The IT world is still shaking from the news that most modern processors have severe architecture flaws. This makes it possible for attackers to gain access to user mode and kernel memory data to leak crypto-keys, passwords, memory structures like loaded module addresses and other valuable information. The security flaws potentially affect all major CPUs, including chips manufactured by Intel, AMD and ARM.
---
Watch our security alert webinar on-demand in which Morphisec CTO Michael Gorelik, cuts through the noise surrounding the Meltdown and Spectre CPU vulnerabilities and answers live questions.
----
The team at Google Project Zero and independent researchers discovered two techniques to exploit these flaws, dubbed Meltdown and Spectre. They work differently, but both use a side-channel technique that abuses the CPU data cache, branch prediction and speculative execution mechanisms. Dubbed Meltdown allows other processes to read private kernel memory and affects only Intel processors. Spectre, which affects all major processors, enables user-mode applications to extract information from other running processes.
Meltdown and Spectre are information leakage vulnerabilities as opposed to code execution vulnerabilities. But does the threat really stop at information leakage?
Despite the narrow focus of current media reports, the real risk behind the vulnerabilities in CPUs is not primarily data theft. Although stealing passwords and other sensitive data from memory is a serious hazard, the bigger problem is that the flaws expose memory structures that can easily be used by cybercriminals for massive, successful exploitations and breaches. In other words, information Meltdown and Spectre harvest could later be used as a pre-stage to remote code execution. Most frequently, memory leakage vulnerabilities are leveraged by cybercriminals as a way to bypass ASLR in an exploitation chain.
Cybersecurity is a perpetual battle to keep attackers from exploiting systems that provide an entry point for their malicious activity. Various defense mechanisms prevent them from understanding the memory structure of their target. This knowledge is crucial for attacks to inject malicious code into the right places seamlessly. The dubbed Meltdown and Spectre vulnerabilities potentially expose the internal memory structure for cybercriminals to utilize at will. We expect to see many more exploits in the near future.
The Meltdown and Spectre vulnerabilities are examples of Morphisec working as a defense in depth. The vulnerability itself is out of scope because there is no resource being attacked. However, Morphisec will have morphed memory, setting traps and making it difficult to map the memory structure in preparation for an actual exploit. Any attack that begins with exploiting Meltdown or Spectre will be stopped immediately by Morphisec when it gets to the code execution phase.
At the moment there are no known attacks that exploit the Meltdown or Spectre vulnerabilities. However, several proof-of-concepts have already been released both for Linux and Windows.
Microsoft has already issued a patch for Meltdown for Windows 10, which is automatically pushed if you have Microsoft or other compatible antivirus installed on your system. (More about this in the “Tip” section below.)
This was no ordinary bug fix and these patches might bring a significant performance hit. The vulnerability is in the techniques used to make processes run faster. Since the update minimizes the advantage of branch prediction and speculative execution, systems may slow down considerably. Moreover, some security solutions and possibly other types of software are expected to have functionality flaws because they utilize this advanced branch prediction feature extensively.
Morphisec does not collide with or prevent the Microsoft security update. However, we still recommend validating whether or not the update was applied as you may have an antivirus preventing it. If you have Windows Defender disabled, even if you are not using an antivirus, you may need to manually set the registry key. (More on this in the Tips section below.)
PS
C:\> Install-Module SpeculationControl
Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True
If you do not have a compatible antivirus, you will not receive the update until your AV vendor adds a specific registry key into the registry system. Some antivirus solutions are not compatible with the update so this key controls when the update is pushed.
If you do not want to wait for your antivirus to add the registry key, it can be added manually. Below are the details of the key that needs to be created to receive the update. Please note that some AVs might not be compatible with the update:
Key="HKEY_LOCAL_MACHINE"
Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD”
Data="0x00000000”
We recommend that hardware or resource sharing environments are patched first. Theoretically, Meltdown could be exploited on a single virtual machine, used to compromise a hypervisor, then applied across the entire network.