Meltdown & Specter bugs: what they mean for business

MeltdownMeltdown and Specter are recent CPU (hardware) bug discoveries that use a critical design flaw in CPUs to easily obtain the information from an off-limits memory location. In other words, researchers have found a way to trick the CPU into giving up information held elsewhere in memory, even if that memory is off-limits to the original program reading it.

Triggering the bug requires very little code and can be as simple as the victim reading a web page that contains the appropriate Javascript. However, finding useful information inside the system and sending that information back home is more complex and may require additional steps from a threat actor.

As can be seen in this demo from Michael Schwarz, the bug can cause passwords and other information to be given up in real time if the right conditions are met.

Consider that in a virtual or cloud environment, there are multiple tenants running on the same hardware: this bug can allow one tenant to read information held in memory from another tenant, regardless of security restrictions. The depth of impact from this is stunning. Given the widespread nature and significant consequences, I expect threat actors to be searching for Meltdown and Specter vulnerable systems for a long time to come.

Unlike most bugs we come across, Meltdown and Specter are unusual in that they are bugs in the CPU design of almost all Intel, AMD and Arm processors. It impacts all operating system types, all cloud services, datacentre servers, desktops, and mobile devices worldwide.

Make no mistake, this is likely to become the most significant global information security issue we have seen in business to date. According to CERT, Meltdown has a “Low” difficulty of successful attack (meaning it is somewhat trivial for an unauthenticated user to trigger), while Specter has a “High” difficulty, requiring software tailored to the environment.

Mitigation. What to do next?

Don’t panic, but make a plan. The flaws may not be so easily exploitable by an external threat actor just yet – more clarification is needed.

Little can be done at the network border. Your only real option is to patch the operating systems of each mobile device, PC, server and hypervisor to work around the issue. At the time of writing, Azure and AWS had both corrected their hypervisor hardware to protect their tenants from other tenants, but it is up to individual tenants to fix their own guest operating systems. The same applies for in-house servers, PC fleets and mobile devices.

Watch for your operating system vendor to release a patch, if one hasn’t been released already. However, approach your patching with caution! Unlike software bugs, these kinds of hardware bugs cannot be “patched” simply and require software workarounds to hide the hardware issue. In one case, it has been suggested the fix might involve moving the kernel from one place in memory to another, each time the kernel and the operating system need to share information, and this may cause a 5 to 30% load spike in older CPUs depending on the workload. This may be disastrous on busy transaction servers, such as databases. So check your performance carefully before rolling into production.

Although at the time of writing details are still somewhat scant (there is a publication embargo on full details until 9 January 2018), the wide spread nature of these issues and the ability to read restricted memory means that you should pay close attention to this issue and create a mitigation plan as soon as possible.

In my opinion, it also highlights the importance of reconsidering the need to virtualise hosts when those hosts carry highly sensitive data: We occasionally see bugs that allow guest hosts to steal data from other guests. This is one such bug.

Further reading

Jason Kempnich

Jason is an Information Security Consultant and CISSP based in Queensland, Australia, with 20 years experience. He has worked in a variety of sectors from federal government through to giant multinational organisations.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *