On Wednesday, rumors surfaced that there were vulnerabilities in the majority of microprocessors, which would allow attackers to access system memory information held in the kernel, the most privileged area of modern operating systems. The kernel manages processes including starting and ending user programs, security settings, memory handling, and controlling hardware such as memory and network drives.
Later in the day the security community rallied together to produce a barrage of research on two different attacks that took advantage of these flaws: enter Meltdown and Spectre.
With so much overlapping commentary, and further details likely to be released, it’s hard to make sense of exactly what’s going on and what systems are at risk. Here’s what we know – and do not yet know – so far. The Digital Shadows (now ReliaQuest) Intelligence team conducted this analysis by:
- Reproducing and validating the Spectre Proof of Concept Code (POC) found in the Spectre academic whitepaper,
- Researching criminal forums for related activity,
- Collating publicly available research from the security community.
What we know about Meltdown and Spectre
- Meltdown and Spectre were discovered by at least three different groups, including researchers at Google Project Zero, Cyberus Technology and Graz University of Technology. The flaws were responsibly disclosed back in June 2017, but details of the vulnerabilities only appeared yesterday on January 3rd. It seems the affected companies wanted to keep the news under wraps until fixes were ready to be released, but the vulnerabilities were disclosed earlier than planned.
- Meltdown is an attack that bypasses the mechanism between the operating system and applications. This can lead to the exposure of passwords and other sensitive data stored in the system memory. The vulnerability can be tracked via CVE-2017-5754.
- Spectre is an attack that bypasses the isolation between applications by exploiting what is known as a “speculative execution”, used by modern processors to increase performance speed. Under the right conditions, the processor can be tricked into leaking data returned from other applications, exposing sensitive data. The exploit is tracked via CVE-2017-5753 and CVE-2017-5715.Digital Shadows (now ReliaQuest) analysts tested a proof-of-concept code referenced in the Spectre whitepaper, which functioned correctly.
Spectre proof of concept exploit tested on an Ubuntu 16.04 VM by Digital Shadows (now ReliaQuest)
- These flaws are not exclusive to Intel processors, they also affect AMD and ARM. Cloud environments are also at risk as an attacker could break out of one user’s process and access processes running on the same shared server.
- Patches for Meltdown have been released; however, there is currently no specific patch available for Spectre, which will likely require a hardware fix to mitigate completely. The US CERT certainly seems to think so.
What we don’t know about Meltdown and Spectre
- Although the general consensus is that nearly every processor commonly in use today is at risk, the full extent of which systems and platforms are affected is still unknown.
- How easy is it to exploit these flaws? There have not been any reports of Meltdown or Spectre attacks being performed in the wild for malicious purposes. While Digital Shadows (now ReliaQuest)’ analysis of the Spectre POC code functioned correctly, the intricacies and feasibility of performing a Spectre attack against another machine under the right conditions with the “speculative exploitation” approach is still unclear.
- How can threat actors leverage Meltdown and Spectre for their attacks? The exploit scenarios are some of the biggest unknowns. The nature of the vulnerabilities themselves lead to the exposure of sensitive data such as encryption keys and passwords, so future attacks would likely involve users stealing this information to then takeover machines and accounts. Internet of Things (IoT) devices are also susceptible as they run the same type of processors, and people are less likely to update these accordingly the same way they would their personal or work computers. A dedicated attacker could decide to use these vulnerabilities to find flaws and default passwords in IoT devices, which we saw led to the creation of the Mirai botnet.
- Criminals do not need to use Meltdown and Spectre for their attacks if they can profit in other ways. We have seen actors discussing the sale of the exploits on the Shadow Broker’s “Scylla Hacking Store” for $8900. This is likely to be the first of many claimed sales across the dark web and criminal forums, as cybercriminals look to profit from the media attention and hysteria around these discoveries.
Meltdown and Spectre exploit advertised for sale by the Shadow Brokers
What you can do about it
A host of companies have come out and released advisories for their affected products. We have provided a list of these and their relevant websites below:
Patching and rebooting should therefore be a priority requirement for all organizations and home users. Despite this, there are a few things to bear in mind:
- Spectre cannot yet be completely mitigated against through patching,
- These mitigations will affect system performance and slow down machines. You will want to test out the mitigations prior to deploying them.
- Mitigating and patching hardware with software is very difficult, and it creates problems with other applications (e.g.: endpoint protection)
These patches are only preliminary measures though, and there will probably be future updates released to combat the performance problems caused by these fixes.
What we can be certain of is that this issue will run on for a considerable length of time. Digital Shadows (now ReliaQuest) will continue to post updates on both Meltdown and Spectre as and when new information becomes available. Happy New Year!