Recent Webinar: Building an Adaptive Cyber Resilient Cloud
arrow-white arrow-white Watch now
close

Meltdown and Spectre Vulnerabilities: Where the Real Risks Lie

Posted by Michael Gorelik on January 5, 2018
Find me on:

dubbed Meltdown and Spectre

The IT world is still shaking from the news that most modern processors have severe architecture flaws. This makes it possible for attackers to gain access to user mode and kernel memory data to leak crypto-keys, passwords, memory structures like loaded module addresses and other valuable information. The security flaws potentially affect all major CPUs, including chips manufactured by Intel, AMD and ARM.

--- 

Watch our security alert webinar on-demand in which Morphisec CTO Michael Gorelik, cuts through the noise surrounding the Meltdown and Spectre CPU vulnerabilities and answers live questions. 

WATCH IT NOW!

----

Meltdown and Spectre: No Spectacle, Just Facts

The team at Google Project Zero and independent researchers discovered two techniques to exploit these flaws, dubbed Meltdown and Spectre. They work differently, but both use a side-channel technique that abuses the CPU data cache, branch prediction and speculative execution mechanisms. Dubbed Meltdown allows other processes to read private kernel memory and affects only Intel processors. Spectre, which affects all major processors, enables user-mode applications to extract information from other running processes. 

Where the Real Risks Lie

Meltdown and Spectre are information leakage vulnerabilities as opposed to code execution vulnerabilities. But does the threat really stop at information leakage?

Despite the narrow focus of current media reports, the real risk behind the vulnerabilities in CPUs is not primarily data theft.  Although stealing passwords and other sensitive data from memory is a serious hazard, the bigger problem is that the flaws expose memory structures that can easily be used by cybercriminals for massive, successful exploitations and breaches. In other words, information Meltdown and Spectre harvest could later be used as a pre-stage to remote code execution. Most frequently, memory leakage vulnerabilities are leveraged by cybercriminals as a way to bypass ASLR in an exploitation chain.

Cybersecurity is a perpetual battle to keep attackers from exploiting systems that provide an entry point for their malicious activity. Various defense mechanisms prevent them from understanding the memory structure of their target. This knowledge is crucial for attacks to inject malicious code into the right places seamlessly. The dubbed Meltdown and Spectre vulnerabilities potentially expose the internal memory structure for cybercriminals to utilize at will. We expect to see many more exploits in the near future.

Morphisec vs. Meltdown and Spectre

The Meltdown and Spectre vulnerabilities are examples of Morphisec working as a defense in depth. The vulnerability itself is out of scope because there is no resource being attacked. However, Morphisec will have morphed memory, setting traps and making it difficult to map the memory structure in preparation for an actual exploit. Any attack that begins with exploiting Meltdown or Spectre will be stopped immediately by Morphisec when it gets to the code execution phase.

Are There Attacks Using the Vulnerabilities?

At the moment there are no known attacks that exploit the Meltdown or Spectre vulnerabilities. However, several proof-of-concepts have already been released both for Linux and Windows.

What Should You Do?

Microsoft has already issued a patch for Meltdown for Windows 10, which is automatically pushed if you have Microsoft or other compatible antivirus installed on your system. (More about this in the “Tip” section below.)

Known available patches

  • The following Patches are pushed for Windows 10 versions:
    • Windows 10 Fall Creators Updateis receiving KB4056892 (Build 16299.192)
    • Windows 10 Creators Update Version 17033 gets KB4056891 (Build 15063.850)
    • Version 1607 is getting KB4056890 (Build 14393.2007)
    • 1511 receives KB4056888 (Build 10586.1356) – for enterprise and education only.
    • The original Windows 10 version is receiving KB4056893 (Build 10240.17738) – for enterprise only.
  • Windows 7 patches are also available and will be pushed in the regular Patch Tuesday.
  • Patches to Apple and Linux systems are also available.

Impact of the Update

This was no ordinary bug fix and these patches might bring a significant performance hit. The vulnerability is in the techniques used to make processes run faster. Since the update minimizes the advantage of branch prediction and speculative execution, systems may slow down considerably. Moreover, some security solutions and possibly other types of software are expected to have functionality flaws because they utilize this advanced branch prediction feature extensively.

No Morphisec Conflict

Morphisec does not collide with or prevent the Microsoft security update. However, we still recommend validating whether or not the update was applied as you may have an antivirus preventing it. If you have Windows Defender disabled, even if you are not using an antivirus, you may need to manually set the registry key.  (More on this in the Tips section below.)

Tips

To check if you received the update

  1. In admin mode install a new module in PowerShell:

PS

C:\> Install-Module SpeculationControl

  1. PS C:\>

Get-SpeculationControlSettings

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True 

Warning – Some Antivirus solutions conflict with the update

If you do not have a compatible antivirus, you will not receive the update until your AV vendor adds a specific registry key into the registry system. Some antivirus solutions are not compatible with the update so this key controls when the update is pushed.

To add the Registry Key manually

If you do not want to wait for your antivirus to add the registry key, it can be added manually. Below are the details of the key that needs to be created to receive the update. Please note that some AVs might not be compatible with the update: 

Key="HKEY_LOCAL_MACHINE"
Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD”
Data="0x00000000”

Patch Shared Resources First

We recommend that hardware or resource sharing environments are patched first. Theoretically, Meltdown could be exploited on a single virtual machine, used to compromise a hypervisor, then applied across the entire network.

More About Memory Leakage Vulnerabilities

  • An information disclosure/memory leakage vulnerability is not enough to execute code on its own. It can only be weaponized when used together with other exploits. 
  • Previous memory leakage vulnerabilities, such as Heartbleed, generated a lot of noise but were never used at scale by attackers. 
  • The exception may be attacks targeting the banking industry and PoS malware. Cybercriminals may soon find ways to combine these vulnerabilities with memory-scrapers to access sensitive personal information.