While there is no shortage of data breaches and new exploits in any given year, it’s relatively rare for there to be an entirely new class of vulnerabilities to be publicly disclosed, but that’s what has happened this year with Spectre and Meltdown.
The Spectre and Meltdown flaws were publicly disclosed on Jan. 3, ushering in a new era of vulnerabilities that hardware and software vendors, as well as end users, will be dealing with for years to come.
So what are the threats and what are Meltdown and Spectre all about?
The way that most modern CPUs work, including silicon from Intel, AMD and ARM, is that in order to improve performance, they make use of a technique known as speculative execution. With speculative execution, the CPU predicts what will be needed next for a given process. With the Meltdown and Spectre flaws, an attacker could theoretically abuse the speculative execution model to read system memory and potentially get unauthorized access to information.
When Meltdown and Spectre were first disclosed, there were three variants. As of today, there are now at least seven publicly disclosed variants, with experts expecting more to come in the months and years ahead.
1. Bounds Check Bypass (CVE-2017-5753)
Variant 1 was among the first three issues that were included in the Jan. 3 disclosure. This flaw could enable an attacker to abuse an operating system kernel (Windows, Mac OS, Linux or otherwise) to read the memory of another system process.
2. Branch Target Injection (CVE-2017-5715)
Variant 2 abuses the CPU branch predictor function to potentially enable an attacker to read data from an operating system kernel.
3. Rogue Data Cache Load (CVE-2017-5754)
The last of the original three variants disclosed on Jan. 3, Variant 3 abuses memory page tables to read operating system kernel data from userspace.
3a. Rogue System Register Read (CVE-2018-3640)
Variant 3a was disclosed on May 21. According to the US-CERT advisory on it, “Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side channel analysis and obtain sensitive information.”
4. Speculative Store Bypass (CVE-2018-3639)
Variant 4 was reported the same day as 3a. US-CERT warned that when exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. While implementation is complex, this side channel vulnerability could allow less privileged code to read arbitrary privileged data and run older commands speculatively, resulting in cache allocations that could be used to exfiltrate data by standard side channel methods.
5. Lazy Floating Point State Restore (CVE-2018-3665)
Variant 5 was first disclosed on June 13. “System software may utilize the Lazy FP state restore technique to delay the restoring of state until an instruction operating on that state is actually executed by the new process,” Intel warned in its advisory. “Systems using Intel Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel.”
6. L1TF – L1 Terminal Fault “Foreshadow” (CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646)
The seventh (and currently most recent) Meltdown and Spectre flaw was publicly disclosed on Aug. 14. Foreshadow is actually a collection of three vulnerabilities identified as CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646. Foreshadow vulnerabilities could have potentially enabled an attacker to extract privileged information from both vulnerable CPUs as well as hypervisors and even Intel Software Guard Extension (SGX) secure enclave technologies.
There has been no shortage of warnings about how serious the Meltdown and Spectre bugs are for all IT users, with some warnings more accurate than others.
Greg Kroah-Hartman, who maintains the stable branch of the Linux kernel, gave a talk at the Open Source Summit in August about the vulnerabilities, explaining to Linux developers the precise impact. Kroah-Hartman said the bugs could enable someone to have access to memory that they shouldn’t be able to read.
“These are nasty, nasty bugs,” Kroah-Hartman said.
He said that with the Meltdown/Spectre flaws, it’s possible to trick the CPU into giving read access to memory, but it doesn’t enable new memory writes. Where the flaws have particular impact is for virtual machine usage and the cloud, where an attacker could potentially get access to read another user’s system memory.
“So you can start reading stuff from other people’s machines or virtual machines, that’s what’s so scary,” Kroah-Hartman said.
Just because security researchers disclose that something can be exploited doesn’t necessarily mean that it’s an immediate risk to an enterprise. To date, there have been no public reports of data breaches that have been directly attributed to any of the Meltdown and Spectre flaws.
That said, since Meltdown Spectre are memory-related exploits, detection is a difficult task. Meltdown and Spectre vulnerability attacks are likely only unknown at this point due to a lack of forensic evidence and the challenges of root cause analysis for fileless memory attacks.
While there is no real world evidence currently of Meltdown and Spectre attacks in the wild, it is critically important that organizations take steps to protect themselves.
As a CPU-based set of vulnerabilities, Meltdown and Spectre are different than nearly every other type of flaw that an organization faces. No single patch will fix Meltdown and Spectre. Rather what is required is a combination of “micro-code” patches from CPU vendors as well as operating system patches.
The first step in Meltdown Spectre defense is patch management. Make sure your organization is fully up to date on all operating system patches. Patching micro-code is significantly harder. Intel maintains an actively updated set of guidelines on its latest Meltdown and Spectre micro-code updates at: https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf (PDF).
Defense in depth is critical as part of any vulnerability risk reduction program. Part of that can come from active monitoring of logs that are collected in a SIEM (security information and event management) system.
The use of digital loss prevention (DLP) technology can also be helpful, that way in the event an attacker is able to read from memory, privileged information still won’t be able to make it out of the organization.
Though the use of encryption for data, as well as the use of password vaults, it’s possible to make it more difficult for an attacker to make use of data that is stolen from memory using a Meltdown/Spectre vulnerability.
EDR and UEBA
In the final analysis, while Meltdown and Spectre represent a new class of vulnerability, there are existing tools and best practices that organizations can employ to help limit risk.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.