TACTICAL CYBER INTELLIGENCE REPORT
- Actor Type: II
- Serial: TACREP-018-006-001
- Countries: ALL
- Report Date: 20180106
Source: Red Hat Videos - Meltdown and Spectre in 3 minutes
Meltdown and Spectre are two major flaws that affect all modern computers based on processors from Intel, AMD and ARM. Discovered and named by the team of security researchers as part of Google Project Zero, both of these flaws potentially allow hackers to steal personal data from computers, including cloud servers and mobile devices.
The disclosure date for the flaws was January 9, 2018 but due to premature reports, growing speculation and risk of exploitation, the information was revealed sooner and patches are just being made available for some platforms.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.
Both these critical CPU flaws come down to how a CPU handles cache and optimizes execution techniques which results in a user getting access to kernel memory.
Cache Management and Speculative Execution:
Processors use a concept of rings to protect kernel memory from user programs. x86 processors have lots of rings, but for this issue, only two are relevant: "user" (ring 3) and "supervisor" (ring 0). When running regular user programs, the processor is put into user mode, ring 3. When running kernel code, the processor is in ring 0, supervisor mode, also known as kernel mode.
These rings are used to protect the kernel memory from user programs. The page tables aren't just mapping from virtual to physical addresses; they also contain metadata about those addresses, including information about which rings can access an address. The kernel's page table entries are all marked as only being accessible to ring 0; the program's entries are marked as being accessible from any ring. If an attempt is made to access ring 0 memory while in ring 3, the processor blocks the access and generates an exception. The result of this is that user programs, running in ring 3, should not be able to learn anything about the kernel and its ring 0 memory.
Every modern processor performs a certain amount of speculative execution. For example, given some instructions that add two numbers and then store the result in memory, a processor might speculatively do the addition before ascertaining whether the destination in memory is actually accessible and writeable. In the common case, where the location is writeable, the processor managed to save some time, as it did the arithmetic in parallel with figuring out what the destination in memory was. If it discovers that the location isn't accessible—for example, a program trying to write to an address that has no mapping and no physical location at all—then it will generate an exception and the speculative execution is wasted.
Intel processors, specifically—though not AMD ones—allow speculative execution of ring 3 code that writes to ring 0 memory. The processors do properly block the write, but the speculative execution minutely disturbs the processor state, because certain data will be loaded into cache and the TLB in order to ascertain whether the write should be allowed. This in turn means that some operations will be a few cycles quicker, or a few cycles slower, depending on whether their data is still in cache or not. As well as this, Intel's processors have special features, such as the Software Guard Extensions (SGX) introduced with Skylake processors, which slightly change how attempts to access memory are handled. Again, the processor does still protect ring 0 memory from ring 3 programs, but again, its caches and other internal state are changed, creating measurable differences. (ArsTechnica, 2018)
As these flaws cannot be fixed with a firmware or microcode update alone, an OS-level fix is also required for the affected operating systems. The immediate solution comes in the form of a kernel Page Table Isolation (PTI), which separates the kernel’s memory from user processes. But this solution increases the kernel’s overhead, potentially causing the system to slow down depending on the task and processor model.
Early indications suggest that these patches mostly deal with Meltdown exploits and not Spectre, which again, is harder to exploit and to fix. In order to protect against all instances of Spectre, application-level fixes are to be expected.
- 1. Windows
Microsoft has released an emergency patch this week for Windows 10 that is being applied automatically. Windows 7 and Windows 8 have also received a patch that can be applied manually while automatic updates are rolling out ahead of next Patch Tuesday.
In addition to the patch, Microsoft is warning that some third-party antivirus will create a conflict with the fix and the OS update won't be applied to those systems until the antivirus supports these changes.
Users should expect additional hardware/firmware updates from OEMs and motherboard manufacturers in the short term to complement Microsoft's patch. There is a PowerShell verification script which can be used to test and confirm whether protections have been enabled properly.
- 2. MacOS
Apple has confirmed that all of its iPhones, iPads, and Mac devices are affected by the recently discovered chip flaws. The company has already released OS updates to protect users from the Meltdown attack, and a patch for Spectre will arrive "in the coming days.”
Apple released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown, adding that these updates do not slow down the devices. As the Apple Watch doesn’t use Intel chips, it is not affected.
- 3. Linux
Linux kernel developers have a set of patches named kernel page-table isolation (KPTI) released in kernel 4.15 (currently in RC).
- 4. Android
According to Google, devices with latest security updates are protected.
- 5. Cloud Services
Companies using virtualized environments are the biggest potential targets for those looking to exploit the vulnerability. Microsoft Azure, Amazon AWS and Google Cloud are all implementing fixes and claim they have already mitigated some of the risk. Expect scheduled downtime of several cloud services in the coming days.
- Update to the latest version of Chrome (on January 23rd) or Firefox 57 if using either browser
- Check Windows update and ensure KB4056892 is installed for Windows 10
- Check your PC OEM website for support information and firmware updates and apply any immediately.
Author: Wapack Labs, Asia Desk
Contact the Wapack Labs for more information: 603-606-1246, or firstname.lastname@example.org.