Sadly, the world (and we mean the whole world) is faced with two newly identified hardware vulnerabilities, Meltdown and Spectre. They are OS agnostic because the flaw is in the CPU itself, specifically in speculative execution, the trick modern processors use to run instructions ahead of knowing whether they are needed. Both let code on a machine read memory belonging to other processes, and in Meltdown's case to the operating system kernel, that it should never be able to see. OS patches (and, for Spectre, CPU microcode and firmware updates from your hardware vendor) are the direct fix; Two Factor Authentication, up-to-date Antivirus definitions and the Principle of Least Privilege (PLP) limit what an attacker gains from a stolen secret or from getting code onto the box in the first place.
Upon reading the abstracts on Meltdown and Spectre, I immediately thought of our brothers and sisters in infosec, and then Charles Dickens, and truly, “It was the best of times, it was the worst of times.” Personally, I’ve had the R.E.M. song, It’s the End of the World as We Know It (and I Feel Fine), playing over and over in my head. Except I don’t feel fine.
PLEASE NOTE: The information provided in this blog is the information we have as of Jan 04 2018 16:27 GMT-0700 (MST).
What exactly are Meltdown and Spectre?
Meltdown and Spectre are hardware vulnerabilities that allow a malicious agent to read memory belonging to applications and processes other than its own. That puts SSH keys, certificates, file contents, passwords, browser data (including saved passwords) and the contents of an unlocked password manager in scope: anything held in memory that a normal permission check would protect is reachable. Spectre affects Intel, AMD and ARM designs (for Intel, parts going back to roughly 1995), and it needs no privilege to start from; code in a browser sandbox or an unprivileged account is enough. Meltdown has so far been demonstrated on Intel processors; AMD states its processors are not affected by it, and ARM's security update lists some of its cores as affected. As of this writing those vendor statements, not independent testing, are the basis for that split.
Meltdown (CVE-2017-5754) breaks the boundary between user programs and the kernel: a user-mode program reads kernel memory, which on most systems maps all physical memory, because the CPU fetches it speculatively before the permission check takes effect and leaves a trace in the cache. Spectre (CVE-2017-5753 and CVE-2017-5715) instead tricks a victim program, or the kernel, into speculatively executing its own code on attacker-chosen data, so the victim leaks its own memory through the same cache side channel. For the technical details, read the papers: Meltdown, and Spectre Attacks: Exploiting Speculative Execution.
What are we doing for you?
We are currently building and testing the Microsoft Windows update packages. Those should be released by the time you read this. The updates are part of the normal Windows update stream but are out-of-band, released now instead of on Patch Tuesday, January 9, 2018. For a list of updates, please see our KB article Known Issues January 3, 2018 Windows Cumulative & Security Only Updates.
WARNING: Deploy these patches at your own risk. As with all patches, our packages are only as good as the files received from the software vendor. There are documented cases of the patches causing Blue Screens (BSODs), but we have not been able to confirm this issue in-house. The BSODs reported so far appear to be caused by (big name) Antivirus products making unsupported calls into kernel memory; Microsoft is only offering the update to machines whose AV vendor has set a compatibility registry value, and the affected AV vendors appear to have workarounds. Check with your AV vendor before you deploy.
What else can I do?
Mitigation is what everyone wants. Patching is the direct fix; everything else reduces what an attacker can do with what they read. We recommend Two Factor Authentication for everything that supports it (including your own domain; it is easy), up-to-date Antivirus definitions, the Principle of Least Privilege (PLP), and OS patches. No Antivirus (AV) product detects Meltdown or Spectre themselves, since the attack is ordinary-looking code timing its own memory accesses, but the malware that delivers it may still be caught.
Meltdown already has patches from the major OS vendors (the kernel page-table isolation changes in Linux, Windows and macOS), and third-party software vendors will likely follow soon. Spectre is the harder problem: it is a property of how the CPU predicts branches, so a complete fix needs hardware changes, microcode updates and recompiled software, and some say that will take years. There are partial mitigations in the meantime (browser vendors are reducing timer precision so the cache side channel is harder to measure from JavaScript, and compiler and microcode mitigations are in progress), but for most environments the practical defense today is keeping attacker code off the machine, which is where AV and least privilege come in.
You can check whether a Windows desktop machine is vulnerable to Meltdown (reported as kernel VA shadow) and to Spectre variant 2 (reported as branch target injection) with the SpeculationControl PowerShell module that Microsoft provides. From an elevated PowerShell prompt (PowerShell 5 or later, for Install-Module):
Install-Module SpeculationControl
Import-Module SpeculationControl
Get-SpeculationControlSettings
Below is a sample output from a vulnerable machine:
For Windows Server the order matters: install the update, then set the registry values Microsoft documents for Server editions (the mitigations ship disabled on Server, because of the performance cost), then restart. The protections do not take effect until that restart.
After you have patched, set the registry values and restarted your servers, run the same PowerShell check on them; before that point it will report the mitigations as present but not enabled.
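The steps above, pulled together into one script, as an added example that is not code from the original post or from Microsoft. It checks the AV compatibility value that gates the January update, checks (and optionally sets) the Server-only mitigation values, and then reads the live state from Microsoft's SpeculationControl module. The registry paths and values are the ones Microsoft documented in January 2018; the function names and the summary object are this example's own. It needs an elevated prompt to write to HKLM.

```powershell
#Requires -RunAsAdministrator
# Added example: pre/post-patch checks for the January 2018 Windows updates.
# Registry paths/values are Microsoft's documented ones; function names are ours.

# 1. Antivirus compatibility flag. Windows Update offers the January 2018
#    cumulative update only when an AV product (or an admin) has set this value.
function Test-AvCompatibilityKey {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$name -eq 0)
}

# 2. Server editions only: the mitigations ship disabled and are switched on
#    with these two DWORD values (a restart is required afterwards).
$MmPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Test-ServerMitigationKeys {
    $p = Get-ItemProperty -Path $MmPath -ErrorAction SilentlyContinue
    return ($null -ne $p -and
            $p.FeatureSettingsOverride -eq 0 -and
            $p.FeatureSettingsOverrideMask -eq 3)
}

function Enable-ServerMitigationKeys {
    # Enables both the Meltdown (kernel VA shadow) and Spectre variant 2
    # (branch target injection) mitigations; effective only after a restart.
    New-ItemProperty -Path $MmPath -Name FeatureSettingsOverride -Value 0 `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $MmPath -Name FeatureSettingsOverrideMask -Value 3 `
        -PropertyType DWord -Force | Out-Null
}

# 3. Microsoft's module reports what the running kernel is actually doing,
#    which is the check that matters after the reboot.
function Get-MitigationSummary {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings

    [pscustomobject]@{
        ComputerName                   = $env:COMPUTERNAME
        # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = DC, 3 = server
        IsServer                       = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
        AvCompatKeySet                 = Test-AvCompatibilityKey
        ServerMitigationKeysSet        = Test-ServerMitigationKeys
        # CVE-2017-5715, Spectre variant 2: needs new microcode AND the OS support
        BTIHardwarePresent             = $s.BTIHardwarePresent
        BTIWindowsSupportEnabled       = $s.BTIWindowsSupportEnabled
        # CVE-2017-5754, Meltdown: KVAShadowRequired is $false on CPUs not affected
        KVAShadowRequired              = $s.KVAShadowRequired
        KVAShadowWindowsSupportEnabled = $s.KVAShadowWindowsSupportEnabled
    }
}

# Usage: run the summary; on a server that has been patched but not yet
# configured, enable the keys and schedule a restart.
$summary = Get-MitigationSummary
$summary | Format-List

if ($summary.IsServer -and -not $summary.ServerMitigationKeysSet) {
    Enable-ServerMitigationKeys
    Write-Warning "Server mitigation keys set on $($summary.ComputerName); restart to enable them."
}
```

A machine is protected only when the Enabled values come back True: BTIHardwarePresent being False means the CPU microcode has not been updated yet, and no registry value will change that. Reading the values rather than parsing the module's console text is what lets you fold this into a fleet-wide report.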
The information about these vulnerabilities is being made available at lightning speed, so here are some other valuable resources:
Intel: Security Advisory; Security Research Findings
ARM: Security Update
AMD: Processor Security
Microsoft: Security Update Guide; Antivirus Software Info; Azure blog
Amazon: Security Disclosure
Google: Project Zero Blog; Cloud, G Suite, Chrome
Mozilla: Security Blog
Red Hat: Vulnerability Response
Debian: Security Tracker
Ubuntu: Knowledge Base
SUSE: Vulnerability Response
CERT: Vulnerability Notice VU#584653
MITRE: CVE-2017-5715; CVE-2017-5753; CVE-2017-5754
VMware: Security Advisory VMSA-2018-0002
Citrix: Security Bulletin