Recently two major security vulnerabilities (20-year-old ones!) in CPU architectures were announced in the form of Meltdown and Spectre:
- Meltdown (CVE-2017-5754)
- Spectre (CVE-2017-5753, CVE-2017-5715)
Both vulnerabilities allow attacks that can be leveraged to gain unauthorized access to areas of memory used for kernel-mode operations (please read this as "it allows a low-privileged application to steal items from high-privilege areas, which could include passwords, etc.").
These vulnerabilities are present in almost all modern CPUs, and thus affect a large range of devices regardless of operating system (Linux, Windows, OS X, Android, etc.). However, it's important to think about the attack vectors: this isn't like WannaCry, and these vulnerabilities don't give remote code execution (browsers could be used to steal privileged memory, but if your browser is up to date, it shouldn't be vulnerable to the known exploits).
You can find out more (techie stuff) by following these links:
How do I know if devices are vulnerable?
Tools such as Microsoft Baseline Security Analyzer (MBSA), Nessus, etc. can help identify vulnerable systems. Because these vulnerabilities stem from low-level CPU design across a broad range of hardware manufacturers, it's highly likely that you will have vulnerable systems both at the backend and at client endpoints.
Device vendors have also released guidance on affected systems; I'll cover this a bit later on.
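For hosts where a scanner such as MBSA or Nessus isn't available, the operating system itself can often answer the question. The script below is an added example and not part of the original post: on Linux, kernels from 4.15 onwards (and vendor backports of that change) expose the kernel's own Meltdown and Spectre status as one small text file per issue under /sys/devices/system/cpu/vulnerabilities/, and the script classifies each entry as not affected, mitigated, vulnerable, or unknown. The function names are this example's own, and the sample lines near the bottom are constructed to show the classification on a host that has only a Spectre v2 mitigation; they are not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the original post: classify the Meltdown/Spectre
# status strings the Linux kernel reports for the running host.
# Assumption: a kernel that exposes /sys/devices/system/cpu/vulnerabilities/
# (mainline 4.15+ or a vendor backport); older kernels have no such directory.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one kernel status string to: not_affected, mitigated, vulnerable, or unknown.
# The kernel starts every status with one of these words, and "Vulnerable" may be
# followed by a colon and detail text, so only the leading word is matched.
classify_vuln_status() {
    case "$1" in
        "Not affected"*) echo "not_affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Read "name=status" lines on stdin and print how many classify as vulnerable.
count_vulnerable() {
    n=0
    while IFS='=' read -r name status; do
        [ -n "$name" ] || continue
        if [ "$(classify_vuln_status "$status")" = "vulnerable" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Walk the sysfs directory on this host and print name, category and raw text.
# Exit status: 0 if nothing is vulnerable, 1 if something is, 2 if there is no data.
report_host() {
    if [ ! -d "$VULN_DIR" ]; then
        echo "no $VULN_DIR: this kernel does not report mitigation status" >&2
        return 2
    fi
    rc=0
    for f in "$VULN_DIR"/*; do
        name=$(basename "$f")
        raw=$(cat "$f" 2>/dev/null)
        category=$(classify_vuln_status "$raw")
        printf '%-24s %-13s %s\n' "$name" "$category" "$raw"
        if [ "$category" = "vulnerable" ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample (not from a real machine) in the same "name=status" shape:
# an unpatched host whose only mitigation is a Spectre v2 retpoline kernel.
SAMPLE='meltdown=Vulnerable
spectre_v1=Vulnerable
spectre_v2=Mitigation: Full generic retpoline'

echo "vulnerable entries in constructed sample: $(printf '%s\n' "$SAMPLE" | count_vulnerable)"

if report_host; then
    echo "host: no vulnerable entries reported"
else
    echo "host check exit status: $?"
fi
```

The sysfs files are world-readable, so the script needs no special privileges, and it reports the kernel's view (for example "Mitigation: PTI" for Meltdown) rather than whether a firmware or microcode update has been applied, which is exactly the distinction the vendor guidance below turns on. On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which reports both the OS and the hardware (microcode) support for the mitigations.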
But what should you be doing to protect your organization from Spectre and Meltdown?
Simple, we just patch, right? Not so fast…
Intel had been working on these vulnerabilities during 2017, and they were publicly disclosed in early 2018. So, the issue has been worked on for around six months.
Advice to patch "based on vendor guidance" was quickly issued by several security organizations, with vendors such as Microsoft quickly releasing patches. The issue, though, was that the patches didn't just fix the vulnerability and leave everything else working as normal.
Things were further compounded by a compatibility issue with third-party antivirus products: the antivirus itself had to be updated, and a Windows registry key had to be set to enable patching.
Furthermore, reports of the patches causing issues on Red Hat, IBM, Windows, and VMware ESXi systems started coming in, to the point that Intel has now advised people and organizations not to install its patches (no one likes their ESXi host rebooting unexpectedly, right?).
So, in short, the offered patches for the vulnerabilities can cause system stability issues and have been reported to have a heavy negative CPU performance impact (30% additional load, etc.). Plus, as anyone who has patched at business scale before will tell you, it's never easy!
Major vendor guidance links
Some vendors (Dell, Intel, Red Hat, and HP) have withdrawn their advice to patch and now advise waiting for new patch releases (specifically firmware patches):
So, remember to check your hardware vendors’ websites for specific guidance!
What do I do next?
This question isn’t simple to answer.
I’ve been following these vulnerabilities since early in the year, and my advice to customers (in this instance) has been to tread carefully, assess your environment, and take a risk-based approach to patch deployment (at least until stable patches are available).
In the meantime, I also recommend adopting good-practice security controls such as:
- Keep watching for vendor guidance regarding patching (BIOS, Firmware, OS, applications)
- Practice defense in depth (don’t rely on a single control)
- Ensure applications such as web browsers are up to date (Edge, Firefox, and Chrome have all been patched with mitigations that prevent or reduce the browser attack vectors)
- Ensure standard security controls are in place (adopt least-privilege access, ensure antivirus is installed and up to date, segment networks, etc.)
- Ensure you have solid backups that you can recover from (as with anything).
So, keep up other security practices, follow specific vendor guidance, and you should be able to avoid being haunted by Spectre and Meltdown.