Indusface Total Application Security - Meltdown and Spectre

What is the vulnerability?

On January 3, 2018, security researchers from Google Project Zero in conjunction with academic and industry researchers from several countries released information about three new vulnerabilities affecting various modern microprocessors by Intel, AMD, ARM and other vendors. They are grouped as “Spectre” (CVE-2017-5753 and CVE-2017-5715) and “Meltdown” (CVE-2017-5754). 

These are design flaws in the speculative execution of instructions, a performance optimization used by nearly all modern microprocessors. They could allow an unprivileged local attacker to obtain access to sensitive information. Three variants were disclosed: two grouped under Spectre and one under Meltdown.

CVE Details

•  CVE-2017-5753: bounds check bypass

•  CVE-2017-5715: branch target injection

•  CVE-2017-5754: rogue data cache load

The first two variants abuse speculative execution either by bypassing a bounds check (CVE-2017-5753, variant 1) or by branch target injection (CVE-2017-5715, variant 2), which causes kernel code at an address under attacker control to execute speculatively. Together they are known as "Spectre". Both variant 1 and variant 2 can be used to cross the syscall (user/kernel) boundary, and variant 2 can additionally cross the guest/host boundary. An unprivileged attacker could use these two flaws to read privileged memory by conducting targeted cache side-channel attacks: the speculatively executed instructions are rolled back architecturally, but the cache lines they touched stay loaded and can be detected by timing later accesses.
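The bounds-check-bypass pattern behind variant 1, next to the branchless index masking that the Linux kernel adopted against it, as an added example that is not code from the original page or from Indusface. The arrays array1 and array2 follow the layout used in the Spectre paper, their contents and the "secret" string are constructed sample data, and array_index_mask_nospec is modelled on the kernel helper of the same name.

```c
/* Spectre variant 1 (CVE-2017-5753): a bounds-check-bypass gadget next to
 * its hardened form. Added illustrative example, not code from the
 * original page; array contents are constructed sample data. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* array1 is a small table indexed by an attacker-controlled value.
 * Secret data lives elsewhere in the same address space; an out-of-range x
 * makes array1[x] read it during speculation. */
static uint8_t array1[16] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static const char secret[] = "constructed secret value";

/* array2 is the probe array: 256 slots, one cache line (512 B here) apart.
 * A speculative load from array2[k * 512] leaves slot k cached, and the
 * attacker later times accesses to each slot to recover k. */
static uint8_t array2[256 * 512];

/* Fill each probe slot with its own index so results are recognisable. */
void init_probe_array(void)
{
    for (unsigned k = 0; k < 256; k++)
        array2[k * 512] = (uint8_t)k;
}

/* Vulnerable gadget. Architecturally correct: the branch rejects any x out
 * of range. But after the predictor has been trained on in-range values, a
 * malicious x is speculatively accepted, array1[x] reads beyond the table,
 * and the dependent load into array2 encodes that byte in the cache. */
uint8_t victim_unsafe(size_t x)
{
    if (x < sizeof(array1))
        return array2[array1[x] * 512];
    return 0;
}

/* Branchless mask, modelled on the Linux kernel's array_index_mask_nospec():
 * all ones when index < size, zero otherwise. For index >= size the
 * subtraction underflows and sets the top bit; ~ clears it and the
 * arithmetic shift smears the top bit across the whole word. */
unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    unsigned long mask = ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
    /* Stop the compiler from reasoning "inside the branch index < size, so
     * the mask is always ~0" and dropping the computation. */
    __asm__ __volatile__("" : "+r"(mask));
    return mask;
}

/* Clamp an index with the mask: unchanged when in range, 0 otherwise. */
size_t clamp_index_nospec(size_t index, size_t size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Hardened gadget. The comparison still happens, but the index fed to
 * array1 no longer depends on the outcome of a (possibly mispredicted)
 * branch: on a mis-speculated path the mask is zero, so the load touches
 * array1[0] instead of secret memory. */
uint8_t victim_safe(size_t x)
{
    if (x < sizeof(array1))
        return array2[array1[clamp_index_nospec(x, sizeof(array1))] * 512];
    return 0;
}

int main(void)
{
    init_probe_array();
    /* An out-of-range x pointing at the secret; architecturally both
     * versions return 0, the difference is only what gets loaded speculatively. */
    size_t malicious = (size_t)((uintptr_t)secret - (uintptr_t)array1);
    printf("in range x=3:  unsafe=%u safe=%u\n",
           (unsigned)victim_unsafe(3), (unsigned)victim_safe(3));
    printf("out of range:  unsafe=%u safe=%u (masked index=%zu)\n",
           (unsigned)victim_unsafe(malicious), (unsigned)victim_safe(malicious),
           clamp_index_nospec(malicious, sizeof(array1)));
    return 0;
}
```

Both functions return identical results for every input; the fix changes only what the processor may load while the branch outcome is still unknown, which is exactly the window variant 1 abuses.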

The third variant, called "Meltdown", abuses speculative execution through a rogue data cache load (CVE-2017-5754) on affected microprocessors to break the isolation between user applications and the operating system. The processor forwards the result of a load from a privileged address to dependent instructions before the permission check raises its fault, so an unprivileged local attacker can read privileged (kernel space) memory, including arbitrary physical memory locations mapped into the kernel on a host, by conducting targeted cache side-channel attacks.

What are the risks?

Exploiting these processor vulnerabilities requires a local attacker, that is, one who can run code on the target machine in user mode. This includes code delivered through a web browser, since JavaScript executes locally (see the browser notes under mitigation). These are read-only/information disclosure vulnerabilities, not code execution vulnerabilities; what an attacker gains is memory contents such as passwords, keys and other secrets belonging to other processes or the kernel. Multiple fully functional exploit samples/POCs are publicly available, but at the time of writing there is no indication of exploitation in the wild.

These attacks are most threatening to shared hosting environments, where multiple users are all capable of executing code on a single system. As a result, most of the cloud service providers like Amazon and Microsoft have already deployed security updates.

These vulnerabilities are especially troubling because they affect nearly every device with a modern processor, which means full mitigation and remediation may not be possible everywhere. Older systems (like Windows XP) and devices (like older Android smartphones and IoT devices) will likely never receive fixes.

Severity: Medium

CVSS v2: Base Score 4.7, Vector: AV:L/AC:M/Au:N/C:C/I:N/A:N

CVSS v3: Base Score 5.6, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Do I need to worry about it?

Exploitation leaves no trace in logs; an attack is just a process timing its own memory accesses, so it is hard to distinguish from a regular benign application. Verification therefore means checking whether the mitigations are in place rather than looking for attacks. Microsoft has released a PowerShell module (SpeculationControl, whose Get-SpeculationControlSettings cmdlet reports whether the OS and microcode mitigations are present and enabled) that users can run to verify that their systems are properly patched and no longer vulnerable to Meltdown and Spectre. Intel has also released detection and mitigation tools, but note that the tools listed below address INTEL-SA-00075 (the Intel AMT/ISM/SBT firmware privilege escalation, CVE-2017-5689), not the speculative execution issues, which Intel tracks as INTEL-SA-00088; for Meltdown and Spectre the relevant Intel action is the microcode update, delivered through OS or OEM firmware updates.

INTEL-SA-00075 Detection and Mitigation Tool (Windows)

INTEL-SA-00075 Linux Detection and Mitigation Tools (Linux)

Mitigation?

Though the vulnerabilities are in the processor hardware itself, the best way to address them right now is to keep microcode, OS, hypervisor and vendor patches up to date. Intel stated that by the end of the following week it expected to have issued updates for more than 90% of processor products introduced within the past five years.

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate because the only complete fix is to redesign the hardware. The available software mitigations (microcode updates that add indirect branch controls, compiler techniques such as retpoline, and index masking in kernel code) reduce rather than eliminate the risk. Until then, customers are advised to apply the security updates released by OS and application vendors; patches are now available for most major platforms.

Meltdown can be mitigated by patching the operating system. For Linux, the KPTI (Kernel Page Table Isolation) patch set, formerly known as KAISER, has been released; it removes most kernel mappings from the user-mode page tables, so a speculative load from a kernel address has nothing to read. Other operating systems have shipped, or should implement, similar kernel isolation mitigations.

Cloud service users likely do not need to act at the hypervisor level, since most providers are updating their infrastructure to protect tenant isolation. Provider patches do not, however, protect processes inside a guest from one another, so guest operating systems still need their own OS and microcode updates.

Security experts believe that attackers will soon start to exploit these CPU vulnerabilities remotely in targeted or mass attacks, most plausibly by delivering JavaScript through web pages and advertisements.

- Google pointed out that attacks are possible via both JavaScript and WebAssembly. The company informed customers that current versions of Chrome include a feature named Site Isolation (chrome://flags/#enable-site-per-process) that can be manually enabled to limit what a hostile page can read. Chrome 64, which is scheduled for release on January 23, will contain mitigations in the V8 JavaScript engine.

- Microsoft has also confirmed that attacks can be launched via JavaScript code running in the browser. The company has released updates for its Edge and Internet Explorer web browsers to mitigate the vulnerabilities.

As an interim measure, customers can disable JavaScript in their browser and install ad blockers, since third-party advertisements are the most likely delivery path for hostile script. The more practical baseline is to keep browsers updated: vendors have also reduced the precision of performance.now() and disabled SharedArrayBuffer, which removes the high-resolution timing these attacks depend on.


Since both Meltdown and Spectre are exploited by code running locally, remote network scanners cannot detect them; only authenticated checks on the machine itself (OS patch level, microcode version, and the mitigation status reports mentioned above) can find these vulnerabilities.

Indusface customers' infrastructures remain protected from remote code execution attempts at the application layer by our products' core rule sets. Note that this does not by itself mitigate Meltdown or Spectre, which are exploited by code already running on the host; the OS, hypervisor and microcode updates above are still required.

For Indusface SaaS Infrastructure

Indusface SaaS Infra is secured, and customers need not worry about it. The AWS hypervisor has already been patched, and the OS-level vulnerability cannot be exploited there because doing so requires the ability to run code on the instance, which is available only to trusted administrators and is strictly governed.