Note: This blog revisits our 2018 coverage of the Spectre and Meltdown vulnerabilities. You can read further in Meltdown and Spectre: the Story So Far.
In the past week, a security researcher discovered several working exploits for the infamous Spectre and Meltdown hardware vulnerabilities (known affectionately in some circles as ‘Smeltdown’), whose disclosure caused panic back in January 2018. The exploits had been uploaded to VirusTotal’s database in February, with one exploit for Linux reportedly allowing unprivileged users to read the contents of the files that store user passwords on both Windows and Linux systems. The researcher who discovered the exploits, Julian Voisin, has claimed that the exploits had been thoroughly tested and were successful.
This blog will look at these two notorious vulnerabilities and their evolving impact on the media and the security community. Given the technical sophistication required to exploit Spectre and Meltdown, many organizations left these vulnerabilities unpatched to avoid reducing their machines’ performance. Three years later, a working exploit has finally been released and has sent the security community back to its anxious state of 2018. Read on to find out why it’s essential to keep calm in times of widespread agitation.
What are the Spectre and Meltdown Vulnerabilities?
The Meltdown vulnerability, tracked as CVE-2017-5754, breaks the mechanism that keeps applications from accessing arbitrary system memory, allowing an attacker to read memory that should be off-limits to them. Spectre, tracked under CVE-2017-5753 and CVE-2017-5715, tricks other applications into accessing arbitrary locations in their own memory. Both issues belong to the broader category of side-channel attacks.
Why are the Spectre and Meltdown Vulnerabilities Dangerous?
You may be thinking that this is simply another one of the thousands of exploitable vulnerabilities currently in circulation, and in many ways you are right. Despite the discovery of these working exploits, the likelihood of these issues being exploited in the wild is still low, and certainly much lower than for other bugs that have been highlighted in the last couple of weeks. If you have somehow missed it, you should prioritize patching the four Microsoft Exchange zero-days that are reportedly being used by multiple advanced threat groups in live attacks.
The technical demands on a threat actor wishing to exploit the bugs are significant, albeit slightly lower since the public exploits’ release. What made Spectre and Meltdown the talk of the town in 2018 was the enormous scale of potentially affected devices. These are hardware vulnerabilities in almost all modern processors, which could allow programs to steal data currently being processed on a computer. While programs are not normally permitted to read data belonging to other programs, a malicious exploit could allow an actor to access sensitive data held in other running programs’ memory: data that could include passwords stored in a password manager or browser, personal photos, emails, or critical business documents.
How Do the Spectre and Meltdown Vulnerabilities Function?
Spectre and Meltdown take their names from the speculative execution process that all modern processors use to optimize performance. Speculative execution is an optimization technique in which a processor (CPU) performs work before it has been asked to, so that the results are already available if they turn out to be needed.
The best analogy I have seen for this process is a chef cooking popular orders ahead of customers requesting them. Optimization in this sense is based on the chef’s experience of knowing what type of food would be ordered at certain times (i.e., hummus or yogurt to be served all day if you ask my 2-year-old). This technique allows the chef to get through his orders at a quicker rate. Speculative execution works similarly, with your CPU anticipating what processes and tasks you might request at certain times and performing them in advance.
What Was the Patching Situation for Spectre and Meltdown?
Despite the low probability of the vulnerabilities being targeted in live attacks, their discovery initially resulted in quite a media frenzy over the susceptibility of all modern CPUs (including those in PCs, tablets, and smartphones) to such a fundamental flaw. Some of the rather fantastical reporting contributed in many ways to a rushed and botched response to mitigating the vulnerabilities.
Early software patches for the duo were rife with optimization problems, leading to performance regressions for several reasons. The patches were being applied to systems immune to specific variants and often caused microcode and operating systems to conflict with each other, with the ultimate effect of causing system instability, particularly on Windows systems.
Performance impact was a massive bone of contention, with figures of 5-30% being quoted by many technology news websites. The actual impact depended on many factors, including the workload and the type of CPU the patch was being applied to, and was likely far lower. Some researchers have since suggested that the performance impact was negligible.
Performance impact wasn’t the end of it, though. Microsoft’s initial Windows patches created system instability. As a result, Microsoft’s update ended up blacklisted by some third-party antivirus products, and the patch caused Blue Screen of Death (BSOD) and boot-loop issues on some AMD systems. Windows 10 users also could not defer the update, which ultimately caused Microsoft to withdraw the patch.
The update for Windows 7 and Server 2008 introduced an even more significant and more problematic vulnerability, aptly named “Total Meltdown.” The patch set permissions incorrectly, causing memory that should only be accessible to the kernel to be mapped automatically into every process running with user-level privileges. This vulnerability allowed malicious programs to read the complete system memory at speeds of gigabytes per second, instead of the 120 KB/s that Meltdown is otherwise capable of. Research into the Windows 10 patches in April 2018 also found that the patches didn’t work and allowed a program to access the entire kernel page by calling a particular system function called NtCallEnclave.
Intel’s updates didn’t fare much better, with the first microcode updates causing random reboots and leading to a mass withdrawal of patches. Linux creator Linus Torvalds was particularly scathing about Intel’s patch, saying that it was “pure garbage” and did “insane things” to systems’ performance when applied. I can only imagine being the sysadmin who comes back from a few days off to find out that the company had applied a patch that caused a 5-30% performance impact and introduced a more impactful and exploitable vulnerability.
Because of the problems described above with the initial updates for Spectre and Meltdown, many organizations will likely have skipped the Knowledge Base (KB) updates required to protect against these bugs. This is particularly the case for older operating systems, which would suffer the most significant decrease in system performance. The updates released for Spectre and Meltdown have been fine-tuned over the past three years. We advise that organizations apply the patches where possible, following routine local testing to determine any susceptibility to performance degradation.
While the risk from Spectre/Meltdown is low, other side-channel attacks will likely exist for many years to come. The vulnerabilities represent a snapshot of broader hardware problems associated with modern CPUs. There will likely be fundamental changes to CPU design in future computers; in the past year, Intel has confirmed that its new Tiger Lake processors will not be susceptible to these types of attacks. While applying patches may feel like using a sticking plaster at this time, it remains the best option we have available.
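Before and after applying the patches recommended above, it helps to verify what the running kernel actually reports. The Linux kernel exposes one status file per known CPU vulnerability under /sys/devices/system/cpu/vulnerabilities/ (for example meltdown, spectre_v1, spectre_v2), each holding a one-line status that begins with "Not affected", "Mitigation:" or "Vulnerable". The script below is an added example written for this post, not code from the original article or from any vendor; the status lines in SAMPLE_STATUS are constructed so the parser runs offline, and the live sysfs read is only attempted when that directory exists.

```python
"""Summarise Linux kernel CPU-vulnerability mitigation status.

Added example for this post. Reads /sys/devices/system/cpu/vulnerabilities/
when available (a real kernel interface); otherwise falls back to the
constructed SAMPLE_STATUS below so the logic can be exercised anywhere.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample of what the sysfs files might contain on a mostly
# patched host: Meltdown and both Spectre variants mitigated, one issue
# (mds) still flagged because the microcode update is missing.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "l1tf": "Not affected",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
}


def classify(status: str) -> str:
    """Map one raw status line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # unfamiliar wording: treat as needing a human look


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read every status file in the directory; returns {} if not on Linux or unreadable."""
    if not directory.is_dir():
        return {}
    statuses = {}
    for entry in sorted(directory.iterdir()):
        try:
            statuses[entry.name] = entry.read_text().strip()
        except OSError:
            continue  # permission or transient read error: skip that entry
    return statuses


def summarise(statuses: dict) -> dict:
    """Group vulnerability names by their classified status."""
    groups = {"not_affected": [], "mitigated": [], "vulnerable": [], "unknown": []}
    for name, status in statuses.items():
        groups[classify(status)].append(name)
    return groups


def needs_attention(statuses: dict) -> list:
    """Names whose status still shows exposure (vulnerable or unrecognised), sorted."""
    groups = summarise(statuses)
    return sorted(groups["vulnerable"] + groups["unknown"])


if __name__ == "__main__":
    live = read_sysfs()
    source = "live sysfs" if live else "constructed sample"
    data = live or SAMPLE_STATUS
    print(f"Source: {source}")
    for group, names in summarise(data).items():
        print(f"{group:>13}: {', '.join(names) or '-'}")
    print("Needs attention:", ", ".join(needs_attention(data)) or "none")
```

Run it on a patched Linux host and the "vulnerable" and "unknown" groups should be empty; anything listed under "Needs attention" is a mitigation that the kernel itself says is missing, which is a far more reliable signal than whether a given KB or package version was installed.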
Why Should I Worry About Smeltdown Now?
It’s been three years since security researchers initially disclosed the bugs. In that time, there hasn’t been a single example of the bugs being exploited in live attacks. There are fundamentally easier ways for a credible threat actor to intrude into targeted networks or attempt to steal data. While the discovery of working exploits has raised the risk associated with Spectre and Meltdown, it’s still unlikely that they will become a common attack vector. Threat actors and groups will always take the path of least resistance, aiming for the greatest gain for the least effort.
The vulnerabilities also offer a valuable opportunity to look back and recognize the importance of remaining calm in the face of fantastical reporting. Not everything that is released will end up being a world-changing event, and we should always take a risk-based approach to the remediation of cyber threats and vulnerabilities. Prioritize issues that are both likely to be exploited and likely to cause the most significant impact, and be less concerned with the largely hypothetical threats that are yet to be targeted in the wild.
If you’d like to get a clear picture of your attack surface, SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) aggregates data from billions of sources across the open, deep, and dark web, giving you a real-time view of your network exposure. Request a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.
If you are already a SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) user, you can enrich these CVEs with data from Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection), including the TTPs used, the threat actors involved in exploitation, linked intelligence updates, and sightings from across the open, deep, and dark web.