
Meltdown and Spectre: Introduction to and Assessment of the Intel Chip Vulnerability

The vulnerability

Meltdown and Spectre are a series of critical vulnerabilities that lead to the disclosure of sensitive information from an operating system, caused by a fundamental design flaw in Intel’s processors.

On Jan 3, Google Project Zero disclosed the vulnerability, tracked as Vulnerability Note VU#584653 “CPU hardware vulnerable to side-channel attacks”.

A PoC has already been published on GitHub.

How big is the threat?

A successful exploit of this vulnerability allows an attacker to read sensitive information from protected memory regions. Such information may include passwords, emails and documents, which are most likely to be held in plaintext in memory while the OS and applications process them. OS-level memory isolation is usually considered trustworthy, and this time it broke.

There are two ways of exploiting the vulnerabilities.

Meltdown – “User level attacks Kernel level”: A malicious, unprivileged user-level application can read OS kernel-mode memory because the privilege boundary check fails. Related vulnerability: CVE-2017-5754

Spectre – “User level attacks User level”: A malicious user-level application reads the memory of another, normally running user-level application due to a flaw in the CPU’s speculative execution feature. Related vulnerabilities: CVE-2017-5753, CVE-2017-5715

The attack surface exists on both the client side and the server side. Possible attack scenarios include attacking cloud-based shared hosting, attacking the client side with web-based JavaScript, and using the flaw as a supporting step in a memory corruption exploit to bypass kernel-level ASLR protection.

Besides the proof-of-concept code on GitHub, researchers have demonstrated leaking kernel memory.

One fortunate aspect is that attacks on this vulnerability are “passive” and “read-only”, compared to an actively exploited RCE vulnerability.

Am I affected?

The answer is most likely Yes:

  • The chip vendors Intel, AMD and ARM are affected.
  • Windows, Linux (Android included) and macOS are affected.
  • Cloud service vendors such as AWS and AliCloud are affected.

Microsoft has also released a PowerShell script to detect whether a Windows system is affected.
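On Linux the equivalent check is to read the kernel’s per-issue status files under /sys/devices/system/cpu/vulnerabilities/ (exposed by Linux 4.15 and later). The script below is an added example, not code from the original post or from SonicWall; it maps those files to the three CVEs above, treats a missing file as “unverified” rather than “safe”, and includes a constructed sample for offline use.

```python
import os

# Linux 4.15+ exposes one status file per issue here; older kernels lack it.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Map each sysfs file name to the CVE the post lists for it.
CVE_BY_ISSUE = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}

def classify(status):
    """Normalise one sysfs status line to a fixed state keyword."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_status(issue, sysfs_dir=SYSFS_DIR):
    """Return the raw status line, or None if the kernel does not expose it."""
    try:
        with open(os.path.join(sysfs_dir, issue)) as f:
            return f.read().strip()
    except OSError:
        # Pre-4.15 kernel or unknown issue: treat as unverified, not as safe.
        return None

def assess(statuses):
    """statuses: {issue: raw line or None} -> {issue: (cve, state, raw)}."""
    report = {}
    for issue, cve in CVE_BY_ISSUE.items():
        raw = statuses.get(issue)
        report[issue] = (cve, "unknown" if raw is None else classify(raw), raw)
    return report

def needs_action(report):
    """Issues still needing a patch: anything vulnerable or unverifiable."""
    return sorted(i for i, (_, state, _) in report.items() if state in ("vulnerable", "unknown"))

# Constructed sample of what a partially patched host might report.
SAMPLE = {"meltdown": "Mitigation: PTI",
          "spectre_v1": "Mitigation: __user pointer sanitization",
          "spectre_v2": "Vulnerable: Retpoline without IBPB"}

if __name__ == "__main__":
    host = assess({i: read_status(i) for i in CVE_BY_ISSUE})
    for issue, (cve, state, raw) in host.items():
        print(f"{issue:10} {cve}  {state:12} {raw or '(not exposed by kernel)'}")
```

Running it on a real host reads the live sysfs files; `assess(SAMPLE)` exercises the same logic on the constructed data.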

How can I get protected?

Patching this vulnerability is more difficult than usual: it lies at the hardware level and affects multiple platforms, including various versions of mobile and IoT devices. The current patches for Linux and Windows incur a 5-30% performance hit on Intel products.

Please keep up to date with newly released patches and apply them when available, or confirm with your service provider that they have applied the latest patch. Major vendors are already reporting on their patching status:

  • VMware:
    https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
  • AMD:
    https://www.amd.com/en/corporate/speculative-execution
  • Red Hat:
    https://access.redhat.com/security/vulnerabilities/speculativeexecution
  • Nvidia:
    https://forums.geforce.com/default/topic/1033210/nvidias-response-to-speculative-side-channels-cve-2017-5753-cve-2017-5715-and-cve-2017-5754/
  • Xen:
    https://xenbits.xen.org/xsa/advisory-254.html
  • ARM:
    https://developer.arm.com/support/security-update
  • Amazon:
    https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/
  • Mozilla:
    https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

For SonicWall users:

Meltdown and Spectre are memory-level side-channel attacks, so they do not leave logs the way exploits targeting specific services do. The attacks and associated malware can, however, still be detected and intercepted in network traffic.

The SonicWall Capture Labs Threat Research team keeps monitoring newly emerging exploits and malware for this vulnerability. The following signatures have already been developed to identify and stop the attacks:

  • GAV: Exploit.Spectre.A
  • IPS 13149: Suspicious Javascript Code (Speculative Execution)
  • WAF 1673: Suspicious Javascript Code (Speculative Execution)

References:

  • [1] Meltdown and Spectre, https://meltdownattack.com/
  • [2] Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign, https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
  • [3] Vulnerability Note VU#584653, https://www.kb.cert.org/vuls/id/584653
  • [4] Meltdown and Spectre analysis from Antiylab, http://www.freebuf.com/vuls/159269.html
  • [5] We translated Intel’s crap attempt to spin its way out of CPU security bug PR nightmare, http://www.theregister.co.uk/2018/01/04/intel_meltdown_spectre_bugs_the_registers_annotations/