By: Almi Dumi
Chief Information Security Officer at eMazzanti Technologies
Meltdown and Spectre are the latest cyber security threats that is making the news! Not sure how these threats may affect you? Wondering what you need to do to protect yourself and your business? eMazzanti Technologies has been working tirelessly with our partners and hardware vendors to ensure that our client base has taken the appropriate steps to protect their data. Below we have given you a helpful summary of what these threats are and what steps have been taken thus far to mediate the vulnerabilities:
The Difference between Meltdown and Spectre:
An attack relying on processors equipped with out-of-order execution capabilities. Attackers can read important personal data and passwords from arbitrary kernel-memory locations without any privilege escalation. Effectively Meltdown is a race condition between the address fetch and corresponding permission.
Affects Intel, AMD and ARM processors. Relies on branch prediction technology and speculative execution to maximize performance. For example the CPU tries to guess the destination of a branch and execute ahead. This also is a side channel attack that tries to induce the victim to speculatively perform operations that would not occur during correct program execution.
Meltdown was initially reported by Jann Horn, Werner Haas, Thomas Prescher, Daniel Gruss, Mortiz Lipp, Stefan Mangard and Michael Schwarz.
Spectre was initially reported by Jann Horn, Paul Kocher, Daniel Genkin, Mike Hamburg, Mortiz Lipp and Yuval Yarom.
Desktops, laptops and cloud computers. Meltdown is not specific to any operating system or software vulnerability. This attack bypasses the hardware enforced physical isolation of security domains. The vast majority of modern processors are vulnerable to this attack like Intel processors since 2010.
Desktops, laptops, cloud computers and smartphones. Billions of devices using Intel, AMD and ARM processors with speculative execution capabilities vulnerable to this attack. This attack was successfully mounted on Samsung, Qualcomm and a variety of other mobile devices using ARM architecture.
Attacker chooses the location and loads into a register. A transient instruction accesses a cache line based on the secret content of the chosen register. Use Flush+Reload to determine the cache line. By repeating these steps an attacker can read the content stored in kernel memory. This attack is capable of reading the contents of the entire physical memory.
Attack is performed in multiple phases leveraging conditional branch mispredictions as well as misdirection of targets of indirect branches. Adversaries perform conditions to retrain the processor in order to exploit it using an erroneous speculative . A side channel is used to extract the information using a false prediction. Flush+Reload or Evict+Reload attack.
It is important to note that the exploitation of either one of the vulnerabilities is virtually untraceable and almost impossible to detect. The attacks leverage technologies developed to improve performance on processors affecting millions using personal and cloud computing as well as mobile devices such as smartphones.
As a countermeasure to Meltdown software companies such as Microsoft and Apple have rolled out patches to protect against side-channel attacks and prevent kernel space and physical memory mapping available in user space. These are the changes recommended in the KAISER approach. However, X86 platforms remain vulnerable due to architectural limitation that require privileged memory location mapping in user space. This leaves a residual attack surface that could be leveraged to gain pointers and overcome the randomization by calculating the pointer value. The KAISER patch used to mitigate the Meltdown attack does not protect against Spectre. These attacks require different defenses.
As technology evolves it introduces complexity and new risk factors. Both Meltdown and Spectre seem to utilize technology developed to maximize performance on processors used in a variety of devices on-premise and in the cloud. Exploitation depends on a number of factors such as the victim’s CPU, architecture and the ability of the attacker to interact with the victim. More information about these vulnerabilities and the attack methodology is available in the white pages included in this article. Google Project Zero maintains a site with updated information relevant to this subject.
These vulnerabilities are not new. In fact, they were discovered mid-2017 so vendors such as Microsoft, Apple and others have been working on addressing this issue for quite some time. Microsoft released the patches to the Windows insider community sometime late last year and has already released an out-of-bound update on January 3rd 2018 available to the rest of the ecosystem. [KB4056892 https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892 ] In order for the update to apply successfully and without any complications a registry key must be modified prior to applying the update. This is due to an issue with some antivirus software that could result to a BSoD (Blue Screen of Death) in some configurations. Most antivirus vendors are already working with Microsoft and have released the necessary updates to the general public to ensure this patch is applied successfully.
Here are the registry changes required as per Microsoft:
eMazzanti Technologies Network Operations Center and eCare team is working diligently to take the necessary steps and perform these updates in a safe manner. Our engineers are currently performing regression testing on the Microsoft monthly rollup updates. Out-of-band security updates are released by Microsoft directly to address urgent vulnerabilities and are subject to an accelerated change control schedule.
Apple also recognizes the potential for exploitation using these attacks on all MAC systems and iOS devices. But because it requires a malicious app there are currently no known exploits. The recommendation is to use only software from trusted sources such as App Store and to ensure your systems are properly patched. WatchOS is not effected and does not require mitigation. More information about this vulnerability with regards to Apple devices here: https://support.apple.com/en-us/HT208394
Google is implementing TLS 1.3 as the new standard for 2018. As an additional hardening step, the recommendation is to turn on site isolation altogether or on a per-site basis. In addition, the company announced a boarder support for NTLMv2 authentication protocol with Extended Protection for Authentication (EPA). A technology only previously available in Chrome for Windows. Google Cloud Platform (GCP) and G Suite applications have already been updated to protect against these vulnerabilities. More information about this announcement here.
If you have any questions or need assistance, please do not hesitate to contact us by calling our service desk at (201) 360-4400 or submit a support request by emailing [email protected]