Chief Technology Officer/CISO
Situation
On January 3, 2018, researchers, including those with Google Project Zero, released information on three new vulnerabilities:
- CVE-2017-5753: bounds check bypass
- CVE-2017-5715: branch target injection
- CVE-2017-5754: rogue data cache load
They grouped these vulnerabilities under the names “Spectre” (CVE-2017-5753 and CVE-2017-5715) and “Meltdown” (CVE-2017-5754). Comprehensive details on both of these are available at https://meltdownattack.com.
Security updates to address these vulnerabilities began to be released before the disclosure on January 3, 2018, and continue to be released over time because of the uniquely broad nature of these vulnerabilities. At the time of this writing, there are no known active attacks against any of these vulnerabilities.
The recent media articles focus on flaws or vulnerabilities in a modern processor technique known as Speculative Execution and Branch Prediction. To correctly grasp the threat vectors of these vulnerabilities, one must understand what Speculative Execution is and what it provides in today’s computing platforms.
Speculative Execution is the ability of a processor to make reasonable guesses about the future program flow. If the guess is correct, then execution has been sped up for that series of instructions. If the guess is incorrect, those instruction streams are canceled and their state changes (registers, memory, etc.) are reverted. However, speculative execution also has other side effects, such as cache loads, that are not reverted, and these can allow side-channel attacks to leak information. These vulnerabilities divide into three distinct variants, listed above.
Spectre could be used to target multiple processor types to date, including Intel, AMD, and ARM, while Meltdown is specifically an Intel processor vulnerability that exploits privilege escalation specific to Intel processors only. Each variant has slightly different ramifications and threat vectors associated with it.
If you would like an in-depth technical overview of the variants and methodology used to exploit them, we recommend reading the Google Project Zero documentation.
Problem
These vulnerabilities present a unique situation because they are ultimately hardware-based vulnerabilities. All three stem from issues in modern processors and are known to affect Intel, AMD and ARM chips, which means that the operating systems and applications that run on top of these processors are vulnerable.
Because these vulnerabilities affect the processors at the physical layer, the only way to adequately address them is for the processors to be replaced or to have a firmware update. Until then, the makers of operating systems can release, and have been releasing, patches that make the physical-layer vulnerabilities inaccessible, which in turn mitigates the vulnerabilities.
Full technical details on the vulnerabilities are available at the sites referenced above. But the critical point to understand about these threats is that they are information disclosure vulnerabilities that can enable processes and applications to access information they otherwise shouldn’t be able to: user-mode applications can access privileged information in the kernel and throughout the operating system. For regular end-user systems and devices, malware and malicious scripts can use these vulnerabilities to obtain information like usernames, passwords, and account information. For shared-hosting environments like public cloud providers, this means that one hosted customer could potentially access the data of any other customer hosted on the same hardware.
Implication
Because these are information disclosure vulnerabilities, they don’t pose the same, immediate danger as WannaCry/WanaCrypt0r or Petya/NotPetya. They have more in common with the Heartbleed event of 2014. Concerning the severity of the vulnerabilities themselves: they are important, but not critical. They are information disclosure, not code execution, vulnerabilities.
The most significant area of risk is in shared-hosting scenarios. Fortunately, most cloud providers have already deployed security updates and those that haven’t are expected to do so shortly. For end-users and those managing networks, the highest risk these vulnerabilities pose is exploitation by malware seeking to gather information like usernames and passwords from systems.
What makes these vulnerabilities most notable, from a risk assessment point of view, is the breadth of exposure since they conceivably affect nearly every device with a modern processor. The implication is that full mitigation and remediation may not be possible. Older systems (like Windows XP) and devices (like older Android smartphones and IoT devices) will likely never receive fixes for these vulnerabilities.
Need
The actions to take in response to this event are the following:
- Users of shared-hosting (i.e., cloud) services should check with their service provider to confirm they’ve applied security updates to address these vulnerabilities.
- Administrators and end-users should deploy security updates to all systems and devices as early as they’re available.
- Administrators and end-users should consider retiring, as soon as possible, systems and devices that will not be updated.
- Administrators and end-users should use comprehensive network and endpoint security that can help prevent attacks that seek to exploit these vulnerabilities.
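One way to confirm on a Linux host that deployed updates actually took effect, as an added example that is not part of the original advisory: it assumes a kernel that reports per-vulnerability status under /sys/devices/system/cpu/vulnerabilities, and the function names (classify, audit, needs_action) are hypothetical.

```python
from pathlib import Path

# Assumption: the running Linux kernel exposes mitigation status here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# CVE -> (name used in this advisory, kernel status file)
VARIANTS = {
    "CVE-2017-5753": ("Spectre: bounds check bypass", "spectre_v1"),
    "CVE-2017-5715": ("Spectre: branch target injection", "spectre_v2"),
    "CVE-2017-5754": ("Meltdown: rogue data cache load", "meltdown"),
}


def classify(status):
    """Reduce the kernel's free-text status line to one verdict.

    Only the leading keyword is trusted: a 'Mitigation: ...' line may
    list sub-features further along that mention other states.
    """
    s = status.strip()
    for prefix, verdict in (("Not affected", "not_affected"),
                            ("Mitigation", "mitigated"),
                            ("Vulnerable", "vulnerable")):
        if s.startswith(prefix):
            return verdict
    return "unknown"


def audit(sysfs_dir=SYSFS_DIR):
    """Return {cve: (verdict, raw status text)} for the three variants."""
    report = {}
    for cve, (_name, fname) in VARIANTS.items():
        try:
            raw = (Path(sysfs_dir) / fname).read_text().strip()
        except OSError:
            # No status file: this kernel does not report on the issue,
            # so the host cannot be counted as patched.
            report[cve] = ("unknown", "status file missing")
            continue
        report[cve] = (classify(raw), raw)
    return report


def needs_action(report):
    """CVEs that still need an update or a retirement decision."""
    return sorted(cve for cve, (verdict, _raw) in report.items()
                  if verdict in ("vulnerable", "unknown"))


if __name__ == "__main__":
    result = audit()
    for cve, (verdict, raw) in result.items():
        print(f"{cve}  {VARIANTS[cve][0]:<34} {verdict:<13} {raw}")
    print("Needs action:", ", ".join(needs_action(result)) or "none")
```

A host that lists any CVE under "Needs action" falls under the update or retirement items above.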