Assessing and managing the risk of Spectre and Meltdown vulnerabilities


By: Clement Low, Mar 31, 2018

 

Image taken from https://meltdownattack.com under Creative Commons 1.0 (CC0)

At the heart of a computing system, the Central Processing Unit (CPU) executes the code required by applications that are used by billions of people. In the first week of 2018, the Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) attacks were publicly released on the Meltdown Attack site, which discloses major vulnerabilities affecting nearly all modern CPUs that would allow applications to read sensitive data processed on a computer. This includes passwords, credit card numbers and other sensitive data like social-security numbers. Spectre was reported by two independent people: Jann Horn from Google Project Zero and Paul Kocher. Meltdown was independently discovered and subsequently reported by researchers from three teams: Google Project Zero, Cyberus Technology and Graz University of Technology. As the white papers (Spectre, Meltdown) have only recently been published and the research work is not fully matured, there will likely be future updates.

The first impression of the scale and implications of the vulnerabilities can be terrifying, as these are hardware flaws stemming from the CPU, which affect computing systems that reside in many mundane electronics such as personal computers and smartphones, and even in Internet servers running various services and applications. Organizations need to protect themselves from such potential attacks and provide safety assurance to their customers. Thus, this post aims to provide a risk profile of the vulnerabilities and the considerations for strategizing and managing the risks from an independent perspective.

 

Let’s talk about SPECTRE

Spectre attacks induce a victim to speculatively perform operations that would not occur during correct program execution and that leak the victim’s sensitive information via a side channel to the adversary.

During the normal execution of a program, operations are expected to be executed in a linear fashion until a decision needs to be taken. The CPU may be unable to evaluate and determine which decision to take because the data it needs is not yet available. The branch prediction function of the CPU predicts the decision and performs speculative execution of operations ahead of time to maximize performance. In the event of an incorrect prediction, the CPU is designed to revert the results of the incorrect speculative execution to their prior state to maintain correctness. These errors were previously assumed not to have any security implications (Spectre Whitepaper).

However, not all the changes from the incorrect speculative execution are reverted. The state of the microarchitectural parts of the CPU is not reverted, and sensitive data could be stored in the cache. A malicious program could subsequently read the sensitive data from the cache through a side channel attack (Spectre Whitepaper). Side channel attacks are not new and have been around for some time.

 

Let’s talk about MELTDOWN

Similar to Spectre, Meltdown is another class of microarchitectural attack. However, according to the Meltdown Whitepaper, it is distinct in two ways:

1. Meltdown exploits out-of-order executions

2. Meltdown exploits a privilege escalation vulnerability specific to Intel processors, due to which speculatively executed instructions can bypass memory protection

Out-of-order execution is used to maximize CPU performance by executing instructions further down the stream of the program ahead of time. The transient instructions access an attacker-chosen memory location that is inaccessible to the attacker, and the data read from it is eventually stored in the cache. The threat actor would then use a side channel attack to recover the sensitive data from the cache (Meltdown Whitepaper).

 

Assessing the attack vectors and risk

The Spectre attack affects CPUs from Intel, AMD and ARM. Only a subset of architectures and models has been tested and shown to be vulnerable (Spectre Whitepaper). The Meltdown attack only affects Intel CPUs (Meltdown Whitepaper). First, both attacks require tailoring of the exploit to the victim’s unique digital environment. Second, the exploit has to be compatible with the victim’s processor architecture and the victim application. Third, the threat actor would need to induce the execution of transient instructions to read the sensitive data at a chosen location. Therefore, the weaponization of the malware may require a considerable degree of resources and effort, and will likely be a targeted attack.

The Common Vulnerability Scoring System (CVSS) scores released by the Vulnerability Notes Database rate the vulnerabilities as Medium, with the following scores:

· Base: 4.4

· Temporal: 3.4

· Environmental: 5.1

 

Mitigations

There are patches released by major vendors to mitigate the vulnerabilities. A comprehensive reference list can be found at the Meltdown Attack website.

The vulnerabilities have garnered significant attention in the security industry, which is a strong pushing factor for vendors to develop and roll out patches and solutions. However, not all products have patches available for mitigation. Therefore, there is still a likelihood that you are vulnerable and will remain so until a patch is available for a specific product.

A good starting point is to maintain an up-to-date inventory of all your hardware and software assets, which will also be useful for incident response. By looking up the inventory, you can identify the patches available for affected assets and subsequently prioritise the patching process based on asset value. In addition, it is good practice to release announcements to your users or customers. This is to reassure them that appropriate actions have been taken in response to the vulnerabilities. If any actions are required on their end, communicate this to them urgently so that they can be protected. Doing so demonstrates commitment to providing a safe and secure environment with their interests at heart.
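The inventory lookup and value-based prioritisation described above can be sketched as follows. This is an added example, not code from the original post: it assumes Linux hosts whose kernel (4.15 or later) reports per-vulnerability status under `/sys/devices/system/cpu/vulnerabilities`, and the host names, the 1-5 asset-value scale and the sample status strings are constructed for illustration.

```python
from pathlib import Path

# Linux 4.15+ reports per-issue status here; file name -> CVE named in this post.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CVE_BY_FILE = {"spectre_v1": "CVE-2017-5753",
               "spectre_v2": "CVE-2017-5715",
               "meltdown": "CVE-2017-5754"}

def read_local_status(sysfs_dir=SYSFS_DIR):
    """Collect this host's status lines; 'unknown' when the kernel lacks the file."""
    status = {}
    for name in CVE_BY_FILE:
        path = Path(sysfs_dir) / name
        status[name] = path.read_text().strip() if path.is_file() else "unknown"
    return status

def open_cves(status):
    """CVEs not reported as 'Not affected' or 'Mitigation: ...' (unknown fails closed)."""
    return [cve for name, cve in CVE_BY_FILE.items()
            if not status.get(name, "unknown").startswith(("Not affected", "Mitigation"))]

def prioritise(inventory):
    """Hosts with open CVEs, highest asset value first, then most open CVEs."""
    rows = [(h["name"], h["asset_value"], open_cves(h["status"])) for h in inventory]
    rows = [r for r in rows if r[2]]
    return sorted(rows, key=lambda r: (-r[1], -len(r[2]), r[0]))

# Constructed inventory: names, asset values (1-5, hypothetical scale) and status
# strings are sample data, not measurements from real hosts.
SAMPLE_INVENTORY = [
    {"name": "db-01", "asset_value": 5, "status": {
        "meltdown": "Mitigation: PTI",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Vulnerable: Minimal generic ASM retpoline"}},
    {"name": "web-02", "asset_value": 3, "status": {}},  # old kernel, no sysfs files
    {"name": "build-03", "asset_value": 5, "status": {
        "meltdown": "Vulnerable", "spectre_v1": "Vulnerable",
        "spectre_v2": "Vulnerable"}},
    {"name": "amd-04", "asset_value": 4, "status": {
        "meltdown": "Not affected",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Mitigation: Full AMD retpoline"}},
]

if __name__ == "__main__":
    print("local:", read_local_status())
    for name, value, cves in prioritise(SAMPLE_INVENTORY):
        print(f"{name} (asset value {value}): patch for {', '.join(cves)}")
```

A host that cannot report its status is treated as exposed, so unpatched kernels too old to expose the sysfs files stay on the patch list rather than silently dropping off it.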

 

What can you do?

Using a risk centric approach and by harnessing the Defence-in-depth concept in your security strategy, you will be able to reduce the risk exposure from these vulnerabilities to an acceptable level based on your organization’s risk appetite.

The objective of a threat actor exploiting the vulnerabilities is to obtain sensitive data from you or your organization. Start by identifying the assets that process sensitive data, evaluate the security controls in place and identify the areas that are lacking.

Layering security controls increases the difficulty for a threat actor to perform successful reconnaissance, exploit the vulnerability and exfiltrate the sensitive data. Keeping up to date with developments around the vulnerabilities is crucial, as risk factors are dynamic and can change in the future.

 

Conclusion

It is not surprising that major vulnerabilities such as Spectre and Meltdown are released from time to time. It can be costly to rely on patching vulnerabilities as they are discovered and reported to protect your organization. There is a good likelihood that there is a window of vulnerability due to delayed patch releases and time required for patch deployment.

Instead, it may pay off to adopt a proactive approach. It would be more beneficial for organizations to be vigilant and be prepared for security incidents as security risks are rarely reduced to zero. Additionally, building layers of defenses will require organizations to deploy adequate detective and preventive security controls at multiple levels, and perform regular risk assessments of information technology assets.

Clement Low, Cyber Operations Consultant
