
A meltdown: Urgent vulnerabilities affecting all major processors

INSIGHT ARTICLE

Executive summary

Earlier this week, security researchers from Google’s Project Zero, German technology firm Cerberus Security and various universities [1] discovered two vulnerabilities in all modern-day central processing units (CPUs), including those from Intel, ARM and AMD. CPUs are the figurative brains of a computer or system, and they perform essentially all forms of data processing as well as core system functions. This requires them to have full access to the system memory, which can contain extremely sensitive data, including passwords, personal photos and emails, and encryption keys. Attackers may use the recently discovered vulnerabilities to manipulate CPUs to allow them to steal sensitive data from almost all modern systems.

Due to the way the attack is executed, anti-virus, anti-malware, or other types of endpoint protection may have a difficult time detecting such activities. In addition, the exploitation of either version of the vulnerability will leave no trace within traditional security log files, making monitoring or responding to this attack nearly impossible. Lastly, according to the United States Computer Emergency Response Team (U.S. CERT), fully removing the vulnerability requires fully replacing vulnerable CPU hardware, which leaves affected organizations in a situation in which a series of compensating controls might be needed to manage the risk.

Who is affected by these vulnerabilities?

Intel, ARM and AMD CPUs are all exposed to these vulnerabilities. This would affect virtually all Linux and Windows versions, OS X versions prior to High Sierra 10.13.2, containerization solutions (Docker, LXC, OpenVZ), and some paravirtualization hypervisors (such as Xen PV). All systems are affected by this vulnerability, including desktops, servers, cloud and internet of things (IoT) devices. In addition to CPU manufacturers, companies including Google, Amazon and Apple are in the midst of pushing automatic security updates for software and firmware.

Vulnerability Information

The two attacks, now known as Meltdown and Spectre, were used in exploiting three vulnerabilities related to how the CPU accesses a system’s running memory. [2] In both of these attacks, the CPU’s memory storage area, which is designed to be private and only readable by approved processes, was manipulated via malicious code, with the end result being that the private memory was exposed and readable. This proof-of-concept code has since been expanded and theoretically shows that the attack can be carried out via malware, rogue applications or even via browsing malicious websites which force the system to execute malicious JavaScript.

While the flaw is very technical in nature, at a high level, the CPU is leaking memory because of how modern processors perform speculative execution. This is an intentional design built into processors which significantly speeds up a CPU’s operations by allowing the chip to guess what areas of memory will be needed next and loading them to be processed. If the CPU makes a correct prediction, then processing speeds are significantly enhanced, and if its prediction is incorrect, not much is lost, as the CPU will then load the correct memory with only a minimal delay. The researchers found that they could force the CPU to load specific areas of memory, including typically protected areas that contained passwords, encryption keys and other sensitive information.

Competing CPU companies have spent decades attempting to achieve a competitive advantage by continuously refining these branch prediction architectures, which results in almost all chipsets being vulnerable to these weaknesses. Both versions of the attacks, Meltdown and Spectre, take advantage of this segregation flaw in different ways but with similar results, which means the threat is similar across almost all types of modern systems.

It should be noted that for the attack to come to fruition, an attacker must be in a position to force the targeted system to run some version of the malicious code. In general, this would entail an attacker compromising a system via traditional methods (hacking, malware, credential theft, etc.) and then introducing the malicious code. The risk of this version of the attack would be high but not critical, as the attacker must first gain access to the system, which implies that most of the damage has already been done. However, a more dangerous version of the attack is theoretically possible via malicious code hosted on websites. In this version of the attack, malicious code (most likely JavaScript) is hosted on a web page and a victim is somehow lured to that site. This would most likely be via a please-click-this-link type of phishing email. In this scenario, when the victim browses to the website, the malicious code is loaded into the system memory by the web browser, executed, and the resulting leaked memory is then exported to the attacker. This scenario should truly be considered a critical risk.

For technical information regarding the exploits, please visit this site.

What should you do?

RSM’s threat intelligence teams and partners have designated these vulnerabilities as high to critical risks depending on the technical details of the environment. Threat analysis of various Deep and Dark Web locations shows very few references to the Meltdown or Spectre exploits being used in the past 60 days, but it is reasonably expected that such activity will significantly increase with the publication of the technical details of the exploits.

While there have been several potentially disturbing proof-of-concept exploit code examples released, to our knowledge this has not been exploited yet in the wild. Reliably exploiting these vulnerabilities in the wild may prove challenging for all but the most advanced attackers. The next couple of weeks will help to determine whether the proof-of-concept code is deployed widely in a stable, repeatable manner. If this comes to pass, the overall risk of the issue will increase significantly.

In the meantime, organizations will have limited options to mitigate this risk:

  1. Monitor company (both operating system vendor and system manufacturer) websites for updates on securing these vulnerabilities. Most major vendors are rapidly developing patches to attempt to protect from these attacks, so expect them to be released within the next week. However, organizations should thoroughly test and validate that these patches do not break existing software. The fixes implemented in these patches will most likely alter the memory access methods used by CPUs, which will most likely have very unpredictable results across operating systems and applications.
  2. Update anti-malware, anti-virus and endpoint protection software as soon as updates are released. As mentioned, traditional solutions will likely not be able to detect the actual attack. However, as malware is developed which uses these attacks, these solutions may detect the signatures of the malicious binaries and kill their operations before the exploits can be delivered.
  3. Consider increasing the sensitivity and various thresholds on spam filters, proxies and other protective solutions in order to limit the ability of attackers to send phishing emails that will lure users to malicious websites. For at least the near future, it is probably better to accidentally block a few valid emails or websites than it is to allow potentially malicious emails, attachments or website code to enter the environment.
  4. Aggressively update signatures on intrusion detection systems, security information and event management (SIEM) programs and other monitoring software that can alert you to potentially malicious traffic, IP addresses or websites interacting with your environment.
  5. Increase security awareness training for employees to make sure they are aware of the situation. Warn them to be cautious about opening attachments, clicking on external links within emails and visiting unfamiliar websites.
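
One way to carry out the patch validation in step 1 on Linux hosts, as an added example that is not part of the original article: recent Linux kernels (4.15 and later) publish a status file per CPU flaw under /sys/devices/system/cpu/vulnerabilities, and the script maps those files to the three CVEs in endnote 2. The function names and the sample directory are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Linux 4.15+ exposes one status file per CPU flaw here (assumption: Linux host).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# sysfs file name -> CVE listed in the article's endnote 2.
CVE_FILES = {"spectre_v1": "CVE-2017-5753",
             "spectre_v2": "CVE-2017-5715",
             "meltdown": "CVE-2017-5754"}

def classify(status):
    """Map a kernel status string to a coarse verdict."""
    text = status.strip().lower()
    for prefix, verdict in (("not affected", "not_affected"),
                            ("mitigation", "mitigated"),
                            ("vulnerable", "vulnerable")):
        if text.startswith(prefix):
            return verdict
    return "unknown"

def audit(base=SYSFS_DIR):
    """Return {cve: (verdict, raw_status)} for each CVE in CVE_FILES."""
    report = {}
    for name, cve in CVE_FILES.items():
        try:
            raw = (Path(base) / name).read_text().strip()
            report[cve] = (classify(raw), raw)
        except OSError:
            # No file: the kernel predates the interface or hides the state.
            report[cve] = ("unknown", "status file missing")
    return report

def needs_attention(report):
    """CVEs that are neither mitigated nor reported as not affected."""
    return sorted(c for c, (v, _) in report.items()
                  if v in ("vulnerable", "unknown"))

def sample_dir():
    """Constructed sample of a partially patched host (not real output)."""
    d = Path(tempfile.mkdtemp())
    (d / "meltdown").write_text("Mitigation: PTI\n")
    (d / "spectre_v1").write_text("Vulnerable\n")
    return d  # spectre_v2 is deliberately absent

if __name__ == "__main__":
    result = audit(SYSFS_DIR if SYSFS_DIR.is_dir() else sample_dir())
    for cve, (verdict, raw) in sorted(result.items()):
        print(f"{cve}: {verdict:<12} {raw}")
    raise SystemExit(1 if needs_attention(result) else 0)
```

The non-zero exit code when any CVE is vulnerable or unconfirmed lets the script run from a configuration-management or monitoring job before and after a patch is rolled out.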

 

ENDNOTES

[1] University of Pennsylvania, University of Maryland, Ramburg, Graz University of Technology and University of Adelaide
[2] CVE-2017-5753, CVE-2017-5715, CVE-2017-5754
