The new year brought a new vulnerability type — the CPU-based Meltdown and Spectre bugs — that’s forcing vendors and IT departments to modify long-standing ways of identifying threats, prioritizing remediation, managing patches and evaluating risk.
“Meltdown and Spectre are different vulnerabilities from what you’re used to seeing,” Jimmy Graham, a Product Management Director at Qualys, said during a webcast on Wednesday.
As a result, it’s essential for organizations to fully understand the nature of these vulnerabilities, stay on top of the latest information, and analyze the vulnerabilities’ impact in their IT environments, in order to stay as safe as possible.
“It’s not a simple [process] of just install a patch and you’re done,” he said.
Graham outlined a number of elements that set Meltdown and Spectre apart, starting with the fundamental issue: They’re hardware flaws. Consequently, the patches and updates being released mitigate the danger, but don’t fully erase the attack surface. That could only be done by physically replacing the affected CPUs.
Also unique is the massive scope of impacted IT assets. Most Intel CPUs released in the past 20 years are affected. Compounding matters is that real operational risks exist when patching these vulnerabilities in certain systems, including degraded performance and complete malfunction.
And of course, the risks are colossal.
Meltdown (CVE-2017-5754) primarily impacts Intel CPUs, although it is also present in some ARM CPUs. It lets an unprivileged user-mode (ring 3) process read all physical memory, including kernel memory: “any process running in the system can access all the contents of physical memory.”
Attackers could steal passwords, grab private keys and do whatever necessary to escalate their system privileges to administrator levels. “Anything that can be stored in memory can be accessed through Meltdown,” Graham said.
Since hackers need to gain a foothold in systems before they can exploit Meltdown, it’s likely it will be part of “chained attacks,” which involve exploiting two or more vulnerabilities in sequence.
Meanwhile, Spectre (CVE-2017-5753, CVE-2017-5715) impacts Intel, AMD, and ARM CPUs by abusing branch prediction and speculative execution, resulting in data leakage from compromised processes.
“An attacker process on a system can access the memory contents of other processes, and can include kernel memory in some circumstances,” Graham said.
The most likely exploit scenario in the short term for Spectre is a JavaScript-based attack, in which JavaScript escapes its sandbox and reads memory it should not be able to reach within the browser process, giving attackers access to cookies and session keys.
Graham noted that successfully exploiting Spectre is “very difficult” because attackers must have detailed knowledge of the victim process, meaning they’d have to know specifically which process they’re going to target.
On the bright side, it’s important to note that, unlike with some recent vulnerabilities like WannaCry and EternalBlue, there have been no reported attacks — yet.
Meltdown can be extensively mitigated using KPTI (Kernel Page Table Isolation) via the OS patches provided by Microsoft, Apple and Linux OS vendors.
“They’re basically moving the kernel into its own segregated memory space. It’s no longer mapped into user space,” Graham said.
Although this still leaves a small window of attack possibilities, it defuses all known attacks.
For Spectre, patches are available via software updates for OSes and apps, and via processor microcode. Right now, the priority should be closing the JavaScript attack vector by patching browsers.
“Even if you don’t have the microcode updates to more completely mitigate Spectre, the browser vendors have made some changes that make it more difficult to exploit Spectre by removing things that a JavaScript attack would need, such as very precise timers,” Graham said.
There are a number of issues that organizations must keep in mind before and after patching Meltdown and Spectre.
For Meltdown, a big caveat is that the patches can seriously affect the performance of certain types of workloads, or make systems unstable. In addition, extra steps are required in some scenarios. For example, Windows systems require an anti-virus software update and a registry key modification before the patch applies.
In the case of Spectre, microcode updates for Linux can be installed from the standard repositories of the major Linux OS vendors, but that is not the case for Microsoft systems. On Windows, users cannot currently update the microcode through OS updates; instead, the microcode has to be obtained via a BIOS update from the system hardware manufacturer. Software on the system must then be recompiled to take advantage of the protections in the new microcode.
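One way to confirm on a Linux host that the mitigations above (KPTI for Meltdown, and the retpoline/microcode-dependent Spectre v2 mitigation) are actually active, rather than only that a patch package was installed. This is an added example, not code from Qualys or the webcast; it assumes a kernel (4.15 or later, or a vendor backport) that exposes `/sys/devices/system/cpu/vulnerabilities/`, and the sample status lines are constructed.

```python
# Added example (not Qualys' or the webcast's code). Linux 4.15+ kernels (and vendor
# backports) expose one status file per issue under
# /sys/devices/system/cpu/vulnerabilities/; reading them shows whether KPTI and the
# Spectre mitigations are actually active on a host, not merely that a package landed.
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample: a host whose kernel has KPTI enabled but whose Spectre v2
# mitigation is incomplete because the compiler/microcode pieces are still missing.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

def classify(status):
    """Map one sysfs status line to mitigated / vulnerable / not_affected / unknown."""
    s = (status or "").strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # missing file: the running kernel predates the status interface

def read_sysfs(base=SYSFS_DIR):
    """Collect the raw status text for each check; None when the file is absent."""
    out = {}
    for name in CHECKS:
        try:
            with open(os.path.join(base, name)) as fh:
                out[name] = fh.read()
        except OSError:
            out[name] = None
    return out

def assess(status):
    """Summarise a status dict; anything not mitigated/not_affected needs attention."""
    summary = {name: classify(status.get(name)) for name in CHECKS}
    # KPTI is what the Meltdown OS patches enable; flag it explicitly.
    summary["kpti_enabled"] = "PTI" in (status.get("meltdown") or "")
    summary["needs_attention"] = [
        n for n in CHECKS if summary[n] in ("vulnerable", "unknown")
    ]
    return summary

if __name__ == "__main__":
    for key, value in assess(read_sysfs()).items():
        print(f"{key}: {value}")
```

An empty `needs_attention` list means every check reports a mitigation or "Not affected"; a kernel without the sysfs files is reported as unknown, which should be treated as unpatched.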
Graham offered the following recommendations for managing the Spectre and Meltdown mitigation process.
“For workstation type devices, I’d focus on patching the underlying OS, because performance concerns are not as great, compared to servers, and patch the browsers as well to start enabling some of these mitigations,” Graham said.
Tests should go beyond simply verifying that updates and patches have been successfully installed; workloads on servers must be tested as well. “You don’t want to be blindly installing these patches on very critical database systems without testing them with some kind of load,” Graham said.
Qualys is continuously updating vulnerability detections, so it now has more than 75 QIDs to determine the patch state for Spectre and Meltdown. Qualys provides both agentless scanning and agent-based detections, so you can use the most appropriate method for any given IT asset.
In addition, Qualys recently rolled out a pre-built Spectre/Meltdown Dashboard to give you visibility into the remediation progress. It can be downloaded from the Qualys Community site.
You can also find detailed and illustrated instructions on how to create Qualys Search Lists, Scan Option Profiles, Remediation Tracking and Patch Reports for Spectre and Meltdown in this article just published to our community site by Debra M. Fezza Reed, Qualys’ Product Manager for Reporting.
We invite you to get many more details by watching a recording of Graham’s webcast, in particular his demo of the new Spectre/Meltdown dashboard and his answers to questions from the audience.