSettings - this checks your system and outputs the results

If you see text in red similar to the screenshot below, it means that your system is affected:
[Screenshot: Get-SpeculationControlSettings output (Meltdown-Spectre-Powershell)]

Linux users can refer to a checking method published on GitHub:
Am I affected by Meltdown?! Meltdown (CVE-2017-5754) checker

Issues with patches and fixes

  1. Microsoft will only deliver the patches to systems that have a specific key in the registry. Microsoft has instructed antivirus vendors that, in order to protect customer devices, they should set a registry value confirming that the patches will not break their software and/or affect their users. So once you have confirmation from your AV vendor that the patches will work as intended, and you don't want to wait for its update to set the value, make the following changes:
    • Open Regedit
    • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
    • Add following DWORD value: cadca5fe-87d3-4b96-b7fb-a231484277cc
  2. Patches that are underway might incur at least 30% performance degradation across all your existing deployments. Therefore you are strongly advised to speak with your cloud service providers ASAP about potential increased costs and available patches.
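The following script is an added example, not code from the original post or from Microsoft. It combines the two Windows checks described above (the SpeculationControl module under "Am I affected?" and the QualityCompat registry value under "Issues with patches and fixes") into one read-only readiness report. It assumes an elevated Windows PowerShell 5.x session with access to the PowerShell Gallery, and it assumes the property names returned by Get-SpeculationControlSettings as shipped in the module's January 2018 release.

```powershell
# Added example (not from the original post). Read-only: it changes nothing
# except installing the SpeculationControl module for the current user.

# Step 1: make the module available. Relaxing the execution policy only for
# this process avoids the machine-wide 'Set-ExecutionPolicy Bypass'.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# Step 2: run Microsoft's check. The cmdlet prints its own verbose report;
# the returned object carries boolean fields (assumed property names below).
$s = Get-SpeculationControlSettings

$report = [ordered]@{
    'Spectre v2 (BTI): hardware support present'    = [bool]$s.BTIHardwarePresent
    'Spectre v2 (BTI): OS mitigation present'       = [bool]$s.BTIWindowsSupportPresent
    'Spectre v2 (BTI): OS mitigation enabled'       = [bool]$s.BTIWindowsSupportEnabled
    'Meltdown (KVA shadow): mitigation required'    = [bool]$s.KVAShadowRequired
    'Meltdown (KVA shadow): OS mitigation present'  = [bool]$s.KVAShadowWindowsSupportPresent
    'Meltdown (KVA shadow): OS mitigation enabled'  = [bool]$s.KVAShadowWindowsSupportEnabled
}

# Step 3: check the antivirus compatibility value that Windows Update looks
# for before offering the January 2018 patches (path and name from the post).
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$regName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$flag = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
$report['AV compatibility value present (patches will be offered)'] = ($null -ne $flag)

# Step 4: one line per item, then an overall verdict. A CPU that does not
# require KVA shadowing (e.g. not affected by Meltdown) is not flagged for it.
foreach ($k in $report.Keys) {
    $status = if ($report[$k]) { 'YES' } else { 'NO ' }
    Write-Output ("[{0}] {1}" -f $status, $k)
}
$meltdownOpen = $s.KVAShadowRequired -and (-not $s.KVAShadowWindowsSupportEnabled)
$spectreOpen  = -not $s.BTIWindowsSupportEnabled
if ($meltdownOpen -or $spectreOpen) {
    Write-Output 'Overall: mitigations incomplete - install firmware/OS updates and re-run.'
} else {
    Write-Output 'Overall: Meltdown and Spectre v2 OS mitigations are active.'
}
```

Lines reported as NO for "OS mitigation enabled" are the ones to act on; the "hardware support present" line only becomes YES after a BIOS/microcode update from the manufacturer.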

What should I do?

  • Install BIOS and firmware updates from the official manufacturers
  • Install the latest operating system patches
    • Note: certain antivirus software might not be compatible with the latest patches, resulting in stop errors a.k.a. "Blue Screen of Death". Before installing patches you are advised to check this with your provider.
  • Keep your browsers and software up to date
  • Amp up your safe browsing game by installing browser plugins that limit which scripts may run
  • Or use browsers like Tor and Brave that limit scripts to some extent
  • Take care of the physical security of your devices - do not give untrusted users access to smartphones, laptops and other devices
  • Do not install suspicious or pirated software - pirated software is well known for exposing users to different types of malware

What should the business do?

  • Warn your employees about the vulnerability and the potential risks in layman's terms and ask them to be vigilant; refer technical audiences to the official research papers
  • Test and install BIOS and firmware updates from the official manufacturers
  • Test and install the latest operating system patches, and check whether your antivirus provider supports those patches
  • Push updates to browsers
  • Block execution of JavaScript on unknown websites - this will increase the load on your team, since you will start receiving calls about broken websites, but it is worth the risk
  • Run installed-software checks and make sure that any unauthorized software is removed
  • Be wary of waves of phishing attacks and prepare countermeasures
  • Contact third parties and vendors and make sure that they are aware of this issue
  • If you are using cloud services, contact the providers, ask for timelines for fixing the vulnerabilities and clarify additional processing costs

Available patches and advisories

Amazon

Apple

ARM

Citrix

Google

Linux

Microsoft

Mozilla

VMware

This post will be updated with new information.