What are these two vulnerabilities?

Two distinct vulnerabilities have been announced by various hardware manufacturers that are similar in nature to the Heartbleed vulnerability of a few years ago. Both expose data being processed by your computer’s CPU that should not otherwise be accessible. Let’s look at each vulnerability separately so we can give a meaningful estimate of the risk to you and your company.

Spectre gets its name from “Speculative Instruction” and relates to a performance feature that hardware manufacturers built into their CPUs over 15 years ago: the CPU prefetches data based on algorithms that predict which instructions will be requested and executed next. The best analogy for this I’ve seen is from a New York Times Op-Ed piece[1] that puts it this way:

“A butler pre-pours (or pre-fetches) a second glass of wine for the host of a dinner party before the host requests the glass of wine. If the host declines the wine, the butler disposes of it. However, guests at the dinner party learn what wine is in the host’s wine cellar because they can see what wine was pre-poured before it is disposed of.”
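The pre-pouring in the analogy is the CPU running instructions past a bounds check whose outcome it has not yet confirmed. The C below is an added example, not code from the original article or from Neoscope; it shows an ordinary bounds-checked read (the kind of code the CPU speculates ahead of) next to the branchless index-clamping idiom the Linux kernel uses (its generic array_index_mask_nospec construction), under which even a mispredicted path can only touch an in-range index. The function and array names are my own, the sample data is constructed, and the code assumes a 64-bit GCC or Clang build.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data: the only array this code is meant to read. */
static const uint8_t public_data[8] = {10, 20, 30, 40, 50, 60, 70, 80};

/* An ordinary bounds-checked read. Architecturally it never reads past
 * `len`, but while the comparison is still pending the CPU may predict
 * "in range" and speculatively load buf[idx] for an out-of-range idx. */
uint8_t read_checked(const uint8_t *buf, size_t len, size_t idx) {
    if (idx < len)
        return buf[idx];
    return 0;
}

/* All-ones when idx < len, all-zeros otherwise, computed with plain
 * arithmetic so there is no branch for the predictor to speculate past.
 * Same construction as Linux's generic array_index_mask_nospec(); like the
 * kernel's version it assumes len > 0 and that idx and len are below 2^63.
 * The right shift of a negative long is arithmetic on GCC and Clang. */
size_t index_mask_nospec(size_t idx, size_t len) {
    /* Empty asm stops the compiler from folding the mask away based on the
     * architectural (non-speculative) value of idx. GCC/Clang extension. */
    __asm__ volatile("" : "+r"(idx));
    return (size_t)(~(long)(idx | (len - 1 - idx)) >> (sizeof(long) * 8 - 1));
}

/* Hardened read: even if execution runs ahead of the check, the index
 * used for the load has already been clamped to 0 for out-of-range values,
 * so a mispredicted path cannot touch memory beyond the array. */
uint8_t read_masked(const uint8_t *buf, size_t len, size_t idx) {
    if (idx >= len)
        return 0;
    idx &= index_mask_nospec(idx, len);
    return buf[idx];
}

int main(void) {
    size_t idx[] = {2, 7, 8, 1000};
    for (size_t i = 0; i < sizeof idx / sizeof idx[0]; i++)
        printf("idx=%4zu  mask=%016zx  checked=%3u  masked=%3u\n",
               idx[i], index_mask_nospec(idx[i], sizeof public_data),
               read_checked(public_data, sizeof public_data, idx[i]),
               read_masked(public_data, sizeof public_data, idx[i]));
    return 0;
}
```

Both functions return the same values for every index; the difference is only in what the CPU can do on a mispredicted path, which is exactly why this class of issue is hard to see in source code review and why the fix is applied in compilers, kernels and firmware rather than in application logic.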

Spectre’s Potential Impact, Mitigating Controls, and Remedies: Like guests at the dinner party, an attacker with privileged access to the hardware environment can see the wine pre-poured by the butler, or potentially sensitive data pre-fetched by the CPU. Multi-tenant servers in cloud environments are at greatest risk, because one bad tenant could see server CPU memory (e.g., a password or SSN) belonging to another tenant.

The Spectre vulnerability was privately reported to hardware vendors and has yet to be exploited in the wild, which reduces the overall threat until a proof-of-concept attack is published. The remedy for Spectre is a firmware upgrade to the hardware from your hardware manufacturer.

Risk Rating: Medium for most systems, except multi-tenant cloud systems, where the risk is high. A publicly available exploit would raise the risk to high, and to critical for multi-tenant servers.

Meltdown gets its name from its ability to “melt” the security boundaries that hardware enforces, for example through a JavaScript attack within a browser that reads processor memory.

Meltdown’s Potential Impact, Mitigating Controls, and Remedies: Meltdown is easier to exploit (in theory), because hackers can insert malicious JavaScript into a website to read from CPU memory. Mitigating controls include the fact that this vulnerability was privately reported to operating system vendors many months ago; patches have been released and should already be installed if you are current with your OS vendor’s patching (this includes Android, iOS, Mac, and Windows).

Risk Rating: Because the patch has been released by OS vendors and should already be installed, and because these vulnerabilities were privately reported with no public exploits known, this vulnerability is currently rated medium. If exploit code is released, the rating would increase to high.

Critical Challenges:

  • The Spectre patch has been shown to cause up to a 20% performance slowdown in database applications;
  • Spectre patches have been pulled by many vendors in the last 10 days because of major issues they introduced such as performance issues, reboots, and blue screens; new patches are in the works. Neoscope recommends waiting a few weeks to validate the new patches before installation.

Vendor Responses:

  • For Meltdown, Firefox released a fix in v57; Google rolled their fix in Chrome v64 on Jan. 23rd;
  • Apple has confirmed it’s affected and released updates for iPhones, Macs and Apple TVs;
  • As of Jan. 3 2018, Microsoft released patches for their supported operating systems; and,
  • Detailed CERT Advisory and vendor responses: https://www.kb.cert.org/vuls/id/584653

What should you do?

Spectre:

  • Do not apply any patches until vendors rerelease their patches to eliminate problems; then,
  • Focus on installing firmware updates on external multi-tenant cloud systems as soon as possible;
  • Apply firmware updates on internal hardware systems where performance issues aren’t a concern;
  • Beware of AMD’s CPUs due to the potential of a crashing server (i.e., a blue screen); and,
  • Consider your exposure to IoT devices, as they will need firmware updates and possibly patches too.

Meltdown:

  • Deploy OS patches ASAP for Meltdown on all workstations, laptops, servers, and possibly IoT devices.
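Once the OS patches and firmware updates above are installed, verify that the running system actually reports them in effect rather than trusting the patch inventory. The program below is an added example, not code from the original article or from Neoscope; it assumes a Linux host, where the kernel publishes its view of each issue as a one-line file under /sys/devices/system/cpu/vulnerabilities/ (on Windows, Microsoft’s SpeculationControl PowerShell module serves the same purpose). The function names, the classification rules and the sample status lines are my own; the sample lines are constructed to look like a partially patched host.

```c
#include <stdio.h>
#include <string.h>

/* Linux reports the kernel's view of each issue in one file per name under
 * this directory (present on early-2018 and later kernels). Each file holds
 * a single line beginning "Not affected", "Mitigation: ..." or "Vulnerable",
 * optionally followed by detail. */
#define SYSFS_DIR "/sys/devices/system/cpu/vulnerabilities/"

enum mitigation_status {
    STATUS_NOT_AFFECTED,
    STATUS_MITIGATED,
    STATUS_VULNERABLE,
    STATUS_UNKNOWN   /* file missing or unrecognised text: treat as a finding */
};

static int has_prefix(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Map one status line to a category. Prefix matching deliberately ignores
 * the detail after the keyword (which mitigation, which retpoline variant). */
enum mitigation_status classify_status(const char *line) {
    if (has_prefix(line, "Not affected")) return STATUS_NOT_AFFECTED;
    if (has_prefix(line, "Mitigation:"))  return STATUS_MITIGATED;
    if (has_prefix(line, "Vulnerable"))   return STATUS_VULNERABLE;
    return STATUS_UNKNOWN;
}

const char *status_label(enum mitigation_status s) {
    switch (s) {
    case STATUS_NOT_AFFECTED: return "not affected";
    case STATUS_MITIGATED:    return "mitigated";
    case STATUS_VULNERABLE:   return "VULNERABLE";
    default:                  return "unknown";
    }
}

/* Read the single status line for `name`; returns -1 if the file is absent
 * (older kernel, or not Linux at all), which must not be read as "safe". */
int read_sysfs_status(const char *name, char *buf, size_t n) {
    char path[256];
    snprintf(path, sizeof path, SYSFS_DIR "%s", name);
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    int ok = fgets(buf, (int)n, f) != NULL;
    fclose(f);
    if (!ok) return -1;
    buf[strcspn(buf, "\n")] = '\0';   /* drop the trailing newline */
    return 0;
}

/* Count entries that still need attention (vulnerable or unknown). Takes
 * the status lines as input so it can run on captured text as well as on
 * the live host; a NULL line stands for a missing file. */
int count_findings(const char *const names[], const char *const lines[], size_t n) {
    int findings = 0;
    for (size_t i = 0; i < n; i++) {
        enum mitigation_status s = lines[i] ? classify_status(lines[i]) : STATUS_UNKNOWN;
        printf("%-12s %-13s %s\n", names[i], status_label(s),
               lines[i] ? lines[i] : "(file not present)");
        if (s == STATUS_VULNERABLE || s == STATUS_UNKNOWN) findings++;
    }
    return findings;
}

static const char *const issue_names[] = {"spectre_v1", "spectre_v2", "meltdown"};

/* Constructed sample: what a host with the OS patch but no firmware update
 * might report. Only spectre_v2 should count as a finding. */
static const char *const sample_lines[] = {
    "Mitigation: __user pointer sanitization",
    "Vulnerable: Minimal generic ASM retpoline",
    "Mitigation: PTI",
};

int check_sample(void) {
    return count_findings(issue_names, sample_lines, 3);
}

/* Check the running host; nonzero means something still needs attention. */
int check_host(void) {
    static char bufs[3][256];
    const char *lines[3];
    for (size_t i = 0; i < 3; i++)
        lines[i] = read_sysfs_status(issue_names[i], bufs[i], sizeof bufs[i]) == 0 ? bufs[i] : NULL;
    return count_findings(issue_names, lines, 3);
}

int main(void) {
    printf("-- constructed sample --\n");
    check_sample();
    printf("-- this host --\n");
    return check_host() > 0 ? 1 : 0;
}
```

The exit status makes the check usable from a configuration-management or monitoring job: a host that is missing the files, or that reports “Vulnerable” for any entry, fails the check, so an unpatched or pre-2018 kernel is never silently counted as compliant.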

Neoscope is an enterprise-security focused Managed IT Services company. We’re your IT department if you don’t have one; extra leverage if you do. Customers choose us for the peace of mind we give them by building security into the foundation of all we do.

Visit our website to find out more about our services and to book a FREE onsite cyber-security training with our CISO ($1000 value)!

In 2016 Neoscope was recognized as the 8th fastest growing company in New Hampshire by Inc. 500 Magazine.