Two proof-of-concept attacks have recently been discovered named Meltdown and Spectre.
These vulnerabilities “break down barriers between user mode and kernel mode and between different processes running on the same device, allowing a rogue process (which could be triggered by a website) to access memory that it shouldn't have access to.” (source)
Although these weaknesses currently provide no reason to panic, they are absolutely something that should be on any IT professional’s radar. This currently affects desktops, laptops, cloud servers, and even smartphones. Essentially all modern processors. (Intel, AMD, and ARM processors have been verified.)
Currently, there are no documented cases of this exploit being utilized, but that doesn’t mean that we shouldn’t prepare ourselves.
What are the concerns?
- In its current state it is undetectable, but at the same time contains no remotely executable code.
- This impacts all processors that have been released since 1995 except the Intel Itanium and Intel Atom created before 2013.
- Cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ are affected.
- Currently, existing security applications have no means of detecting this exploit.
What does this mean for me?
- No current exploits are known to utilize these vulnerabilities as of right now. The code that these types of vulnerabilities use, which simply disclose data, do not allow code execution. This means that by themselves they are not particularly useful to an attacker.
- Cloud providers are currently the most vulnerable due to the potential to gain access to other customer’s data.
- Current antivirus solutions and other security software (like Cylance for example) cannot detect or protect against this threat. This means the only means for protecting your environment is to make sure that patches are deployed to the appropriate operating systems.
- Check out our post entitled: 10 questions we answer about meltdown and spectre.
What are my next steps?
Currently, all operating systems are potentially affected by this. To safeguard your environment, the following precautionary steps can be taken. Please read and fully understand the implications that applying these fixes will have on your environment. There are currently two major concerns with applying fixes to these operating systems.
- The exploits targets code that essentially makes the CPU faster. This raises concerns that the patches may prevent the utilization of the functionality that allows the CPUs to “be faster."
- Some anti-virus software has been found to be incompatible with the OS patches. This seems to be more of a concern with the Microsoft operating system.
How to patch based on your operation system.
Microsoft has released a technical document explaining how to patch your Windows devices. Full details can be found here.
- Microsoft has released patches for this exploit, though these patches will only apply to devices if there is either:
- No anti-virus present.
- A supported anti-virus software is installed.
Microsoft has reached out to anti-virus providers asking to set a specific registry key when the software supports the Microsoft patch. For more information about the registry entry, please see the Microsoft support document here.
Currently, Microsoft is not releasing a list of anti-virus vendors that are not compatible with the patches, but a community security expert has compiled a list of AV software and its current support state as of January 04, 2018. This link will take you to the google doc provided by @GossiTheDog.
See original Twitter message here.
- Apply any firmware updates provided by hardware OEM. These would come in the form of firmware updates.
- For Windows Servers, you must also enable software mitigations. Details on applying these changes can be found here.
MAC OS X
Intel is currently unable to address this exploit in OS X with a firmware update. Developers at Apple are already underway implementing code that will, in fact, fix the issue. This code is currently called “Double Map." This code has already been implemented in OS 10.13.2, with expected improvements in 10.13.3.
As versions of Linux vary, there is not currently one source for details, but we have found that the current enterprise providers do not yet have a solution. Fixes will be addressed in future kernel updates.
To see Meltdown in action, check out this video!
Post co-authored by Cris Weber, Lead Development architect and Adam Eaddy, Productive Systems Management Consultant.