Following Internet rumors, security researchers released technical details yesterday about two types of serious vulnerabilities that collectively affect most modern CPU architectures. Dubbed "Meltdown" and "Spectre", these vulnerabilities allow malicious code to read the memory of same system, which could include passwords or other confidential data that would not otherwise be accessible to other programs. Vendors have started to release the first wave of OS and software mitigations for these issues, although important caveats apply.
The fact that there are two different, but closely related classes of vulnerabilities here along with the rush to research and patch them upon public disclosure has led to a lot of initial confusion and speculation. The purpose of this blog post is not to provide an exhaustive overview of Meltdown and Spectre, but instead to provide key points and caveats to help arm stakeholders as they perform risk assessments and implement mitigation plans in their own environments.
Meltdown (CVE-2017-5754), at least for now, only affects modern Intel processors. It leverages an Intel privilege escalation vulnerability and speculative execution to read kernel memory from user land. It is generally easier to patch Meltdown from an OS/software perspective than Spectre. The early vendor/provider announcements about patching these issues typically only refer to Meltdown.
Spectre (CVE-2017-5753 and CVE-2017-5715) affects many modern Intel, AMD, and ARM processors. It leverages branch prediction and speculative execution to read memory from other running programs on the same system. It is more challenging to patch than Meltdown.
Both Meltdown and Spectre are based on aptly-named speculative execution, a common optimization feature of modern CPUs that allows the CPU to perform certain tasks before knowing whether they are actually needed. This is generally faster than having the CPU perform such tasks after it knows they are needed. If it turns out a given speculatively executed task is not actually needed, the results are simply discarded without further effect.
When speculative execution is chained with another vulnerability -- Intel-only privilege escalation in the case of Meltdown and branch prediction in the case of Spectre -- proof of concept exploits are able to use side channels to read the contents of memory on the affected system, including normally privileged memory locations that can leak confidential data such as passwords, encryption keys, or whatever data is being stored in memory by other programs running on the same system. The extent of systems vulnerable to Meltdown and/or Spectre encompasses desktops, laptops, servers, smartphones, and perhaps most seriously, cloud servers / hypervisors.
The real-world impact will vary based on the specific hardware / CPU architecture, virtualization platform, operating systems, patching status, and user accounts in use. Given the right circumstances, it may be possible for an attacker with code execution capability on the targeted system to steal secrets from a different user, or a different VM, or from a VM's hypervisor host.
So far there are no confirmed reports of Meltdown or Spectre attacks in the wild, though it is likely they will commence soon as proof of concept code for web-based attacks are publicized. Also research is still being performed into how to detect Meltdown or Spectre attacks. Detection signatures will help going forward once common exploit code is circulated (especially for web-based remote attacks), but historical detection may be very challenging if not impossible depending on what historical data you have to analyze and what artifacts are left behind by these types of attacks. For example, in a worst case scenario, if a state-sponsored hacking team knew about Meltdown and/or Spectre a year ago and used it selectively, it it likely to have gone unnoticed and may not be detectable after the fact in many cases.
Security researches first disclosed Meltdown and Spectre to CPU manufacturers Intel, AMD, and ARM in June 2017. Since then, and given that replacing hardware is not yet a viable solution in most cases, major OS and software vendors have developed (and in some cases already started to quietly deploy) preliminary patches, mostly for Meltdown. For the major OS vendors, Google (many of the security researchers who first discovered Meltdown and Spectre work for Google's Project Zero) has already made significant progress patching these issues across their products. Microsoft released out-of-band Windows patches on January 3 (with an important caveat about a registry key controlled by your AV vendor). Linux kernel patches are reportedly forthcoming. Apple has not released an official statement, but may have already started to deploy patches as well. (Update: All Macs and iOS devices are vulnerable; Apple has now released a security advisory and some patches, while other patches are in the works; details here.) Regarding web browser-based attack vectors, Mozilla and Chrome have both released mitigation recommendations and plans.
The security implications posed by Meltdown and Spectre for virtualized and cloud environments are particularly concerning. Popular cloud providers including Azure and AWS have already started to deploy patches on their respective hypervisors, though it is generally still up to users to patch their existing VM OSes and ensure they use patched VM images going forward. VMware has released a security advisory and patches for affected products.
There are early reports that such initial patches may reduce CPU performance in certain workloads by 5-30%, although most users should experience slowdowns on the lower end of that spectrum, if any performance impact at all. Some recent Intel CPU models have a feature called PCID that may soften the performance hit post-patch. That said, a new generation of CPUs will likely be required to fully fix these issues at their root cause in the hardware design, without sacrificing performance. (Incidentally, the CERT advisory advises to "Replace CPU hardware" as the only recommended, fully effective solution to the vulnerabilities.)
When reviewing vendor patches, it is important to distinguish between Meltdown and Spectre. Don't assume that a given vendor patch covers both or is completely effective. Again, Meltdown is easier to patch overall, while patching Spectre is more complex; indeed, the researchers note, "As it is not easy to fix, [Spectre] will haunt us for quite some time."
Some patches also come with important caveats; e.g., the Windows patch deployment first requires a registry key value to be set properly by the system's AV software, otherwise a BSOD may result. Microsoft has published detailed Meltdown and Spectre security guides for sysadmins and IT pros, as well as a PowerShell script to query Windows for the status of relevant mitigations. A useful, frequently updated list of relevant vendor advisories and patch status is available here: https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/.
Details about Meltdown and Spectre are still rapidly evolving. If anything critical changes in our understanding, we will update this blog post.
Polito, Inc. offers a wide range of security consulting services including penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.